<?php
session_start();

// Hardcoded credentials for demonstration.
// In a real application, you should fetch user from a database and verify the password hash.
$valid_email = 'test@example.com';
$valid_password = 'password';

$response = ['success' => false, 'message' => ''];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = json_decode(file_get_contents('php://input'), true);
    $email = $data['email'] ?? null;
    $password = $data['password'] ?? null;

    if (empty($email) || empty($password)) {
        $response['message'] = 'Please enter both email and password.';
    } elseif ($email === $valid_email && $password === $valid_password) {
        $_SESSION['user'] = ['email' => $email];
        $response['success'] = true;
    } else {
        $response['message'] = 'Invalid credentials.';
    }
} else {
    $response['message'] = 'Invalid request method.';
}

header('Content-Type: application/json');
echo json_encode($response);