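<?php
/**
 * Login page controller.
 *
 * Redirects to setup.php when the application is not installed, sends an
 * already logged-in visitor to the admin area, and on POST checks the CSRF
 * token and hands the submitted credentials to auth_login(). When no redirect
 * happens, the login form that follows this block is rendered, with $error
 * holding the failure message (empty string when there is none).
 */
require_once __DIR__ . '/config.php';

// Checked before the db/functions/auth includes are loaded.
if (!IS_INSTALLED) {
    header('Location: setup.php');
    exit;
}

require_once ROOT_PATH . '/includes/db.php';
require_once ROOT_PATH . '/includes/functions.php';
require_once ROOT_PATH . '/includes/auth.php';

// An authenticated visitor has no use for the form.
if (is_logged_in()) {
    header('Location: ' . base_url('admin/'));
    exit;
}

$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // NOTE(review): presumably rejects the request itself when the token is
    // missing or wrong; its return value is not inspected here. Confirm.
    verify_csrf();

    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';

    // Request fields can arrive as arrays (user[]=...). trim() on an array
    // raises a TypeError on PHP 8, so non-string input is treated as a failed
    // login instead of reaching trim()/auth_login(). The password is passed
    // through untrimmed so leading/trailing spaces stay significant.
    $credentialsAreStrings = is_string($user) && is_string($pass);

    // NOTE(review): no session-id regeneration or attempt throttling is
    // visible in this file; confirm auth_login() (or its callers' stack)
    // covers both.
    if ($credentialsAreStrings && auth_login(trim($user), $pass)) {
        // NOTE(review): the stored return target goes into the Location
        // header unvalidated. If the code that sets login_return derives it
        // from the request, confirm it restricts the value to same-site URLs.
        $redir = $_SESSION['login_return'] ?? base_url('admin/');
        unset($_SESSION['login_return']);
        header('Location: ' . $redir);
        exit;
    }

    // One message for every failure, so the page does not say which of the
    // two fields was wrong.
    $error = 'Invalid username/email or password.';
}

$meta = build_meta(['title' => 'Login — ' . get_setting('site_title', SITE_NAME)]);
include ROOT_PATH . '/includes/header.php';
?>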
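<?php
/*
 * Login form. Posts back to this same URL (no action attribute) with the
 * fields "user", "pass" and "csrf_token". Every dynamic value is passed
 * through h() before it is written into the markup; the CSRF token is
 * included so the hidden field's value attribute does not depend on the
 * token's character set.
 * NOTE(review): h() is assumed to be the project's HTML-escaping helper,
 * as its use on $error suggests; confirm.
 */
?>
<div class="window login-window" style="max-width:420px;margin:40px auto">
    <div class="win-titlebar">🔒 Login to IndexGram</div>
    <div class="win-body">
        <?php if ($error): ?>
            <div class="flash flash-error"><?= h($error) ?></div>
        <?php endif; ?>
        <form method="post" autocomplete="on">
            <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
            <div class="form-group">
                <label for="user">Username or Email</label>
                <input type="text" id="user" name="user" class="input-full" autocomplete="username" required autofocus>
            </div>
            <div class="form-group">
                <label for="pass">Password</label>
                <input type="password" id="pass" name="pass" class="input-full" autocomplete="current-password" required>
            </div>
            <div class="form-actions">
                <button type="submit" class="button">Login</button>
            </div>
        </form>
    </div>
</div>
<?php include ROOT_PATH . '/includes/footer.php'; ?>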