<?php
require "db.php";
$a = $_GET['action'] ?? '';
$b = body();

if ($a==="register") {
  $u = trim($b["username"]??"");
  $p = trim($b["password"]??"");
  if ($u==""||$p=="") out(false,"username/password required",[],400);
  $st=db()->prepare("SELECT 1 FROM users WHERE username=?");
  $st->execute([$u]);
  if ($st->fetch()) out(false,"exists",[],409);
  $hash=password_hash($p,PASSWORD_DEFAULT);
  db()->prepare("INSERT INTO users(username,pass_hash) VALUES(?,?)")->execute([$u,$hash]);
  out(true,"registered",["user_id"=>db()->lastInsertId()]);
}
if ($a==="login") {
  $u = trim($b["username"]??"");
  $p = trim($b["password"]??"");
  $st=db()->prepare("SELECT * FROM users WHERE username=?");
  $st->execute([$u]);
  $r=$st->fetch();
  if(!$r || !password_verify($p,$r["pass_hash"])) out(false,"invalid",[],401);
  out(true,"ok",["user_id"=>$r["user_id"],"username"=>$u]);
}
out(false,"unknown action",[],404);