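import { NextRequest, NextResponse } from 'next/server';
import bcrypt from 'bcryptjs';
import { createHash, timingSafeEqual } from 'node:crypto';
import { rateLimit } from '@/lib/rateLimit';

/**
 * Upper bound on the password length this route will even look at.
 * bcrypt only consumes the first 72 bytes anyway; anything beyond this is
 * not a plausible admin password and is rejected before any hashing work.
 */
const MAX_PASSWORD_LENGTH = 1024;

/**
 * Hash prefixes bcryptjs can verify. The original check only accepted `$2b$`,
 * so a `$2a$` hash (which bcryptjs itself emits on some versions) fell through
 * to a plain-text comparison against the hash string and could never match.
 */
const BCRYPT_PREFIX = /^\$2[aby]\$/;

/**
 * Constant-time equality for two secrets that may differ in length.
 *
 * Both sides are SHA-256 digested first so that `timingSafeEqual` receives
 * equal-length buffers (it throws otherwise) and so that the comparison
 * time does not depend on the position of the first differing byte, as a
 * plain `===` on strings does.
 */
function secretsEqual(a: string, b: string): boolean {
  const digestA = createHash('sha256').update(a, 'utf8').digest();
  const digestB = createHash('sha256').update(b, 'utf8').digest();
  return timingSafeEqual(digestA, digestB);
}

/**
 * Verifies a submitted password against the configured admin secret.
 *
 * @param candidate  Password supplied by the client (already validated as a string).
 * @param configured Value of `ADMIN_PASSWORD`: either a bcrypt hash or, as a
 *                   legacy migration path, the plain-text password itself.
 * @returns `true` when the candidate matches.
 */
async function verifyAdminPassword(candidate: string, configured: string): Promise<boolean> {
  if (BCRYPT_PREFIX.test(configured)) {
    return bcrypt.compare(candidate, configured);
  }
  // Legacy: ADMIN_PASSWORD holds the plain-text password. Kept so existing
  // deployments keep working, but compared in constant time rather than with
  // `===`. Operators should store a bcrypt hash instead (e.g. bcrypt.hashSync(pw, 12)).
  return secretsEqual(candidate, configured);
}

/** Narrowing guard for the request body: we only care that `password` is a string. */
function extractPassword(body: unknown): string | undefined {
  if (typeof body !== 'object' || body === null) return undefined;
  const value = (body as { password?: unknown }).password;
  return typeof value === 'string' ? value : undefined;
}

/**
 * POST /…/login — admin password check.
 *
 * Responses:
 *  - 200 `{ success: true }` on a match
 *  - 400 on a malformed body or non-string/oversized password
 *  - 401 `{ error: 'Invalid password' }` on a mismatch
 *  - 429 from the rate limiter (5 attempts per minute per `rateLimit`'s key)
 *  - 500 when `ADMIN_PASSWORD` is unset or the comparison itself fails
 *
 * Security notes:
 *  - The previous version fell back to a hard-coded hash of `admin123` when
 *    `ADMIN_PASSWORD` was missing, which made every unconfigured deployment
 *    log in with a well-known password. The route now fails closed instead.
 *  - NOTE(review): no session, cookie or token is issued here; the caller is
 *    presumably expected to do that. Verify that later admin routes do not
 *    trust a client-side "logged in" flag derived from this response.
 */
export async function POST(request: NextRequest) {
  // Rate limiting: 5 login attempts per minute.
  const rateLimitError = rateLimit(request, { windowMs: 60000, maxRequests: 5 });
  if (rateLimitError) return rateLimitError;

  // Fail closed: no default credential. Log server-side only; the client
  // gets a generic 500 so configuration state is not revealed.
  const configured = process.env.ADMIN_PASSWORD;
  if (!configured) {
    console.error('ADMIN_PASSWORD is not set; refusing admin login');
    return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 });
  }

  // A malformed body is a client error, not a server error.
  let body: unknown;
  try {
    body = await request.json();
  } catch {
    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
  }

  // bcrypt.compare throws on a non-string, which previously surfaced as a 500.
  const password = extractPassword(body);
  if (password === undefined || password.length === 0 || password.length > MAX_PASSWORD_LENGTH) {
    return NextResponse.json({ error: 'Invalid password' }, { status: 400 });
  }

  try {
    const isValid = await verifyAdminPassword(password, configured);
    if (isValid) {
      return NextResponse.json({ success: true });
    }
    return NextResponse.json({ error: 'Invalid password' }, { status: 401 });
  } catch (error: unknown) {
    console.error('Login error:', error);
    return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 });
  }
}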