<?php

require_once __DIR__ . '/../includes/api_bootstrap.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    sendJson(['success' => false, 'error' => 'Method not allowed'], 405);
}

$body = readJsonBody();
$personId = isset($body['personId']) ? trim((string) $body['personId']) : '';
$pin = isset($body['pin']) ? (string) $body['pin'] : '';

if ($personId === '') {
    sendJson(['success' => false, 'error' => 'personId is required'], 400);
}

$people = normalizePeopleList(readJsonFile('people.json'));
$person = findPersonById($people, $personId);
if ($person === null) {
    sendJson(['success' => false, 'error' => 'Person not found'], 404);
}

$role = $person['role'] ?? '';
$pinHash = $person['pin_hash'] ?? null;

if ($role === ROLE_HEAD && is_string($pinHash) && $pinHash !== '') {
    if ($pin === '' || !password_verify($pin, $pinHash)) {
        sendJson(['success' => false, 'error' => 'PIN required or incorrect'], 403);
    }
    setSessionPerson($personId, true);
} else {
    setSessionPerson($personId, false);
}

sendJson(['success' => true]);