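import { NextResponse } from 'next/server';
import crypto from 'crypto';

/** Upper bound on how long the failed-login notification may delay the response. */
const NTFY_TIMEOUT_MS = 3000;

/**
 * Compare two values for equality without leaking where they differ.
 *
 * Both inputs are hashed first so the buffers handed to
 * `crypto.timingSafeEqual` always have the same length (it throws otherwise).
 *
 * @param {unknown} a - Candidate value, typically request-supplied.
 * @param {unknown} b - Reference value, typically from configuration.
 * @returns {boolean} True only when both are strings with identical content.
 */
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') {
    return false;
  }
  const digestA = crypto.createHash('sha256').update(a).digest();
  const digestB = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(digestA, digestB);
}

/**
 * Resolve the HMAC key used to verify the captcha cookie.
 *
 * The hard-coded development key is public knowledge (it lives in source
 * control), so it is only honoured outside production. With it, anyone could
 * mint a matching `captcha_hash` cookie for any answer.
 *
 * @returns {string | null} The key, or null when production has none configured.
 */
function resolveCaptchaSecret() {
  const configured = process.env.CAPTCHA_SECRET;
  if (configured) {
    return configured;
  }
  return process.env.NODE_ENV === 'production' ? null : 'dev_secret_meow';
}

/**
 * Reduce a request-supplied value to a short, single-line string that is safe
 * to embed in a notification body.
 *
 * @param {unknown} value - Untrusted value from the request body.
 * @returns {string} At most 254 characters, control characters collapsed to spaces.
 */
function toLogSafe(value) {
  if (typeof value !== 'string') {
    return '(non-string value)';
  }
  return value.replace(/[\u0000-\u001f\u007f]+/g, ' ').slice(0, 254);
}

/**
 * Admin login endpoint.
 *
 * Expects a JSON body `{ email, password, captcha }` and a `captcha_hash`
 * cookie holding HMAC-SHA256(secret, lowercased captcha answer) in hex.
 *
 * Responses:
 * - 400 `{ error: 'Invalid or expired captcha' }` when the captcha check fails.
 * - 401 `{ error: 'Invalid credentials' }` when email/password do not match.
 * - 200 `{ success: true, message }` on a match.
 * - 500 `{ error: 'Server error' }` on any unexpected failure or missing
 *   production captcha secret.
 *
 * NOTE(review): nothing in this handler bounds the lifetime of the captcha
 * cookie or makes it single-use, and no attempt throttling is visible here.
 * Confirm the issuing route / middleware covers replay and rate limiting.
 *
 * @param {import('next/server').NextRequest} req - Incoming request.
 * @returns {Promise<NextResponse>} JSON response as described above.
 */
export async function POST(req) {
  try {
    const body = await req.json();
    // A JSON `null` body would make destructuring throw; treat it as empty.
    const { email, password, captcha } = body ?? {};

    const secret = resolveCaptchaSecret();
    if (!secret) {
      // Fail closed rather than verify against a publicly known key.
      console.error('CAPTCHA_SECRET is not set; refusing to verify captchas in production');
      return NextResponse.json({ error: 'Server error' }, { status: 500 });
    }

    const cookieHash = req.cookies.get('captcha_hash')?.value;
    // Reject missing/empty/non-string answers up front instead of hashing ''.
    if (typeof captcha !== 'string' || captcha === '' || !cookieHash) {
      return NextResponse.json({ error: 'Invalid or expired captcha' }, { status: 400 });
    }

    const expectedHash = crypto
      .createHmac('sha256', secret)
      .update(captcha.toLowerCase())
      .digest('hex');

    if (!safeEqual(cookieHash, expectedHash)) {
      return NextResponse.json({ error: 'Invalid or expired captcha' }, { status: 400 });
    }

    const adminEmail = process.env.ADMIN_EMAIL;
    const adminPass = process.env.ADMIN_PASS;

    // Evaluate both comparisons unconditionally so timing does not reveal
    // which field was wrong. safeEqual() is false for non-strings, which also
    // closes the `undefined === undefined` match that occurred when the admin
    // variables were unset and the request omitted email/password.
    const emailMatches = safeEqual(email, adminEmail);
    const passwordMatches = safeEqual(password, adminPass);

    if (adminEmail && adminPass && emailMatches && passwordMatches) {
      // Real implementation would set a JWT or session cookie here
      return NextResponse.json({ success: true, message: 'Welcome back, Master!' });
    }

    // Trigger NTFY alert for failed login
    if (process.env.NTFY_URL) {
      await fetch(process.env.NTFY_URL, {
        method: 'POST',
        // The email is attacker-controlled: flatten and truncate it first.
        body: `Failed login attempt for email: ${toLogSafe(email)}`,
        headers: {
          'Title': 'Kalbot Login Alert',
          'Priority': 'urgent',
          'Tags': 'warning,skull',
        },
        // Keep a slow or unreachable notifier from stalling the login response.
        signal: AbortSignal.timeout(NTFY_TIMEOUT_MS),
      }).catch((e) => console.error("Ntfy error:", e));
    }

    return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
  } catch (err) {
    // Log server-side for diagnosis; the client only sees a generic message.
    console.error('Login handler error:', err);
    return NextResponse.json({ error: 'Server error' }, { status: 500 });
  }
}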