# Enable Rewrite Engine
RewriteEngine On

# -------------------------------------------------
# FIX: Pass Authorization Header to PHP
# -------------------------------------------------
# When a request carries a non-empty Authorization header, copy its value into
# the HTTP_AUTHORIZATION environment variable. The "-" substitution leaves the
# URL untouched and there is no [L] flag, so the routing rules below still run.
# NOTE(review): after an internal rewrite to a .php target the variable may
# reach PHP with a REDIRECT_ prefix; confirm which name the scripts read.
# The value is a credential: keep it out of logs and debug output.
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# -------------------------------------------------
# Handle CORS (Preflight Requests)
# -------------------------------------------------
# These headers are attached to every response served from this directory,
# including the admin API routes below, not only to preflight replies.
# NOTE(review): Allow-Origin "*" combined with Allow-Headers "Authorization"
# lets script on any origin call these endpoints with a token it holds and read
# the response. If the API is only meant for known front ends, restrict the
# allowed origin to those (and send "Vary: Origin" when it is set per request).
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization"

    # Answer every OPTIONS request with 200 and stop rewriting, so a preflight
    # never reaches a PHP script. This matches any path, existing or not.
    # NOTE(review): these are mod_rewrite directives guarded by a mod_headers
    # check; the guard only ensures the CORS headers above are available.
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ - [R=200,L]
</IfModule>

# -------------------------------------------------
# ADMIN API ROUTES
# -------------------------------------------------
# Each rule maps a clean URL (optional trailing slash) to one PHP script and
# stops rewriting ([L]).
# NOTE(review): nothing in this file restricts who may request these routes;
# authentication and the admin-role check must be enforced inside every target
# script. Nothing here blocks direct requests to the .php paths either, so the
# scripts cannot rely on being reached only through these rules.
RewriteRule ^admin/dashboard/stats/?$ admin/dashboard/stats.php [L]
RewriteRule ^admin/deals/?$ admin/deals.php [L]
RewriteRule ^admin/recent-activities/?$ admin/recent-activities.php [L]
RewriteRule ^admin/users/?$ admin/users.php [L]
RewriteRule ^admin/products/?$ admin/products.php [L]
RewriteRule ^admin/orders/?$ admin/orders.php [L]
RewriteRule ^admin/categories/?$ admin/categories.php [L]
RewriteRule ^admin/coupons/?$ admin/coupons.php [L]
# NOTE(review): the next two admin URLs resolve to scripts under dashboard/,
# not admin/; confirm those scripts apply the same admin checks.
RewriteRule ^admin/notifications/?$ dashboard/notifications.php [L]
RewriteRule ^admin/carousel/?$ dashboard/carousel.php [L]
RewriteRule ^admin/delivery-management/?$ admin/delivery_management.php [L]


# -------------------------------------------------
# PUBLIC API ROUTES (Existing rules)
# -------------------------------------------------
# NOTE(review): test.php is published as a public route; confirm it exposes no
# diagnostics or configuration, or drop the rule outside development.
RewriteRule ^test/?$ test.php [L]
RewriteRule ^products/?$ products/index.php [L]
# The captured segment is limited to hex digits and "-" before it becomes the
# id query parameter. The script must still validate it, because single.php can
# also be requested directly with an arbitrary id.
RewriteRule ^products/([0-9a-f-]+)/?$ products/single.php?id=$1 [L]
RewriteRule ^categories/?$ categories/index.php [L]
# The slug is limited to letters, digits and "-".
RewriteRule ^categories/([a-zA-Z0-9-]+)/?$ categories/single.php?slug=$1 [L]
# NOTE(review): the wishlist and profile routes presumably act on the calling
# user; no access control is applied here, so it must live in the scripts.
RewriteRule ^wishlist/?$ wishlist/index.php [L]
RewriteRule ^wishlist/add/?$ wishlist/add.php [L]
# The id is limited to decimal digits.
RewriteRule ^wishlist/remove/([0-9]+)/?$ wishlist/remove.php?id=$1 [L]
RewriteRule ^auth/login/?$ auth/login.php [L]
RewriteRule ^auth/register/?$ auth/register.php [L]
RewriteRule ^auth/profile/?$ auth/profile.php [L]

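# -------------------------------------------------
# Force JSON Content Type for API PHP files (except delivery interface)
# -------------------------------------------------
# Every PHP response except delivery.php is labelled application/json. Together
# with "X-Content-Type-Options: nosniff" this keeps a browser from rendering an
# API response as HTML if a script echoes attacker-influenced text.
#
# delivery.php is excluded in the pattern itself (negative lookahead on the
# file name), so it keeps the Content-Type that PHP emits. The earlier form set
# the header for all .php files and then ran "Header unset Content-Type" for
# delivery.php. mod_headers also records a Content-Type "set" as the request's
# content type, which a later unset of the header does not undo, so that form
# could still serve the HTML interface as JSON.
# NOTE(review): check the response headers of delivery.php and one API script
# after deploying to confirm both carry the intended type.
<FilesMatch "^(?!delivery\.php$).+\.php$">
    <IfModule mod_headers.c>
        Header set Content-Type "application/json; charset=utf-8"
    </IfModule>
</FilesMatch>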

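# -------------------------------------------------
# Security Headers
# -------------------------------------------------
# "always" attaches these headers to error responses as well as successful ones.
<IfModule mod_headers.c>
    # Do not let browsers guess a different type than the declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # Refuse to be rendered inside any frame (clickjacking protection).
    Header always set X-Frame-Options "DENY"
    # Current guidance (e.g. OWASP Secure Headers) is to disable the legacy XSS
    # auditor with "0": modern browsers have removed it, and "1; mode=block"
    # could itself be abused in older ones. Output encoding and a
    # Content-Security-Policy are the real defences.
    Header always set X-XSS-Protection "0"
    # Send only the origin, not the full path and query, to other sites.
    # "no-referrer-when-downgrade" was looser than today's browser default.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # NOTE(review): no Strict-Transport-Security or Content-Security-Policy is
    # set here. If this host is served only over HTTPS, consider adding both,
    # unless they are configured at the virtual-host or proxy level.
</IfModule>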