# All requests under /nadiplayer/api/ are routed to index.php
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /nadiplayer/api/

  # Real files / directories are served directly (helpful for any future static assets)
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # Everything else → front controller
  RewriteRule ^ index.php [QSA,L]
</IfModule>

# Make sure Authorization headers reach PHP (needed for Bearer tokens)
<IfModule mod_setenvif.c>
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} ^(.*)
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]
</IfModule>

# Force no-cache headers at the .htaccess level too. This is critical
# for mobile WebViews / Capacitor where Cloudflare may have cached an
# older SPA response under /api/ paths from before the API folder was
# deployed.
<IfModule mod_headers.c>
  Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
  Header always set Pragma "no-cache"
  Header always set Expires "0"
  Header always set CDN-Cache-Control "no-store"
  Header always set Cloudflare-CDN-Cache-Control "no-store"
</IfModule>

# Block direct access to sensitive files
<FilesMatch "(\.env|config\.php|error\.log)$">
  Require all denied
</FilesMatch>

# Hide "Index of" listings
Options -Indexes

# Larger upload size & longer timeouts (most cPanels honour these)
<IfModule mod_php.c>
  php_value upload_max_filesize 32M
  php_value post_max_size       32M
  php_value max_execution_time  60
</IfModule>
