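!empty($_SESSION['is_admin'])]); }

// POST /api/auth/login
// Checks the submitted password against ADMIN_HASH and, on success, marks the
// current session as admin.
if ($method === 'POST' && $action === 'login') {
    $body = body();
    $pw = $body['password'] ?? '';

    // The branches are mutually exclusive so the admin flag is only ever set
    // in the success branch. json_error() is defined outside this fragment;
    // the grant must not depend on it terminating the request.
    if (!is_string($pw) || $pw === '') {
        // A client-controlled body can carry an array or number here. Passing a
        // non-string to password_verify() raises a TypeError on PHP 8, so such
        // values are rejected as a normal client error instead. The strict
        // comparison (rather than empty()) also stops the literal password "0"
        // from being treated as missing.
        json_error('Password required');
    } elseif (!password_verify($pw, ADMIN_HASH)) {
        // The fixed delay only slows a single sequential guesser; it does not
        // bound parallel attempts.
        // NOTE(review): no per-client rate limit or lockout is visible in this
        // fragment; confirm one is enforced elsewhere.
        sleep(1);
        json_error('Invalid password', 401);
    } else {
        // Rotate the session ID before raising privileges so that an ID known
        // before login (session fixation) does not become an admin session.
        session_regenerate_id(true);
        $_SESSION['is_admin'] = true;
        json_out(['ok' => true]);
    }
}

// POST /api/auth/logout — clears admin only, keeps OAuth user logged in
// NOTE(review): the session ID is not rotated on this privilege drop, and no
// CSRF check is visible in this fragment; confirm both are handled by the caller.
if ($method === 'POST' && $action === 'logout') {
    unset($_SESSION['is_admin']);
    json_out(['ok' => true]);
}

// No auth route matched.
json_error('Not found', 404);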