# Momentum API · routing rules for /public_html/api/
# Pretty URLs: /api/auth/login -> /api/auth.php (PATH_INFO style)

# Turn off content negotiation so that a request such as /api/auth is not
# resolved to auth.php by MultiViews before the rewrite rules below run.
Options -MultiViews
RewriteEngine On

# If the request is for a real file or directory, serve it directly.
# The two conditions are OR-ed; "-" leaves the URL unchanged and [L] ends rule
# processing for this pass, so nothing below applies to existing paths.
# NOTE(review): because of this rule every file that exists in this directory
# is reachable under its literal name. The only file denied in this .htaccess
# is db.php; any other include-only PHP file, backup or dump placed here would
# be served or executed on direct request. Confirm none exist.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Route table: each API resource name maps to the PHP script of the same name.
#   /api/auth[/...]      -> /api/auth.php
#   /api/tasks[/...]     -> /api/tasks.php
#   /api/users[/...]     -> /api/users.php
#   /api/whitelist[/...] -> /api/whitelist.php
#   /api/habits[/...]    -> /api/habits.php
#   /api/settings[/...]  -> /api/settings.php
#   /api/ping            -> /api/ping.php   (exact match only, no sub-path)
# Only the names in the alternation are routed, so a request cannot select an
# arbitrary script through these rules. The substitution is the bare script
# name; the optional sub-path is matched but not copied into it.
RewriteRule ^(auth|tasks|users|whitelist|habits|settings)(/.*)?$  $1.php    [L,QSA]
RewriteRule ^ping$                                                 ping.php  [L,QSA]

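# Block direct HTTP access to db.php; it should only be required by other PHP files.
# Apache 2.4 authorises with "Require"; the 2.2-era Order/Deny pair works there
# only when mod_access_compat is loaded. Each syntax is therefore selected by the
# module that implements it, so the two are never mixed in one configuration.
# NOTE(review): this deny is a fallback. It depends on .htaccess overrides being
# honoured for this directory; keeping db.php outside the document root removes
# that dependency.
<Files "db.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>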

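# Force https (recommended; uncomment after AutoSSL is active).
# When enabling, move these two lines up to directly below "RewriteEngine On".
# At this position they come after the pass-through and routing rules, whose [L]
# flags end processing first, so requests for existing files and for the routed
# API paths would never reach the redirect.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]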

# Disable directory listing
# (a request for a directory with no index file is refused instead of
# returning a generated file list).
Options -Indexes

# Make sure PHP errors don't leak in JSON
# php_flag is provided by the Apache PHP module. Where PHP runs as CGI/FastCGI
# (e.g. PHP-FPM) the directive is not recognised in .htaccess, so display_errors
# has to be turned off in php.ini or a per-directory .user.ini instead.
# NOTE(review): this only keeps errors out of responses; whether they are still
# recorded depends on log_errors/error_log, which this file does not set.
php_flag display_errors Off
