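RewriteEngine On

# Redirect plain-HTTP requests to HTTPS, except for local development.
#
# HTTP_HOST is copied from the client's Host header, so it is not proof that a
# request is local: any client can send "Host: localhost" and keep being served
# over plain HTTP. The pattern is anchored so that only the exact name
# "localhost" (optionally followed by a port) is exempt; an unanchored
# ^localhost would also exempt names such as "localhost.example.com".
# NOTE(review): if the exemption is meant only for requests made from this
# machine, test %{REMOTE_ADDR} rather than the Host header.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^localhost(:[0-9]+)?$
# NOTE(review): the redirect target reuses the client-supplied Host header.
# Writing the site's canonical hostname here instead would keep the Location
# header out of the client's control.
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]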

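# Deny web access (403 Forbidden) to the config/ and includes/ directories.
#
# NC makes the match case-insensitive: on a case-insensitive filesystem a
# request for "Config/..." or "INCLUDES/..." resolves to the same directory and
# would otherwise slip past a case-sensitive pattern.
# NOTE(review): these rules only take effect while mod_rewrite is loaded and
# this .htaccess is honoured. Keeping both directories outside the web root, or
# adding "Require all denied" inside them, does not depend on either.
RewriteRule ^config/ - [F,L,NC]
RewriteRule ^includes/ - [F,L,NC]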

# Admin panel routing: requests under /admin/ that carry no admin_session
# cookie are internally rewritten to /admin/index.php.
#
# The cookie test only checks that the Cookie header contains
# "admin_session=" followed by at least one character. The value is never
# validated here, the pattern is unanchored (a cookie whose name merely ends in
# "admin_session" also satisfies it), and the header is fully client-controlled.
# This is therefore routing convenience, not access control: each script under
# /admin/ must verify the session server-side.
# These rules do not match /api/admin/, which is handled by the API routing
# rules in this file.
# NOTE(review): the REQUEST_URI condition assumes this file sits in the
# document root - confirm.
RewriteCond %{REQUEST_URI} ^/admin/
RewriteCond %{HTTP_COOKIE} !admin_session=[^;]+
RewriteRule ^admin/(.*)$ /admin/index.php [L]

# API routing: /api/user/<name> and /api/admin/<name> (optional trailing slash)
# are rewritten to the matching api.php, with <name> passed as the "endpoint"
# query parameter.
#
# QSA appends the client's original query string after endpoint=<name>, so a
# request can carry an endpoint= parameter of its own, and the [^/]+
# restriction does not apply to that value.
# NOTE(review): PHP keeps the last value of a repeated parameter, so api.php
# may see the client-supplied one. Confirm that api.php checks endpoint against
# a fixed list of known names and never uses it to build a file path.
# NOTE(review): no rule in this file authenticates /api/admin/ requests -
# confirm that /api/admin/api.php enforces this itself.
RewriteRule ^api/user/([^/]+)/?$ /api/user/api.php?endpoint=$1 [QSA,L]
RewriteRule ^api/admin/([^/]+)/?$ /api/admin/api.php?endpoint=$1 [QSA,L]

# Frontend routing (front controller): a request that does not resolve to an
# existing file (-f) or directory (-d) is rewritten to /index.php, with the
# requested path passed in the "path" query parameter.
#
# Requests that do resolve to an existing file or directory are not rewritten
# by this rule, so anything in the web root that an earlier rule does not deny
# stays directly reachable.
# QSA appends the client's own query string after path=<requested path>, so the
# request may carry a second path= parameter.
# NOTE(review): index.php should treat path as untrusted input - confirm that
# it is validated before use.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?path=$1 [QSA,L]