<?php
if (isset($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);
session_start();
require_once '/var/www/weval/wevia-ia/authentik-trust.php'; // SSO gate
if (empty($_SESSION["weval_auth"])) {
    // Show login page content directly (no redirect, no 401)
    http_response_code(200);
    readfile("/var/www/html/weval-login.html");
    exit;
}
$path = preg_replace("#^/wevia-center#", "", $_SERVER["REQUEST_URI"]);
if (!$path || $path === "" || $path === "/") $path = "/";
$ch = curl_init("http://10.1.0.3:5880" . $path);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HTTPHEADER => ["Host: 10.1.0.3:5880"],
    CURLOPT_USERPWD => "weval:YacineWeval2026"
]);
$body = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$ct = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
curl_close($ch);
// NEVER forward 401 - show login page instead
if ($code == 401 || $code == 403) {
    http_response_code(200);
    readfile("/var/www/html/weval-login.html");
    exit;
}
// Strip any WWW-Authenticate header
header_remove("WWW-Authenticate");
header("Content-Type: " . ($ct ?: "text/html"));
http_response_code(200);
echo $body;