# Turn on mod_rewrite; every RewriteRule/RewriteCond in this file depends on it.
RewriteEngine On

# Custom error pages - use server's default styling
# ("default" selects Apache's built-in 404 response, overriding any custom
# ErrorDocument inherited from a parent configuration).
ErrorDocument 404 default

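# Security: Deny direct access to sensitive directories.
# Each rule answers 403 Forbidden ([F]) for any URL below the listed prefix.
# The patterns carry no leading slash, i.e. they assume per-directory
# (.htaccess / <Directory>) context at the application root.
# [NC] makes the match case-insensitive: without it a differently-cased
# request such as SRC/Config/ would not match the rule, and on a
# case-insensitive filesystem it would still resolve to the protected files.
RewriteRule ^src/shared/ - [F,L,NC]
RewriteRule ^src/templates/ - [F,L,NC]
RewriteRule ^src/config/ - [F,L,NC]
RewriteRule ^src/router/ - [F,L,NC]
RewriteRule ^src/modules/Api/ - [F,L,NC]
RewriteRule ^libraries/ - [F,L,NC]
RewriteRule ^database/ - [F,L,NC]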

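# Security: Deny direct access to specific sensitive files (403 Forbidden).
# These live under src/modules/, which is not blocked as a whole, so each
# file is listed explicitly. Dots are escaped and the pattern is anchored
# with ^...$ so only the exact file name matches.
# [NC] closes the differently-cased-path gap on case-insensitive filesystems.
# TwoFactorAuthController.php is also matched by the generic
# *Controller.php rule further down in this file.
# NOTE(review): only crypto.php and totp.php are covered in 2FA/config/, and
# no other module's config/ directory is covered at all. Confirm nothing
# else sensitive lives there, or deny the directories instead of the files.
RewriteRule ^src/modules/2FA/TwoFactorAuthController\.php$ - [F,L,NC]
RewriteRule ^src/modules/2FA/config/crypto\.php$ - [F,L,NC]
RewriteRule ^src/modules/2FA/config/totp\.php$ - [F,L,NC]
RewriteRule ^src/modules/LinkTokens/SetPasswordView\.php$ - [F,L,NC]
RewriteRule ^src/modules/LinkTokens/LinkRequestView\.php$ - [F,L,NC]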

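# Security: keep MVC source files from being requested by their file path.
# [NC] is added throughout so a differently-cased path cannot bypass these
# rules on a case-insensitive filesystem.

# Controllers and models directly inside any module directory are refused
# with 403 Forbidden (they are not redirected).
RewriteRule ^src/modules/[^/]+/[^/]+Controller\.php$ - [F,L,NC]
RewriteRule ^src/modules/[^/]+/[^/]+Model\.php$ - [F,L,NC]

# Known view files are sent to their routed URL with a permanent redirect,
# so the request goes through the front controller instead of the raw file.
# NOTE(review): this is an explicit list of eight views. Any other
# *View.php that exists on disk is not matched here and would be served
# directly by the existing-file exemption in the front-controller rules
# below. Confirm the list is complete whenever a module is added.
RewriteRule ^src/modules/InitialSetup/InitialSetupView\.php$ /setup [R=301,L,NC]
RewriteRule ^src/modules/Login/LoginView\.php$ /login [R=301,L,NC]
RewriteRule ^src/modules/2FA/TwoFactorSetupView\.php$ /2fa/setup [R=301,L,NC]
RewriteRule ^src/modules/2FA/TwoFactorVerifyView\.php$ /2fa [R=301,L,NC]
RewriteRule ^src/modules/MyFiles/MyFilesView\.php$ /myfiles [R=301,L,NC]
RewriteRule ^src/modules/IPs/IPView\.php$ /ips [R=301,L,NC]
RewriteRule ^src/modules/Users/UsersView\.php$ /users [R=301,L,NC]
RewriteRule ^src/modules/CreateAccount/CreateAccountView\.php$ /create-account [R=301,L,NC]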

# Handle all other requests by rewriting to index.php (front controller pattern).
# This is an internal rewrite, not an HTTP redirect: the client's URL is unchanged.
# The two RewriteCond lines apply only to the single RewriteRule that follows them.
# NOTE(review): because existing files are exempted, every file under the
# document root that is not matched by a deny rule earlier in this file is
# served (or executed, for .php) directly. The protection above is therefore
# a deny-list; anything not listed is reachable. Consider a default-deny for
# src/ with explicit exceptions for public assets - confirm against the
# actual directory layout.
# Only rewrite if the requested path is not an existing regular file
RewriteCond %{REQUEST_FILENAME} !-f
# Only rewrite if the requested path is not an existing directory
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite everything else to index.php; [QSA] appends the original query string
RewriteRule ^(.*)$ index.php [QSA,L]

# Copy the request's Authorization header verbatim into the HTTP_AUTHORIZATION
# environment variable. Presumably needed because the PHP handler in use
# (CGI/FastCGI setups commonly) does not receive this header otherwise -
# confirm against the deployment.
# NOTE(review): the variable holds the client's credential or bearer token,
# so anything that prints the environment (phpinfo(), debug dumps, verbose
# error pages) would expose it; keep such output disabled in production.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1