<?php
require 'config.php';

$id = $_GET['id'] ?? '';
$password = $_GET['password'] ?? '';

if (!$id || !$password) {
    http_response_code(403);
    exit;
}

$stmt = $pdo->prepare("SELECT filepath, file_password FROM files WHERE id = ?");
$stmt->execute([$id]);
$file = $stmt->fetch();

if ($file && password_verify($password, $file['file_password'])) {

    // 🔥 PATH ASSOLUTO SICURO
    $fullPath = __DIR__ . '/' . $file['filepath'];

    if (file_exists($fullPath)) {

        $ext = strtolower(pathinfo($fullPath, PATHINFO_EXTENSION));
        $mime = ($ext === 'mp3') ? 'audio/mpeg' : 'audio/wav';

        header("Content-Type: $mime");
        header("Content-Length: " . filesize($fullPath));
        readfile($fullPath);
        exit;
    }
}

http_response_code(404);
exit;