async function fetchCsrfToken() {
  const res = await fetch('/api/csrf-token', { credentials: 'same-origin' });
  if (!res.ok) throw new Error('Failed to fetch CSRF token');
  const data = await res.json();
  return data.csrfToken;
}

document.getElementById('login-form').addEventListener('submit', async (e) => {
  e.preventDefault();
  const password = document.getElementById('password').value;
  const errorEl = document.getElementById('error');
  errorEl.classList.remove('visible');

  try {
    const csrfToken = await fetchCsrfToken();
    const res = await fetch('/login', {
      method: 'POST',
      credentials: 'same-origin',
      headers: {
        'Content-Type': 'application/json',
        'x-csrf-token': csrfToken
      },
      body: JSON.stringify({ password })
    });
    if (res.ok) {
      window.location.href = '/';
    } else {
      const data = await res.json().catch(() => ({}));
      errorEl.textContent = data.error || 'Invalid password';
      errorEl.classList.add('visible');
    }
  } catch (err) {
    errorEl.textContent = 'Login failed. Please try again.';
    errorEl.classList.add('visible');
  }
});