Initial commit: Flutter app + PHP/MySQL backend on Hostinger

Replaces Firebase with a self-hosted PHP/MySQL API served from
winded.prymsolutions.com. Includes full backend (schema, auth, events,
teams, brackets, suggestions, stats, media, file upload) and updated
Flutter repositories and domain models.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/api/teams/detail.php

@@ -0,0 +1,84 @@
+<?php
+require_once __DIR__ . '/../config/helpers.php';
+cors();
+
+$id     = $_GET['id'] ?? '';
+$method = $_SERVER['REQUEST_METHOD'];
+$db     = db();
+
+if ($id === '') json_err('Missing id');
+
+function load_team(PDO $db, string $id): ?array {
+    $stmt = $db->prepare('SELECT * FROM teams WHERE id = ?');
+    $stmt->execute([$id]);
+    $row = $stmt->fetch();
+    if (!$row) return null;
+    $ps = $db->prepare('SELECT * FROM players WHERE team_id = ? ORDER BY name');
+    $ps->execute([$id]);
+    $row['players'] = $ps->fetchAll();
+    return $row;
+}
+
+if ($method === 'GET') {
+    $team = load_team($db, $id);
+    if (!$team) json_err('Not found', 404);
+    json_ok($team);
+}
+
+if ($method === 'PUT') {
+    $payload = require_auth();
+    $b       = body();
+
+    // Allow admin or the team's own manager
+    $stmt = $db->prepare('SELECT manager_id FROM teams WHERE id = ?');
+    $stmt->execute([$id]);
+    $t = $stmt->fetch();
+    if (!$t) json_err('Not found', 404);
+    if ($payload['role'] !== 'admin' && $payload['uid'] !== $t['manager_id']) {
+        json_err('Forbidden', 403);
+    }
+
+    // Update scalar fields
+    $allowed = ['name','description','logo_url','primary_color','manager_email',
+                'manager_phone','wins','draws','losses','status'];
+    $fields = []; $params = [];
+    foreach ($allowed as $f) {
+        if (array_key_exists($f, $b)) { $fields[] = "$f = ?"; $params[] = $b[$f]; }
+    }
+    if (!empty($fields)) {
+        $params[] = $id;
+        $db->prepare('UPDATE teams SET ' . implode(', ', $fields) . ' WHERE id = ?')->execute($params);
+    }
+
+    // Sync players if provided
+    if (isset($b['players']) && is_array($b['players'])) {
+        $db->prepare('DELETE FROM players WHERE team_id = ?')->execute([$id]);
+        foreach ($b['players'] as $p) {
+            $pid = $p['id'] ?? uuid();
+            $db->prepare(
+                'INSERT INTO players (id, team_id, user_id, name, number, position, goals_scored, assists)
+                 VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
+            )->execute([
+                $pid, $id,
+                $p['user_id']     ?? null,
+                $p['name']        ?? '',
+                $p['number']      ?? null,
+                $p['position']    ?? null,
+                (int)($p['goals_scored'] ?? 0),
+                (int)($p['assists']      ?? 0),
+            ]);
+        }
+    }
+
+    json_ok(load_team($db, $id));
+}
+
+if ($method === 'DELETE') {
+    require_admin();
+    $db->prepare('DELETE FROM players WHERE team_id = ?')->execute([$id]);
+    $db->prepare('DELETE FROM join_requests WHERE team_id = ?')->execute([$id]);
+    $db->prepare('DELETE FROM teams WHERE id = ?')->execute([$id]);
+    json_ok(['deleted' => true]);
+}
+
+json_err('Method not allowed', 405);

server/api/teams/index.php

@@ -0,0 +1,56 @@
+<?php
+require_once __DIR__ . '/../config/helpers.php';
+cors();
+
+$method = $_SERVER['REQUEST_METHOD'];
+$db     = db();
+
+function team_with_players(PDO $db, array $row): array {
+    $stmt = $db->prepare('SELECT * FROM players WHERE team_id = ? ORDER BY name');
+    $stmt->execute([$row['id']]);
+    $row['players'] = $stmt->fetchAll();
+    return $row;
+}
+
+if ($method === 'GET') {
+    $admin = isset($_GET['all']);
+    if ($admin) require_admin();
+    $sql  = $admin
+        ? 'SELECT * FROM teams ORDER BY name'
+        : "SELECT * FROM teams WHERE status = 'approved' ORDER BY name";
+    $rows = $db->query($sql)->fetchAll();
+    $rows = array_map(fn($r) => team_with_players($db, $r), $rows);
+    json_ok(['teams' => $rows]);
+}
+
+if ($method === 'POST') {
+    $payload = require_auth();
+    $b       = body();
+    $id      = uuid();
+    $role    = $payload['role'];
+    $status  = ($role === 'admin') ? 'approved' : 'pending';
+
+    $db->prepare(
+        'INSERT INTO teams (id, name, description, logo_url, primary_color, status,
+         manager_id, manager_email, manager_phone)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
+    )->execute([
+        $id,
+        $b['name']          ?? '',
+        $b['description']   ?? null,
+        $b['logo_url']      ?? null,
+        $b['primary_color'] ?? null,
+        $status,
+        $payload['uid'],
+        $b['manager_email'] ?? $payload['email'],
+        $b['manager_phone'] ?? null,
+    ]);
+
+    // Stamp team on manager profile
+    $db->prepare('UPDATE users SET team_id = ?, role = ? WHERE id = ?')
+       ->execute([$id, 'manager', $payload['uid']]);
+
+    json_ok(['id' => $id, 'status' => $status], 201);
+}
+
+json_err('Method not allowed', 405);

server/api/teams/join_requests.php

@@ -0,0 +1,88 @@
+<?php
+require_once __DIR__ . '/../config/helpers.php';
+cors();
+
+$method  = $_SERVER['REQUEST_METHOD'];
+$db      = db();
+
+if ($method === 'GET') {
+    $payload = require_auth();
+    if (isset($_GET['team_id'])) {
+        // Manager or admin fetching a team's requests
+        $stmt = $db->prepare(
+            'SELECT * FROM join_requests WHERE team_id = ? ORDER BY requested_at DESC'
+        );
+        $stmt->execute([$_GET['team_id']]);
+    } elseif (isset($_GET['player_id'])) {
+        $stmt = $db->prepare(
+            'SELECT * FROM join_requests WHERE player_id = ? ORDER BY requested_at DESC'
+        );
+        $stmt->execute([$_GET['player_id']]);
+    } else {
+        json_err('Provide team_id or player_id');
+    }
+    json_ok(['requests' => $stmt->fetchAll()]);
+}
+
+if ($method === 'POST') {
+    $payload     = require_auth();
+    $b           = body();
+    $team_id     = $b['team_id']     ?? '';
+    $player_id   = $payload['uid'];
+    $player_name = $b['player_name'] ?? '';
+    $player_email= $b['player_email']?? $payload['email'];
+    $team_name   = $b['team_name']   ?? '';
+
+    if ($team_id === '') json_err('team_id required');
+
+    // Idempotent: return existing pending request if one exists
+    $stmt = $db->prepare(
+        "SELECT id FROM join_requests WHERE team_id=? AND player_id=? AND status='pending'"
+    );
+    $stmt->execute([$team_id, $player_id]);
+    $existing = $stmt->fetch();
+    if ($existing) json_ok(['id' => $existing['id']]);
+
+    $id = uuid();
+    $db->prepare(
+        'INSERT INTO join_requests (id, team_id, team_name, player_id, player_name, player_email)
+         VALUES (?, ?, ?, ?, ?, ?)'
+    )->execute([$id, $team_id, $team_name, $player_id, $player_name, $player_email]);
+    json_ok(['id' => $id], 201);
+}
+
+if ($method === 'PUT') {
+    $payload   = require_auth();
+    $b         = body();
+    $request_id= $_GET['id'] ?? ($b['id'] ?? '');
+    $status    = $b['status'] ?? '';
+
+    if ($request_id === '' || $status === '') json_err('id and status required');
+    if (!in_array($status, ['approved','rejected'])) json_err('Invalid status');
+
+    $db->prepare('UPDATE join_requests SET status = ? WHERE id = ?')
+       ->execute([$status, $request_id]);
+
+    if ($status === 'approved') {
+        // Stamp team_id on the player's profile
+        $stmt = $db->prepare('SELECT * FROM join_requests WHERE id = ?');
+        $stmt->execute([$request_id]);
+        $req = $stmt->fetch();
+        if ($req) {
+            $db->prepare('UPDATE users SET team_id = ? WHERE id = ?')
+               ->execute([$req['team_id'], $req['player_id']]);
+            // Add player to players table
+            $exists = $db->prepare('SELECT id FROM players WHERE team_id=? AND user_id=?');
+            $exists->execute([$req['team_id'], $req['player_id']]);
+            if (!$exists->fetch()) {
+                $db->prepare(
+                    'INSERT INTO players (id, team_id, user_id, name) VALUES (?, ?, ?, ?)'
+                )->execute([uuid(), $req['team_id'], $req['player_id'], $req['player_name']]);
+            }
+        }
+    }
+
+    json_ok(['updated' => true]);
+}
+
+json_err('Method not allowed', 405);