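// Validate a posted session token against the login_keys table and report the
// outcome as JSON. The token must exist, must not be past token_expires_at, and
// must belong to the device_id sent with the request.
//
// Response messages (runtime strings, kept as the client receives them):
//   'Token hết hạn'      - the token has expired
//   'Sai thiết bị'       - the token is bound to a different device
//   'Token không hợp lệ' - no such token
//
// NOTE(review): the three distinct messages tell a caller whether a guessed or
// stolen token exists, has expired, or is bound to another device. If the client
// does not need that distinction, return one generic failure message instead.
// NOTE(review): the lookup compares the raw posted value with the session_token
// column, so tokens appear to be stored as-is. Storing only a hash of the token
// and looking up by that hash would limit the impact of a database read leak.
$token = $_POST['session_token'] ?? '';
$device_id = $_POST['device_id'] ?? '';

// Only a non-empty string can be a real token. Without this guard an empty
// value would match any row whose session_token is an empty string, and an
// array-valued field (session_token[]=...) would be cast to text for the query.
$token_row_found = false;
if (is_string($token) && $token !== '') {
    // Parameterized lookup: the token is bound, never interpolated into the SQL.
    $stmt = $mysqli->prepare("SELECT id, token_expires_at, device_id FROM login_keys WHERE session_token = ?");
    $stmt->bind_param("s", $token);
    $stmt->execute();
    $stmt->store_result();

    if ($stmt->num_rows > 0) {
        $stmt->bind_result($id, $token_expires_at, $db_device_id);
        $stmt->fetch();
        $token_row_found = true;
    }

    // The bound variables keep their fetched values; release the statement.
    $stmt->close();
}

if ($token_row_found) {
    // A missing or unparseable expiry is treated as expired (fail closed).
    // NOTE(review): strtotime() reads the value in PHP's default timezone;
    // confirm it matches the timezone the database uses for token_expires_at.
    $expires_ts = is_string($token_expires_at) ? strtotime($token_expires_at) : false;
    if ($expires_ts === false || $expires_ts < time()) {
        echo json_encode(['status' => 'error', 'message' => 'Token hết hạn']);
        exit;
    }

    // Device binding: both sides must be strings and match exactly. hash_equals()
    // gives the same result as === on strings, without an early-exit comparison.
    if (!is_string($device_id) || !is_string($db_device_id) || !hash_equals($db_device_id, $device_id)) {
        echo json_encode(['status' => 'error', 'message' => 'Sai thiết bị']);
        exit;
    }

    echo json_encode(['status' => 'success']);
} else {
    echo json_encode(['status' => 'error', 'message' => 'Token không hợp lệ']);
}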