# Copy the request's Authorization header into the HTTP_AUTHORIZATION
# environment variable so the PHP handlers can read it (presumably because the
# PHP SAPI in use does not expose the header itself; confirm).
# The pattern also matches an empty value, so the variable is set on every
# request, with an empty string when the header is absent.
# The value is a credential: keep it out of environment dumps and debug output.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} (.*)
    # "-" leaves the URL untouched; the rule exists only for its E= side effect.
    RewriteRule ^ - [E=HTTP_AUTHORIZATION:%1]
</IfModule>

# Clean-URL routes mapped onto the PHP handlers in this directory.
# These rules are outside the <IfModule mod_rewrite.c> guard, so the file only
# parses when mod_rewrite is loaded, and they rely on the "RewriteEngine On"
# set inside that guard.
# The rewrites add no access control: the handlers stay reachable under their
# .php names too, so authentication and authorisation must be enforced in the
# scripts themselves.

# NOTE(review): QSA appends the client's query string after id=$1, so a request
# that carries its own id= parameter reaches submit_exam.php with two id values.
# Confirm which one the script uses, and that nothing upstream (logging,
# filtering, access rules) trusts the id taken from the path.
RewriteRule ^lessons/([0-9]+)/exam$ submit_exam.php?id=$1 [QSA,L]

# No query string in these substitutions, so the client's query string is passed
# through unchanged by default and QSA is not needed.
RewriteRule ^auth/change-password$ change_password.php [L]
RewriteRule ^auth/upload-avatar$ upload_avatar.php [L]
RewriteRule ^auth/delete-account$ delete_account.php [L]
RewriteRule ^word-of-day$ random_word.php [L]

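# Deny direct HTTP access to files that hold secrets. This is required, not
# optional: firebase-service-account.json holds service-account credentials,
# and config.php presumably holds application secrets (confirm).
# Preferred fix: store the service-account file outside the document root so
# that exposure does not depend on this file being honoured (AllowOverride).
#
# Apache 2.4 uses "Require all denied" (mod_authz_core). The 2.2-style
# Order/Deny directives work on 2.4 only through mod_access_compat and make the
# server return a 500 error when that module is absent, so each syntax is
# selected by the module that provides it.
# "Require" in .htaccess needs AllowOverride AuthConfig; Order/Deny need Limit.
<Files "firebase-service-account.json">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
<Files "config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>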