from fastapi import APIRouter, Depends, HTTPException, status
from pydantic import BaseModel
from sqlalchemy import select
from sqlalchemy.orm import Session

from app.api.deps import AuthSession, require_admin_session, require_client_session
from app.core.config import settings
from app.core.security import issue_token
from app.db.session import get_db
from app.models.client_access import ClientAccount

router = APIRouter(prefix="/api/auth", tags=["auth"])


class LoginRequest(BaseModel):
    email: str
    password: str


class SessionResponse(BaseModel):
    name: str
    email: str
    role: str
    tenant_id: str | None = None
    token: str


def _build_session_response(*, name: str, email: str, role: str, tenant_id: str | None = None) -> SessionResponse:
    token = issue_token({"name": name, "email": email, "role": role, "tenant_id": tenant_id})
    return SessionResponse(name=name, email=email, role=role, tenant_id=tenant_id, token=token)


@router.post("/client/login", response_model=SessionResponse)
def client_login(payload: LoginRequest, db: Session = Depends(get_db)):
    if payload.email.strip().lower() != settings.client_email.lower() or payload.password != settings.client_password:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")

    client_account = db.scalar(select(ClientAccount).where(ClientAccount.tenant_id == settings.client_tenant_id))
    if client_account is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client account is not configured")

    return _build_session_response(
        name=settings.client_name,
        email=settings.client_email,
        role="client",
        tenant_id=client_account.tenant_id,
    )


@router.post("/admin/login", response_model=SessionResponse)
def admin_login(payload: LoginRequest):
    if payload.email.strip().lower() != settings.admin_email.lower() or payload.password != settings.admin_password:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid admin email or password")

    return _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")


@router.get("/client/session", response_model=SessionResponse)
def read_client_session(session: AuthSession = Depends(require_client_session)):
    return _build_session_response(name=session.name, email=session.email, role=session.role, tenant_id=session.tenant_id)


@router.get("/admin/session", response_model=SessionResponse)
def read_admin_session(session: AuthSession = Depends(require_admin_session)):
    return _build_session_response(name=session.name, email=session.email, role=session.role)