"""Auth routes: login/logout, magic-link consume, bootstrap, account setup."""

from fastapi import APIRouter, Form, Request, Response
from fastapi.responses import HTMLResponse, RedirectResponse

import auth
from db import execute, query_one
from deps import current_user, render, require_user

router: APIRouter = APIRouter()

# Attributes applied to every Set-Cookie that carries the session cookie.
# secure=True means the browser only stores/sends it over HTTPS (so it will
# not be set on a plain-http development origin); httponly keeps it out of
# document.cookie; samesite=lax withholds it on cross-site POSTs.
SESSION_COOKIE_KW = {
    "httponly": True,
    "secure": True,
    "samesite": "lax",
    # auth.SESSION_TTL_DAYS is a day count; Set-Cookie max_age is in seconds.
    "max_age": auth.SESSION_TTL_DAYS * 86400,
}


@router.get("/login", response_class=HTMLResponse)
def login_form(request: Request, error: str = "", email: str = ""):
    """Render the login page, or send an already-authenticated visitor to ``/``.

    ``error`` and ``email`` come from the query string and are handed to the
    template unchanged (used to re-fill the form after a failed submit).
    """
    already_signed_in = current_user(request) is not None
    if already_signed_in:
        return RedirectResponse("/", status_code=303)
    return render("login.html", error=error, email=email)


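@router.post("/login")
def login_submit(
    request: Request, response: Response,
    email: str = Form(...), password: str = Form(...),
):
    """Check email/password and start a session.

    Success: stamps ``last_login_at``, sets the session cookie and 303s to ``/``.
    Failure: re-renders the login form with one generic message for both
    unknown-email and wrong-password, so the response body does not reveal
    whether the address is registered.  ``role`` is selected but not used here.
    """
    normalized_email = email.lower().strip()
    row = query_one(
        "SELECT id, password_hash, role FROM user WHERE email = ?",
        (normalized_email,),
    )
    # Run the password check even when no row matched, so the unknown-email
    # path costs roughly what the wrong-password path costs instead of
    # short-circuiting past the hash entirely (a timing hint for enumeration).
    # A missing/NULL stored hash already reaches verify_password as "" on the
    # existing-row path, so this reuses an input the helper already handles.
    # NOTE(review): how well this equalises timing depends on what
    # auth.verify_password does with an empty stored hash — confirm.
    stored_hash = (row["password_hash"] if row else None) or ""
    password_ok = auth.verify_password(password, stored_hash)
    if not row or not password_ok:
        return render("login.html", error="Invalid email or password.", email=email)
    execute("UPDATE user SET last_login_at = CURRENT_TIMESTAMP WHERE id = ?", (row["id"],))
    cookie = auth.create_session_cookie(row["id"])
    resp = RedirectResponse("/", status_code=303)
    resp.set_cookie(auth.SESSION_COOKIE, cookie, **SESSION_COOKIE_KW)
    return resp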


@router.post("/logout")
def logout():
    """Clear the session cookie and send the browser back to ``/login``.

    NOTE(review): this only removes the cookie from the browser; whether the
    session token itself stops being accepted server-side depends on how
    auth.create_session_cookie issues it — confirm if revocation matters.
    """
    redirect = RedirectResponse("/login", status_code=303)
    redirect.delete_cookie(auth.SESSION_COOKIE)
    return redirect


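def _session_redirect(user_id, target: str) -> RedirectResponse:
    """Issue a fresh session cookie for ``user_id`` and 303 to ``target``.

    Shared by the two link-consumption routes below so the cookie attributes
    (``SESSION_COOKIE_KW``) are applied in exactly one place.
    """
    resp = RedirectResponse(target, status_code=303)
    resp.set_cookie(auth.SESSION_COOKIE, auth.create_session_cookie(user_id),
                    **SESSION_COOKIE_KW)
    return resp


@router.get("/auth/magic")
def magic_consume(token: str):
    """Redeem a magic-link token from the query string and start a session.

    NOTE(review): this is a GET with a side effect (the token is consumed).
    Link-prefetching mail clients and URL scanners can use up a one-shot
    token before the person clicks it, and the token ends up in access logs
    and browser history; a landing page that POSTs the token is the usual
    mitigation — confirm whether that matters for this deployment.
    """
    user = auth.consume_magic_link(token)
    if user is None:
        return render("auth_error.html",
                      message="That magic link is expired or already used.")
    return _session_redirect(user.id, "/")


@router.get("/auth/bootstrap")
def bootstrap_consume(token: str):
    """One-shot bootstrap link printed at first boot — lands on account-setup form.

    Same GET-side-effect caveat as ``magic_consume``.
    NOTE(review): this calls the same auth.consume_magic_link as /auth/magic;
    confirm the token records which flow minted it, otherwise the two
    endpoints accept each other's links.
    """
    user = auth.consume_magic_link(token)
    if user is None:
        return render("auth_error.html",
                      message="Bootstrap link is expired or already used.")
    return _session_redirect(user.id, "/account/setup")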


@router.get("/account/setup", response_class=HTMLResponse)
def account_setup_form(request: Request, error: str = ""):
    """Show the account-setup form for the signed-in user.

    ``require_user`` is relied on to reject anonymous requests; ``error`` is
    echoed into the template for re-display after a failed submit.
    """
    signed_in_user = require_user(request)
    return render("account_setup.html", user=signed_in_user, error=error)


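@router.post("/account/setup")
def account_setup_submit(
    request: Request,
    email: str = Form(...), name: str = Form(""),
    password: str = Form(...), password_confirm: str = Form(...),
):
    """Set the signed-in user's email, display name and password.

    Checks, in order: password confirmation, minimum length, email shape,
    email uniqueness (excluding the user's own row).  Any failure re-renders
    the form with a single error; success 303s to ``/``.

    NOTE(review): there is no current-password check, which fits the
    bootstrap flow this is named for, but the route is reachable by any
    signed-in user at any time, so a hijacked session could rotate the
    credentials — confirm that is intended.
    """
    user = require_user(request)

    def _reject(error: str):
        # Every validation failure re-renders the same template with one message.
        return render("account_setup.html", user=user, error=error)

    if password != password_confirm:
        return _reject("Passwords do not match.")
    if len(password) < 10:
        return _reject("Password must be at least 10 characters.")
    email = email.lower().strip()
    # Form(...) only requires the field to be present: a blank or '@'-less
    # value would otherwise be written to the user row as-is.
    if not email or "@" not in email:
        return _reject("Enter a valid email address.")
    # NOTE(review): this pre-check races with a concurrent change to the same
    # address; only a UNIQUE constraint on user.email actually guarantees it.
    taken = query_one("SELECT id FROM user WHERE email = ? AND id != ?", (email, user.id))
    if taken:
        return _reject("That email is already in use.")
    execute(
        "UPDATE user SET email = ?, name = ?, password_hash = ? WHERE id = ?",
        (email, name.strip() or None, auth.hash_password(password), user.id),
    )
    return RedirectResponse("/", status_code=303)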
