"""
Auth dependencies for FastAPI (get_current_user, require_auth, require_admin).
Expects app.state.auth_service to be set. If it is missing, get_current_user
returns None, so every route behind require_auth answers 401.
"""
from typing import Optional

from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer
from fastapi import Request

from backend.auth.schemas import UserInfo

# Bearer-token extractor shared by the dependencies below. auto_error=False
# makes a missing Authorization header resolve to None instead of an automatic
# 401, so a route is only protected when it depends on require_auth or
# require_admin; depending on get_current_user alone leaves it open to
# anonymous callers.
oauth2_scheme = OAuth2PasswordBearer(
    tokenUrl="/auth/login",
    auto_error=False,
)


async def get_current_user(
    request: Request,
    token: Optional[str] = Depends(oauth2_scheme),
) -> Optional[UserInfo]:
    """Map the request's bearer token to a UserInfo, or None when that fails.

    Every failure collapses to None: no token, no ``auth_service`` on
    ``app.state``, a token that ``verify_token`` rejects, a payload without
    ``sub``, or a user the auth service does not return. This dependency never
    raises 401 itself; enforcement is left to ``require_auth``.

    Args:
        request: Incoming request, used only to reach ``app.state.auth_service``.
        token: Bearer token from ``oauth2_scheme``; None when the header is absent.

    Returns:
        A ``UserInfo`` built from the auth service's user record, or None.
    """
    if not token:
        return None

    # A missing service is treated like a bad token (fail closed), so a wiring
    # mistake surfaces as "nobody is authenticated" rather than as an error.
    service = getattr(request.app.state, "auth_service", None)
    claims = service.verify_token(token) if service else None
    subject = claims.get("sub") if claims else None
    if not subject:
        return None

    # The user is re-read from the auth service on each call; only "sub" is
    # taken from the token, so role flags come from this record, not the JWT.
    # NOTE(review): authenticate_user is called with an empty password just to
    # load the record. auth_service is not visible here -- confirm it cannot
    # accept an empty password on the credential-login path, and prefer a
    # dedicated lookup-by-username method if the service has one.
    record = service.authenticate_user(subject, "", include_profile=False)
    return UserInfo(**record) if record else None


async def require_auth(
    current_user: Optional[UserInfo] = Depends(get_current_user),
) -> UserInfo:
    """Return the authenticated user, rejecting anonymous requests.

    Args:
        current_user: Result of ``get_current_user``; None when the request
            carried no usable bearer token.

    Returns:
        The resolved ``UserInfo``.

    Raises:
        HTTPException: 401 with a ``WWW-Authenticate: Bearer`` challenge when
            no user was resolved. Missing and invalid tokens get the same
            response, so the reply does not reveal which check failed.
    """
    if current_user:
        return current_user

    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Not authenticated",
        headers={"WWW-Authenticate": "Bearer"},
    )


async def require_admin(
    current_user: UserInfo = Depends(require_auth),
) -> UserInfo:
    """Return the user only if they hold the admin or super admin role.

    Both roles can create/view users and roles. Authentication is handled
    first by ``require_auth``, so an anonymous caller gets 401 before this
    check runs.

    Args:
        current_user: Authenticated user supplied by ``require_auth``.

    Returns:
        The same ``UserInfo`` when the role check passes.

    Raises:
        HTTPException: 403 when neither ``is_admin`` nor ``is_super_admin``
            is truthy.
    """
    # is_super_admin is read with a False default, so a UserInfo without that
    # attribute is denied rather than granted access.
    has_admin_role = current_user.is_admin or getattr(
        current_user, "is_super_admin", False
    )
    if has_admin_role:
        return current_user

    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail="Admin or Super Admin access required",
    )
