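"""HTTP endpoints for authentication and user administration.

Every handler delegates to the shared auth service and maps the exceptions
it raises onto HTTP status codes: ``PermissionError`` becomes 403 and
``ValueError`` becomes 400 (401 on the login route).
"""
from __future__ import annotations

from flask import Blueprint, jsonify, request

from app.services.auth import get_auth_service
from app.utils.serialization import to_plain

auth_blueprint = Blueprint("auth", __name__)
service = get_auth_service()


def _json_payload() -> dict:
    """Return the request's JSON body as a dict, or ``{}`` if it is not an object.

    ``request.get_json(silent=True)`` yields ``None`` for a missing or
    malformed body, but returns lists, strings and numbers unchanged when the
    client sends valid non-object JSON. Calling ``.get`` on those would raise
    ``AttributeError`` and surface as a 500, so anything that is not a dict is
    treated as an empty body. Field values are not type-checked here.
    """
    payload = request.get_json(silent=True)
    return payload if isinstance(payload, dict) else {}


def _user_summary(user) -> dict:
    """Return the four user fields exposed by the admin endpoints."""
    return {
        "username": user.username,
        "display_name": user.display_name,
        "role": user.role,
        "is_active": user.is_active,
    }


@auth_blueprint.get("/auth/status")
def auth_status():
    """Return the auth service's current status as JSON."""
    return jsonify(to_plain(service.status()))


@auth_blueprint.post("/auth/login")
def auth_login():
    """Log in with the ``username`` and ``password`` from the JSON body.

    Returns the service's status on success and 401 with the error text when
    the service raises ``ValueError``.
    """
    payload = _json_payload()
    try:
        status = service.login(payload.get("username", ""), payload.get("password", ""))
        return jsonify(to_plain(status))
    except ValueError as exc:
        # NOTE(review): the exception text is returned to the client verbatim;
        # confirm service.login uses one message for an unknown username and a
        # wrong password so the response does not distinguish the two.
        return jsonify({"detail": str(exc)}), 401


@auth_blueprint.post("/auth/logout")
def auth_logout():
    """Log out and return the service's resulting status as JSON."""
    return jsonify(to_plain(service.logout()))


@auth_blueprint.get("/auth/users")
def list_users():
    """List users; 403 when ``service.require_admin()`` raises ``PermissionError``."""
    try:
        # The admin check runs before any user data is read.
        service.require_admin()
        return jsonify(to_plain({"items": service.list_users()}))
    except PermissionError as exc:
        return jsonify({"detail": str(exc)}), 403


@auth_blueprint.post("/auth/users")
def create_user():
    """Create a user from the JSON body and return its public fields.

    ``role`` defaults to ``"user"``; ``display_name`` falls back to the
    username. Responds 403 on ``PermissionError`` and 400 on ``ValueError``.
    """
    payload = _json_payload()
    try:
        # The admin check runs before the account is created.
        service.require_admin()
        user = service.create_user(
            username=payload.get("username", ""),
            password=payload.get("password", ""),
            role=payload.get("role", "user"),
            display_name=payload.get("display_name") or payload.get("username") or "",
        )
        return jsonify(to_plain(_user_summary(user)))
    except PermissionError as exc:
        return jsonify({"detail": str(exc)}), 403
    except ValueError as exc:
        return jsonify({"detail": str(exc)}), 400


# The rule needs the <username> variable: the view takes ``username`` as an
# argument, and a rule without it would call the view with no arguments.
@auth_blueprint.post("/auth/users/<username>/reset-password")
def reset_password(username: str):
    """Set a new password for ``username`` and return the user's public fields.

    The new password is read from the ``password`` key of the JSON body.
    Responds 403 on ``PermissionError`` and 400 on ``ValueError``.
    """
    payload = _json_payload()
    try:
        # The admin check runs before the password is changed.
        service.require_admin()
        user = service.reset_password(
            username=username,
            new_password=payload.get("password", ""),
        )
        return jsonify(to_plain(_user_summary(user)))
    except PermissionError as exc:
        return jsonify({"detail": str(exc)}), 403
    except ValueError as exc:
        return jsonify({"detail": str(exc)}), 400


# As above, the rule must bind <username> for the view's argument.
@auth_blueprint.put("/auth/users/<username>/role")
def update_user_role(username: str):
    """Change the role of ``username`` and return the user's public fields.

    Responds 403 on ``PermissionError`` and 400 on ``ValueError``.
    """
    payload = _json_payload()
    try:
        # The admin check runs before the role is changed.
        service.require_admin()
        # NOTE(review): a body without "role" falls back to "user", so an empty
        # or malformed request demotes the target account; confirm that this
        # default is intended rather than rejecting the request.
        user = service.update_role(username=username, role=payload.get("role", "user"))
        return jsonify(to_plain(_user_summary(user)))
    except PermissionError as exc:
        return jsonify({"detail": str(exc)}), 403
    except ValueError as exc:
        return jsonify({"detail": str(exc)}), 400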