from fastapi import APIRouter, Depends, HTTPException, Request, Response
from sqlmodel import Session

from core.database import get_session
from core.settings import PANEL_ACCESS_PASSWORD
from schemas.system import PanelLoginRequest
from services.platform_auth_service import (
    clear_panel_token_cookie,
    create_panel_token,
    resolve_panel_request_auth,
    revoke_panel_token,
    set_panel_token_cookie,
)

router = APIRouter()


@router.get("/api/panel/auth/status")
def get_panel_auth_status(request: Request, session: Session = Depends(get_session)):
    configured = str(PANEL_ACCESS_PASSWORD or "").strip()
    principal = resolve_panel_request_auth(session, request)
    return {
        "enabled": bool(configured),
        "authenticated": bool(principal.authenticated),
        "auth_source": principal.auth_source if principal.authenticated else None,
    }


@router.post("/api/panel/auth/login")
def panel_login(
    payload: PanelLoginRequest,
    request: Request,
    response: Response,
    session: Session = Depends(get_session),
):
    configured = str(PANEL_ACCESS_PASSWORD or "").strip()
    if not configured:
        clear_panel_token_cookie(response)
        return {"success": True, "enabled": False}
    supplied = str(payload.password or "").strip()
    if supplied != configured:
        raise HTTPException(status_code=401, detail="Invalid panel access password")
    try:
        raw_token = create_panel_token(session, request)
    except RuntimeError as exc:
        raise HTTPException(status_code=503, detail=str(exc)) from exc
    set_panel_token_cookie(response, request, raw_token, session)
    return {"success": True, "enabled": True, "authenticated": True}


@router.post("/api/panel/auth/logout")
def panel_logout(request: Request, response: Response, session: Session = Depends(get_session)):
    revoke_panel_token(session, request)
    clear_panel_token_cookie(response)
    return {"success": True}