"""通用依赖:获取当前用户、要求 owner。"""
from __future__ import annotations

from datetime import datetime, timezone

from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from jwt.exceptions import InvalidTokenError
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.core.security import decode_token, hash_api_token
from app.database import get_session
from app.models.api_token import ApiToken
from app.models.user import User, UserRole

_bearer = HTTPBearer(auto_error=False)


async def _resolve_user(
    creds: HTTPAuthorizationCredentials | None = Depends(_bearer),
    session: AsyncSession = Depends(get_session),
) -> User:
    if creds is None or not creds.credentials:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Missing credentials")

    token = creds.credentials

    # 1) 先试 API Token(sha256 比较)
    h = hash_api_token(token)
    result = await session.execute(
        select(ApiToken).where(ApiToken.token_hash == h, ApiToken.revoked_at.is_(None))
    )
    api_row = result.scalars().first()
    if api_row:
        if api_row.expires_at and api_row.expires_at < datetime.now(timezone.utc):
            raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Token expired")
        result = await session.execute(select(User).where(User.id == api_row.user_id))
        user = result.scalars().first()
        if user and user.is_active:
            api_row.last_used_at = datetime.now(timezone.utc)
            await session.commit()
            return user

    # 2) 试 JWT
    try:
        payload = decode_token(token)
        if payload.get("type") != "access":
            raise InvalidTokenError("wrong type")
        uid = int(payload["sub"])
    except (InvalidTokenError, KeyError, ValueError):
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid token")

    result = await session.execute(
        select(User).where(User.id == uid, User.is_active.is_(True))
    )
    user = result.scalars().first()
    if user is None:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found or inactive")
    return user


async def get_current_user(user: User = Depends(_resolve_user)) -> User:
    return user


async def require_owner(user: User = Depends(get_current_user)) -> User:
    if user.role != UserRole.OWNER:
        raise HTTPException(status.HTTP_403_FORBIDDEN, "Owner only")
    return user