from flask import (Blueprint, render_template, request,
                   redirect, url_for, session, flash)
import bcrypt
from datetime import timedelta
from ..db import get_user_by_username, update_last_login, log_action
from ..config import ROLE_ADMIN, ROLE_DBA, ROLE_CLIENT

# Blueprint named "auth"; the login and logout views below are registered on
# it, and url_for("auth.login") resolves against this name.
auth_bp = Blueprint("auth", __name__)

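@auth_bp.route("/", methods=["GET", "POST"])
@auth_bp.route("/login", methods=["GET", "POST"])
def login():
    """Render the login form and authenticate a submitted username/password.

    A request whose session already carries a known ``role_id`` is redirected
    straight to that role's dashboard. On POST the credentials are verified
    first; the role-mismatch and inactive-account messages are only returned
    once the password has been proven, so an unauthenticated caller always
    gets the same generic error and cannot probe which usernames exist, which
    role they hold, or whether they are disabled.

    Returns:
        A redirect to the role dashboard on success, otherwise the rendered
        ``auth/login.html`` template with ``error`` and ``prev_role``.
    """
    rid = session.get("role_id")
    if rid == ROLE_ADMIN:
        return redirect(url_for("admin.dashboard"))
    if rid == ROLE_DBA:
        return redirect(url_for("dba.dashboard"))
    if rid == ROLE_CLIENT:
        return redirect(url_for("client.dashboard"))

    error = None
    if request.method == "POST":
        username = request.form.get("username", "").strip()
        # NOTE(review): stripping alters the submitted credential; kept so
        # existing logins keep working -- confirm it matches how passwords
        # are stored at registration/reset time.
        password = request.form.get("password", "").strip()
        try:
            selected_role = int(request.form.get("role_id", ROLE_CLIENT))
        except ValueError:
            selected_role = ROLE_CLIENT

        user = get_user_by_username(username)

        # Verify the password before looking at any other account attribute.
        # bcrypt raises ValueError for a malformed stored hash (and, depending
        # on the library version, for unusable password input); that is
        # treated as a failed login instead of surfacing as a 500.
        password_ok = False
        try:
            if user:
                stored_hash = user["password_hash"] or ""
                password_ok = bcrypt.checkpw(password.encode(),
                                             stored_hash.encode())
            else:
                # Do comparable hashing work for unknown usernames so that
                # response time does not reveal whether the account exists.
                bcrypt.hashpw(password.encode(), bcrypt.gensalt())
        except ValueError:
            password_ok = False

        # NOTE(review): no attempt throttling or failed-login audit entry is
        # visible in this view -- confirm both are handled elsewhere.
        if not password_ok:
            error = "Invalid username or password."
        elif user["role_id"] != selected_role:
            error = "Role does not match this account."
        elif not user["is_active"]:
            error = "Your account is inactive. Contact administrator."
        else:
            # Permanent sessions expire according to the application's
            # PERMANENT_SESSION_LIFETIME setting rather than at browser close.
            session.permanent = True
            session["user_id"] = user["id"]
            session["user_name"] = user["full_name"]
            # The role stored in the session always comes from the database
            # record, never from the role_id submitted in the form.
            session["role_id"] = user["role_id"]

            if user["role_id"] == ROLE_CLIENT:
                session["ssrs_folder"] = user.get("ssrs_folder", "")
                session["client_db"] = user.get("client_db") or None

            update_last_login(user["id"])
            # NOTE(review): remote_addr is the direct peer; behind a reverse
            # proxy this records the proxy address -- confirm deployment.
            log_action(user["id"], "LOGIN", ip=request.remote_addr)

            if user["role_id"] == ROLE_ADMIN:
                return redirect(url_for("admin.dashboard"))
            if user["role_id"] == ROLE_DBA:
                return redirect(url_for("dba.dashboard"))
            return redirect(url_for("client.dashboard"))

    # NOTE(review): the "3" default presumably mirrors ROLE_CLIENT -- confirm.
    return render_template("auth/login.html",
                           error=error,
                           prev_role=request.form.get("role_id", "3"))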


@auth_bp.route("/logout")
def logout():
    """End the current session and send the browser back to the login page.

    A LOGOUT audit entry is written only when the session holds a truthy
    ``user_id``; the session is cleared in every case.
    """
    current_user_id = session.get("user_id")
    if current_user_id:
        # Record the logout before the session data is discarded.
        log_action(current_user_id, "LOGOUT", ip=request.remote_addr)

    session.clear()
    login_url = url_for("auth.login")
    return redirect(login_url)