"""Authentication router."""
from fastapi import APIRouter, Depends, HTTPException, status
from sqlalchemy.orm import Session

from app.auth import verify_password, create_access_token, get_current_user, AdminUser
from app.config import settings
from app.database import get_db
from app.models.db_models import SystemSetting
from app.models.schemas import LoginRequest, TokenResponse
from app.services.audit_log import create_audit_log

router = APIRouter(prefix="/api/auth", tags=["auth"])


@router.post("/login", response_model=TokenResponse)
def login(req: LoginRequest, db: Session = Depends(get_db)):
    """Admin login endpoint."""
    if req.username != settings.ADMIN_USERNAME:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")

    # Get password hash from database
    setting = db.query(SystemSetting).filter(SystemSetting.key == "admin_password_hash").first()
    if not setting:
        raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Admin not initialized")

    if not verify_password(req.password, setting.value):
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")

    token = create_access_token(data={"sub": req.username})
    create_audit_log(db, action="login", resource_type="auth", operator=req.username)
    return TokenResponse(access_token=token, token_type="bearer")


@router.get("/me")
def get_me(user: AdminUser = Depends(get_current_user)):
    """Get current authenticated user."""
    return {"username": user.username}