import logging
import re
import secrets
import uuid
from datetime import datetime, timedelta

from fastapi import APIRouter, Depends, HTTPException, Request
from fastapi.security import OAuth2PasswordRequestForm
from pydantic import BaseModel
from sqlalchemy.orm import Session

from core.auth import (
  create_access_token, create_refresh_token,
  decode_refresh_token, hash_password, verify_password,
)
from core.database import get_db
from core.dependencies import get_current_user, limiter
from services.email_utils import send_password_reset_email, send_verification_email
from core.models import User as UserModel

logger = logging.getLogger("app")

router = APIRouter()

try:
  from disposable_email_domains import blocklist as _disposable_blocklist
except ImportError:
  _disposable_blocklist: set[str] = set()


class RegisterRequest(BaseModel):
  username: str
  email: str
  password: str

class ForgotPasswordRequest(BaseModel):
  email: str

class ResetPasswordWithTokenRequest(BaseModel):
  token: str
  new_password: str

class ResetPasswordRequest(BaseModel):
  current_password: str
  new_password: str

class ResendVerificationRequest(BaseModel):
  email: str

class RefreshRequest(BaseModel):
  refresh_token: str


def validate_register(username: str, email: str, password: str) -> str | None:
  if not username.strip():
    return "Username is required"
  if len(username) < 2:
    return "Username must be at least 2 characters"
  if len(username) > 16:
    return "Username must be 16 characters or fewer"
  if not re.match(r"^[^\s@]+@[^\s@]+\.[^\s@]+$", email):
    return "Please enter a valid email"
  domain = email.split("@")[-1].lower()
  if domain in _disposable_blocklist:
    return "Disposable email addresses are not allowed"
  if len(password) < 8:
    return "Password must be at least 8 characters"
  if len(password) > 256:
    return "Password must be 256 characters or fewer"
  return None


@router.post("/register")
@limiter.limit("5/minute")
def register(request: Request, req: RegisterRequest, db: Session = Depends(get_db)):
  err = validate_register(req.username, req.email, req.password)
  if err:
    raise HTTPException(status_code=400, detail=err)
  if db.query(UserModel).filter(UserModel.username.ilike(req.username)).first():
    raise HTTPException(status_code=400, detail="Username already taken")
  if db.query(UserModel).filter(UserModel.email == req.email).first():
    raise HTTPException(status_code=400, detail="Email already registered")
  verification_token = secrets.token_urlsafe(32)
  user = UserModel(
    id=uuid.uuid4(),
    username=req.username,
    email=req.email,
    password_hash=hash_password(req.password),
    email_verified=False,
    email_verification_token=verification_token,
    email_verification_token_expires_at=datetime.now() + timedelta(hours=24),
  )
  db.add(user)
  db.commit()
  try:
    send_verification_email(req.email, req.username, verification_token)
  except Exception as e:
    logger.error(f"Failed to send verification email: {e}")
    raise HTTPException(
      status_code=500,
      detail="Account created but we couldn't send the verification email. Please use 'Resend verification' to try again."
    )
  return {"message": "Account created. Please check your email to verify your account."}


@router.post("/login")
@limiter.limit("10/minute")
def login(request: Request, form: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
  user = db.query(UserModel).filter(UserModel.username.ilike(form.username)).first()
  if not user or not verify_password(form.password, user.password_hash):
    raise HTTPException(status_code=400, detail="Invalid username or password")
  user.last_active_at = datetime.now()
  db.commit()
  return {
    "access_token": create_access_token(str(user.id)),
    "refresh_token": create_refresh_token(str(user.id)),
    "token_type": "bearer",
  }


@router.post("/auth/reset-password")
@limiter.limit("5/minute")
def reset_password(request: Request, req: ResetPasswordRequest, user: UserModel = Depends(get_current_user), db: Session = Depends(get_db)):
  if not verify_password(req.current_password, user.password_hash):
    raise HTTPException(status_code=400, detail="Current password is incorrect")
  if len(req.new_password) < 8:
    raise HTTPException(status_code=400, detail="Password must be at least 8 characters")
  if len(req.new_password) > 256:
    raise HTTPException(status_code=400, detail="Password must be 256 characters or fewer")
  if req.current_password == req.new_password:
    raise HTTPException(status_code=400, detail="New password must be different from current password")
  user.password_hash = hash_password(req.new_password)
  db.commit()
  return {"message": "Password updated"}


@router.post("/auth/forgot-password")
@limiter.limit("5/minute")
def forgot_password(request: Request, req: ForgotPasswordRequest, db: Session = Depends(get_db)):
  user = db.query(UserModel).filter(UserModel.email == req.email).first()
  # Always return success even if email not found. Prevents user enumeration
  if user:
    token = secrets.token_urlsafe(32)
    user.reset_token = token
    user.reset_token_expires_at = datetime.now() + timedelta(hours=1)
    db.commit()
    try:
      send_password_reset_email(user.email, user.username, token)
    except Exception as e:
      logger.error(f"Failed to send reset email: {e}")
      raise HTTPException(
        status_code=500,
        detail="Failed to send the password reset email. Please try again later."
      )
  return {"message": "If that email is registered you will receive a reset link shortly"}


@router.post("/auth/reset-password-with-token")
@limiter.limit("5/minute")
def reset_password_with_token(request: Request, req: ResetPasswordWithTokenRequest, db: Session = Depends(get_db)):
  user = db.query(UserModel).filter(UserModel.reset_token == req.token).first()
  if not user or not user.reset_token_expires_at or user.reset_token_expires_at < datetime.now():
    raise HTTPException(status_code=400, detail="Invalid or expired reset link")
  if len(req.new_password) < 8:
    raise HTTPException(status_code=400, detail="Password must be at least 8 characters")
  if len(req.new_password) > 256:
    raise HTTPException(status_code=400, detail="Password must be 256 characters or fewer")
  user.password_hash = hash_password(req.new_password)
  user.reset_token = None
  user.reset_token_expires_at = None
  db.commit()
  return {"message": "Password updated"}


@router.get("/auth/verify-email")
@limiter.limit("10/minute")
def verify_email(request: Request, token: str, db: Session = Depends(get_db)):
  user = db.query(UserModel).filter(UserModel.email_verification_token == token).first()
  if not user or not user.email_verification_token_expires_at or user.email_verification_token_expires_at < datetime.now():
    raise HTTPException(status_code=400, detail="Invalid or expired verification link")
  user.email_verified = True
  user.email_verification_token = None
  user.email_verification_token_expires_at = None
  db.commit()
  return {"message": "Email verified"}


@router.post("/auth/resend-verification")
@limiter.limit("5/minute")
def resend_verification(request: Request, req: ResendVerificationRequest, db: Session = Depends(get_db)):
  user = db.query(UserModel).filter(UserModel.email == req.email).first()
  # Always return success to prevent user enumeration
  if user and not user.email_verified:
    token = secrets.token_urlsafe(32)
    user.email_verification_token = token
    user.email_verification_token_expires_at = datetime.now() + timedelta(hours=24)
    db.commit()
    try:
      send_verification_email(user.email, user.username, token)
    except Exception as e:
      logger.error(f"Failed to resend verification email: {e}")
      raise HTTPException(
        status_code=500,
        detail="Failed to send the verification email. Please try again later."
      )
  return {"message": "If that email is registered and unverified, you will receive a new verification link shortly"}


@router.post("/auth/refresh")
@limiter.limit("20/minute")
def refresh(request: Request, req: RefreshRequest, db: Session = Depends(get_db)):
  user_id = decode_refresh_token(req.refresh_token)
  if not user_id:
    raise HTTPException(status_code=401, detail="Invalid or expired refresh token")
  user = db.query(UserModel).filter(UserModel.id == uuid.UUID(user_id)).first()
  if not user:
    raise HTTPException(status_code=401, detail="User not found")
  user.last_active_at = datetime.now()
  db.commit()
  return {
    "access_token": create_access_token(str(user.id)),
    "refresh_token": create_refresh_token(str(user.id)),
    "token_type": "bearer",
  }