from authlib.integrations.starlette_client import OAuth
from starlette.responses import RedirectResponse
from fastapi import APIRouter, Request, Depends
from sqlalchemy.orm import Session
from .database import get_db
from .models import User
import os

oauth = OAuth()
oauth.register(
    name='google',
    client_id=os.getenv("GOOGLE_CLIENT_ID"),
    client_secret=os.getenv("GOOGLE_CLIENT_SECRET"),
    server_metadata_url='https://accounts.google.com/.well-known/openid-configuration',
    client_kwargs={'scope': 'openid email profile'}
)

router = APIRouter(prefix="/auth")

@router.get("/login")
async def login(request: Request):
    # This redirects the user to Google's login page
    redirect_uri = request.url_for('auth_callback')
    return await oauth.google.authorize_redirect(request, str(redirect_uri))

@router.get("/callback")
async def auth_callback(request: Request, db: Session = Depends(get_db)):
    # 1. Get the token and user info from Google
    token = await oauth.google.authorize_access_token(request)
    user_info = token.get('userinfo')
    
    if not user_info:
        return {"error": "Failed to fetch user info from Google"}

    # 2. Check if user already exists in our database
    user = db.query(User).filter(User.email == user_info['email']).first()

    if not user:
        # 3. If new user, create them with is_approved=False
        user = User(
            email=user_info['email'],
            full_name=user_info['name'],
            google_id=user_info['sub'],
            picture=user_info['picture'],
            is_approved=False, # Wait for admin approval
            is_superuser=False # Only you can manually change this in the DB later
        )
        db.add(user)
        db.commit()
        db.refresh(user)

    # 4. Save user info in the Session
    request.session['user'] = {
        "email": user.email,
        "name": user.full_name,
        "is_approved": user.is_approved
    }

    # 5. Redirect to the home page or a "Waiting for Approval" page
    # return {"message": "Logged in!", "approved": user.is_approved}
    return RedirectResponse(url="/")

@router.get("/logout")
async def logout(request: Request):
    request.session.pop('user', None)
    # return {"message": "Logged out"}
    return RedirectResponse(url="/")


# app/auth.py (Add these to your auth router)

@router.get("/status")
async def get_status(request: Request, db: Session = Depends(get_db)):
    user_session = request.session.get('user')
    if not user_session:
        return {"logged_in": False}
    
    # Re-check DB for the latest approval status
    user = db.query(User).filter(User.email == user_session['email']).first()
    return {
        "logged_in": True,
        "name": user.full_name,
        "picture": user.picture,
        "is_approved": user.is_approved,
        "is_superuser": user.is_superuser
    }

@router.get("/admin/users")
async def list_users(db: Session = Depends(get_db)):
    # Fetch all users from the database
    return db.query(User).all()

@router.post("/admin/approve/{user_id}")
async def approve_user(user_id: int, db: Session = Depends(get_db)):
    user = db.query(User).filter(User.id == user_id).first()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    
    user.is_approved = True # Set the gate to open
    db.commit()
    return {"status": "success"}


@router.post("/admin/toggle-admin/{user_id}")
async def toggle_admin(user_id: int, db: Session = Depends(get_db)):
    user = db.query(User).filter(User.id == user_id).first()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    
    # Flip the status
    user.is_superuser = not user.is_superuser
    db.commit()
    return {"status": "success", "is_superuser": user.is_superuser}