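"""Authentication endpoints."""

import hmac
from typing import Any, Dict

from fastapi import APIRouter, HTTPException, status
from pydantic import BaseModel

from app.core.auth import issue_access_token
from app.core.config import get_settings

router = APIRouter(prefix="/auth", tags=["auth"])
settings = get_settings()


class LoginRequest(BaseModel):
    """Request body for the admin login endpoint."""

    username: str
    password: str


def _constant_time_equals(supplied: Any, expected: Any) -> bool:
    """Compare two strings without leaking the mismatch position via timing.

    A plain ``==`` / ``!=`` on strings stops at the first differing
    character, so response time can reveal how much of a guess was correct.
    ``hmac.compare_digest`` takes time independent of the contents. Both
    sides are encoded to bytes because ``compare_digest`` rejects non-ASCII
    ``str`` arguments.

    Non-string values never match, which is the same outcome the previous
    ``!=`` comparison gave for a configured value that is not a ``str``.
    """
    if not isinstance(supplied, str) or not isinstance(expected, str):
        return False
    return hmac.compare_digest(
        supplied.encode("utf-8"), expected.encode("utf-8")
    )


@router.post(
    "/admin-login",
    summary="Admin Login",
    description="Login for standalone app administration.",
)
async def admin_login(request: LoginRequest) -> Dict[str, Any]:
    """Authenticate an app admin and issue a JWT token.

    Args:
        request: Username and password submitted by the caller.

    Returns:
        A dict with ``access_token``, ``token_type`` ("bearer") and
        ``role`` ("system_admin").

    Raises:
        HTTPException: 403 when ``settings.ENABLE_ADMIN`` is falsy, 500 when
            the admin username or password is not configured, 401 when the
            submitted credentials do not match the configured ones.
    """
    if not settings.ENABLE_ADMIN:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Admin functionality is disabled.",
        )

    # Fail closed: an empty configured username or password must never be
    # something a caller can match.
    if not settings.ADMIN_USERNAME or not settings.ADMIN_PASSWORD:
        raise HTTPException(
            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
            detail="Admin credentials not configured.",
        )

    # Evaluate both comparisons unconditionally (no short-circuit) so the
    # response time does not depend on which field was wrong, and return the
    # same generic error for either mismatch.
    # NOTE(review): the password is compared against a plaintext value from
    # settings; storing a password hash instead would limit the impact of a
    # configuration leak.
    # NOTE(review): no rate limiting or lockout is visible in this module;
    # confirm that repeated failed attempts are throttled elsewhere.
    username_ok = _constant_time_equals(
        request.username, settings.ADMIN_USERNAME
    )
    password_ok = _constant_time_equals(
        request.password, settings.ADMIN_PASSWORD
    )
    if not (username_ok and password_ok):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
        )

    # NOTE(review): a 7-day bearer token for the system_admin role is a long
    # exposure window if the token leaks; consider a shorter lifetime unless
    # revocation is handled elsewhere.
    token = issue_access_token(
        website_id=None,
        role="system_admin",
        expires_in_seconds=86400 * 7,  # 7 days
    )

    return {
        "access_token": token,
        "token_type": "bearer",
        "role": "system_admin",
    }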