from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.core.auth import hash_password, verify_password, create_access_token
from app.core.deps import get_current_user
from app.db.database import get_db
from app.db.models import User
from app.schemas.auth import LoginRequest, RegisterRequest, ChangePasswordRequest
from app.schemas.user import TokenResponse, UserOut
from app.services.roster_service import validate_registration

router = APIRouter(prefix="/api/auth", tags=["auth"])


@router.post("/register")
async def register(req: RegisterRequest, db: AsyncSession = Depends(get_db)):
    # 1. Check if email is already registered
    existing = await db.execute(select(User).where(User.email == req.email))
    if existing.scalar_one_or_none():
        raise HTTPException(status_code=400, detail="该邮箱已注册")

    # 2. Validate invite_code + student_id against roster
    roster_entry = await validate_registration(db, req.invite_code, req.student_id)
    if roster_entry is None:
        raise HTTPException(
            status_code=400, detail="邀请码或学号无效，或该学号已注册"
        )

    # 3. Create user with approved status directly
    user = User(
        email=req.email,
        password_hash=hash_password(req.password),
        name=req.name,
        student_id=req.student_id,
        role="student",
        status="approved",
        class_id=roster_entry.class_id,
    )
    db.add(user)
    await db.flush()

    # 4. Mark roster entry as registered
    roster_entry.status = "registered"
    roster_entry.user_id = user.id
    await db.commit()

    # 5. Issue token — register and login in one step
    token = create_access_token({"sub": str(user.id), "role": user.role})
    return {
        "message": "注册成功",
        "token": token,
        "user": UserOut.model_validate(user),
    }


@router.post("/login", response_model=TokenResponse)
async def login(req: LoginRequest, db: AsyncSession = Depends(get_db)):
    result = await db.execute(select(User).where(User.email == req.email))
    user = result.scalar_one_or_none()

    if user is None:
        raise HTTPException(status_code=401, detail="邮箱或密码错误")

    if user.status == "disabled":
        raise HTTPException(status_code=401, detail="账号已被禁用")

    if not verify_password(req.password, user.password_hash):
        raise HTTPException(status_code=401, detail="邮箱或密码错误")

    token = create_access_token({"sub": str(user.id), "role": user.role})
    return TokenResponse(
        token=token,
        user=UserOut.model_validate(user),
    )


@router.get("/me", response_model=UserOut)
async def get_me(user: User = Depends(get_current_user), db: AsyncSession = Depends(get_db)):
    user_out = UserOut.model_validate(user)

    # Attach enabled_modules from user's class
    if user.class_id:
        from app.db.models import Class_
        from sqlalchemy import select

        result = await db.execute(select(Class_).where(Class_.id == user.class_id))
        class_ = result.scalar_one_or_none()
        if class_:
            user_out.enabled_modules = class_.get_enabled_modules()

    return user_out


@router.put("/change-password")
async def change_password(
    req: ChangePasswordRequest,
    user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    if not verify_password(req.old_password, user.password_hash):
        raise HTTPException(status_code=400, detail="Old password is incorrect")
    user.password_hash = hash_password(req.new_password)
    await db.commit()
    return {"message": "Password changed successfully"}