"""Auth capture API — remote browser for manual login + credential extraction."""
from __future__ import annotations

import logging
from typing import Any, Optional

from fastapi import APIRouter, Depends, HTTPException, Query
from pydantic import BaseModel, Field
from sqlalchemy.orm import Session

from app.database import get_db
from app.services.auth_capture_service import extract_all
from app.services.browser_import_service import (
    ImportSessionError,
    browser_imports,
    build_import_result,
)
from app.services.browser_session_service import (
    BrowserDependencyError,
    BrowserSessionError,
    browser_sessions,
)
from app.utils.auth import get_current_user, get_user_from_token_param

logger = logging.getLogger(__name__)

router = APIRouter(prefix="/api/auth-capture", tags=["auth-capture"])

SENSITIVE_CANDIDATE_FIELDS = frozenset({"value", "cookie_value"})


class CaptureSessionCreate(BaseModel):
    url: str = Field(..., description="Target login page URL to open in browser")
    width: int = Field(default=1280, ge=320, le=2560)
    height: int = Field(default=720, ge=240, le=1600)


class CaptureSessionResponse(BaseModel):
    session_id: str
    ws_url: str


class CaptureExtractResponse(BaseModel):
    cookies: list[dict] = []
    storage: dict[str, str] = {}
    session_storage: dict[str, str] = {}
    auth_headers: list[dict] = []
    candidates: list[dict] = []


class ImportSessionCreate(BaseModel):
    target_url: str = Field(..., description="Target page URL opened in the user's real browser")


class ImportSessionCreateResponse(BaseModel):
    session_id: str
    secret: str
    expires_in_seconds: int


class ImportSessionStatusResponse(BaseModel):
    session_id: str
    ready: bool = False
    expires_at: float
    result: Optional[CaptureExtractResponse] = None


class ImportSessionSubmit(BaseModel):
    secret: str
    page_url: str = ""
    cookies: list[dict] = []
    local_storage: dict[str, Any] = {}
    session_storage: dict[str, Any] = {}
    auth_headers: list[dict] = []


def _sanitize_candidate(candidate: dict[str, Any]) -> dict[str, Any]:
    return {
        key: value
        for key, value in candidate.items()
        if key not in SENSITIVE_CANDIDATE_FIELDS
    }


def _browser_error(exc: Exception) -> HTTPException:
    if isinstance(exc, BrowserDependencyError):
        return HTTPException(503, str(exc))
    if isinstance(exc, BrowserSessionError):
        return HTTPException(409, str(exc))
    if isinstance(exc, KeyError):
        return HTTPException(404, "session not found")
    if isinstance(exc, ValueError):
        return HTTPException(400, str(exc))
    logger.exception("auth-capture error")
    return HTTPException(500, "internal error")


def _ws_url(session_id: str, token: str) -> str:
    """Build WebSocket URL for the remote browser viewer."""
    return f"/api/browser-sessions/{session_id}/ws?token={token}"


@router.post("/sessions", response_model=CaptureSessionResponse, status_code=201)
async def create_capture_session(
    body: CaptureSessionCreate,
    _=Depends(get_current_user),
):
    """Create a temporary browser session pointing at the given URL.

    Returns a session_id and ws_url for the frontend to view/interact.
    The user should manually log in, then call GET /extract.
    """
    try:
        session = await browser_sessions.create_ephemeral(
            url=body.url,
            width=body.width,
            height=body.height,
        )
    except Exception as exc:
        raise _browser_error(exc)

    # Build a short-lived token for WS auth (reuse current user's token logic)
    # The frontend already has the user's Bearer token, pass it via query param
    return CaptureSessionResponse(
        session_id=session.id,
        ws_url=f"/api/browser-sessions/{session.id}/ws",
    )


@router.get("/sessions/{session_id}/extract", response_model=CaptureExtractResponse)
async def extract_credentials(
    session_id: str,
    include_raw: bool = Query(default=False, description="Include full cookies/storage/headers in response"),
    _=Depends(get_current_user),
):
    """Extract auth credentials from the browser session.

    By default only returns curated candidates (typed, scored, with masked preview).
    Pass include_raw=true to also get full cookies, localStorage, and headers.
    """
    try:
        session = browser_sessions.get_session(session_id)
    except KeyError:
        raise HTTPException(404, "session not found")

    try:
        result = await extract_all(session)
    except Exception as exc:
        raise _browser_error(exc)

    if not include_raw:
        # Strip raw data — only keep curated candidates with masked previews
        candidates = [_sanitize_candidate(candidate) for candidate in result.get("candidates", [])]
        return CaptureExtractResponse(candidates=candidates)
    return CaptureExtractResponse(**result)


@router.delete("/sessions/{session_id}", status_code=204)
async def close_capture_session(
    session_id: str,
    _=Depends(get_current_user),
):
    """Close and release the auth-capture browser session."""
    try:
        await browser_sessions.close(session_id)
    except Exception as exc:
        raise _browser_error(exc)


@router.post("/import-sessions", response_model=ImportSessionCreateResponse, status_code=201)
async def create_import_session(
    body: ImportSessionCreate,
    user=Depends(get_current_user),
):
    """Create a one-time real-browser import session.

    The returned secret is intended for the local browser extension only.
    """
    target_url = body.target_url.strip()
    if not target_url.startswith(("http://", "https://")):
        raise HTTPException(400, "Only http/https URLs are allowed")
    session, secret = browser_imports.create(target_url=target_url, created_by=user.email)
    return ImportSessionCreateResponse(
        session_id=session.id,
        secret=secret,
        expires_in_seconds=600,
    )


@router.get("/import-sessions/{session_id}", response_model=ImportSessionStatusResponse)
async def get_import_session(
    session_id: str,
    include_raw: bool = Query(default=False),
    user=Depends(get_current_user),
):
    try:
        session = browser_imports.get(session_id, created_by=user.email)
    except ImportSessionError as exc:
        raise HTTPException(404, str(exc))

    result = None
    if session.payload is not None:
        full_result = build_import_result(session.payload)
        if not include_raw:
            candidates = [_sanitize_candidate(candidate) for candidate in full_result.get("candidates", [])]
            result = CaptureExtractResponse(candidates=candidates)
        else:
            result = CaptureExtractResponse(**full_result)
    return ImportSessionStatusResponse(
        session_id=session.id,
        ready=session.payload is not None,
        expires_at=session.expires_at,
        result=result,
    )


@router.post("/import-sessions/{session_id}/submit", status_code=204)
async def submit_import_session(
    session_id: str,
    body: ImportSessionSubmit,
):
    try:
        browser_imports.submit(
            session_id=session_id,
            secret=body.secret,
            payload=body.model_dump(exclude={"secret"}),
        )
    except ImportSessionError as exc:
        raise HTTPException(400, str(exc))