"""
Auth API — endpoints for checking linked services and dev operations.

GET  /api/v1/auth/Discord/status?discord_id=Z
     Returns which services are linked for this Discord user.

POST /api/v1/auth/reset
     Wipes the auth store (dev only — requires ALLOW_AUTH_RESET=true).
"""

from __future__ import annotations

import logging

from fastapi import APIRouter, HTTPException

from src import auth_store
from src.config import get_config

logger = logging.getLogger("gateway.auth")

router = APIRouter(prefix="/api/v1/auth", tags=["auth"])


# ---------------------------------------------------------------------------
# GET /auth/status — get all linked services for a Discord user
# ---------------------------------------------------------------------------

@router.get("/Discord/status")
async def auth_status(discord_id: int):
    """
    Return all services linked to this Discord user with full details.

    Response:
        {
            "discord_id": 123456789,
            "linked_services": {
                "jellyfin": {
                    "external_user_id": "abc123",
                    "external_name": "Tim",
                    "linked_at": "2026-05-25T10:00:00",
                    "credentials": {
                        "token": "jwt...",
                        "url": "http://jellyfin:8096",
                        "user_id": "abc123"
                    }
                }
            }
        }
    """
    auths = auth_store.get_all_auths(discord_id)

    linked_services: dict[str, dict] = {}
    for auth in auths:
        svc_name = auth["service"]
        linked_services[svc_name] = {
            "external_user_id": auth["external_user_id"],
            "external_name": auth["external_name"],
            "linked_at": auth["linked_at"],
            "credentials": auth["credentials"],
        }

    return {
        "discord_id": discord_id,
        "linked_services": linked_services,
    }


# ---------------------------------------------------------------------------
# POST /auth/reset — wipe auth store (DEV ONLY)
# ---------------------------------------------------------------------------

@router.post("/reset")
async def reset_auth():
    """
    Reset the entire auth store — clears all user auth records.

    Only enabled when ALLOW_AUTH_RESET=true in the environment.
    Returns 403 in production.
    """
    if get_config("ALLOW_AUTH_RESET", "false").lower() != "true":
        raise HTTPException(
            status_code=403,
            detail="Auth reset is disabled. Set ALLOW_AUTH_RESET=true to enable (dev only).",
        )

    auth_store.reset_all()
    logger.warning("Auth store reset via API endpoint.")
    return {"status": "ok", "message": "Auth store cleared — all auth records removed."}