"""认证路由"""
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordRequestForm
from app.auth import (
    authenticate_user, create_access_token, get_password_hash,
    get_current_user, User, UserCreate, PasswordChange, Token,
    get_users_db, verify_password,
)

router = APIRouter()


@router.post("/login", response_model=Token)
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    """用户登录，获取 JWT Token"""
    user = authenticate_user(form_data.username, form_data.password)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="用户名或密码错误",
            headers={"WWW-Authenticate": "Bearer"},
        )
    access_token = create_access_token(data={"sub": user["username"], "role": user["role"]})
    return Token(
        access_token=access_token,
        username=user["username"],
        role=user["role"],
    )


@router.get("/me", response_model=User)
async def get_me(current_user: User = Depends(get_current_user)):
    """获取当前用户信息"""
    return current_user


@router.post("/change-password")
async def change_password(
    pwd: PasswordChange,
    current_user: User = Depends(get_current_user),
):
    """修改密码"""
    db = get_users_db()
    user = db.get(current_user.username)
    if not user:
        raise HTTPException(status_code=404, detail="用户不存在")
    if not verify_password(pwd.old_password, user["hashed_password"]):
        raise HTTPException(status_code=400, detail="旧密码错误")
    user["hashed_password"] = get_password_hash(pwd.new_password)
    return {"message": "密码修改成功"}


@router.post("/register")
async def register(user_create: UserCreate, current_user: User = Depends(get_current_user)):
    """注册新用户（仅管理员）"""
    if current_user.role != "admin":
        raise HTTPException(status_code=403, detail="仅管理员可注册新用户")

    db = get_users_db()
    if user_create.username in db:
        raise HTTPException(status_code=400, detail="用户名已存在")

    db[user_create.username] = {
        "username": user_create.username,
        "hashed_password": get_password_hash(user_create.password),
        "role": user_create.role,
    }
    return {"message": f"用户 '{user_create.username}' 创建成功"}


@router.get("/users")
async def list_users(current_user: User = Depends(get_current_user)):
    """列出所有用户（仅管理员）"""
    if current_user.role != "admin":
        raise HTTPException(status_code=403, detail="仅管理员可查看用户列表")
    db = get_users_db()
    return {
        "users": [
            {"username": u["username"], "role": u["role"]}
            for u in db.values()
        ]
    }


@router.delete("/users/{username}")
async def delete_user(username: str, current_user: User = Depends(get_current_user)):
    """删除用户（仅管理员，不能删除自己）"""
    if current_user.role != "admin":
        raise HTTPException(status_code=403, detail="仅管理员可删除用户")
    if username == current_user.username:
        raise HTTPException(status_code=400, detail="不能删除自己")
    db = get_users_db()
    if username not in db:
        raise HTTPException(status_code=404, detail="用户不存在")
    del db[username]
    return {"message": f"用户 '{username}' 已删除"}