"""
JWT Service
Centralizes local JWT creation and cookie helpers.
"""

from datetime import timedelta
from typing import Optional, Tuple
from fastapi import Response
from jose import jwt

from modules.shared.configuration import APP_CONFIG
from modules.shared.timezoneUtils import get_utc_now

# Config
SECRET_KEY = APP_CONFIG.get("APP_JWT_KEY_SECRET")
ALGORITHM = APP_CONFIG.get("Auth_ALGORITHM")
ACCESS_TOKEN_EXPIRE_MINUTES = int(APP_CONFIG.get("APP_TOKEN_EXPIRY"))
REFRESH_TOKEN_EXPIRE_DAYS = int(APP_CONFIG.get("APP_REFRESH_TOKEN_EXPIRY", "7"))

# Cookie security settings - use secure cookies only in production (HTTPS)
# In development (HTTP), secure=True would prevent cookies from being set/cleared properly
ENV_TYPE = APP_CONFIG.get("APP_ENV_TYPE", "dev")
USE_SECURE_COOKIES = ENV_TYPE in ["prod", "production"]


def createAccessToken(data: dict, expiresDelta: Optional[timedelta] = None) -> Tuple[str, "datetime"]:
    """Create a JWT access token and return (token, expiresAt)."""
    toEncode = data.copy()
    if "jti" not in toEncode or not toEncode.get("jti"):
        import uuid
        toEncode["jti"] = str(uuid.uuid4())

    expire = get_utc_now() + (expiresDelta if expiresDelta else timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES))
    toEncode.update({"exp": expire})
    encodedJwt = jwt.encode(toEncode, SECRET_KEY, algorithm=ALGORITHM)
    return encodedJwt, expire


def createRefreshToken(data: dict) -> Tuple[str, "datetime"]:
    """Create a JWT refresh token and return (token, expiresAt)."""
    toEncode = data.copy()
    if "jti" not in toEncode or not toEncode.get("jti"):
        import uuid
        toEncode["jti"] = str(uuid.uuid4())
    toEncode["type"] = "refresh"

    expire = get_utc_now() + timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS)
    toEncode.update({"exp": expire})
    encodedJwt = jwt.encode(toEncode, SECRET_KEY, algorithm=ALGORITHM)
    return encodedJwt, expire


def setAccessTokenCookie(response: Response, token: str, expiresDelta: Optional[timedelta] = None) -> None:
    """Set access token as httpOnly cookie."""
    maxAge = int(expiresDelta.total_seconds()) if expiresDelta else ACCESS_TOKEN_EXPIRE_MINUTES * 60
    response.set_cookie(
        key="auth_token",
        value=token,
        httponly=True,
        secure=USE_SECURE_COOKIES,  # Only secure in production (HTTPS)
        samesite="strict",
        path="/",
        max_age=maxAge
    )


def setRefreshTokenCookie(response: Response, token: str) -> None:
    """Set refresh token as httpOnly cookie."""
    response.set_cookie(
        key="refresh_token",
        value=token,
        httponly=True,
        secure=USE_SECURE_COOKIES,  # Only secure in production (HTTPS)
        samesite="strict",
        path="/",
        max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60
    )


def clearAccessTokenCookie(response: Response) -> None:
    """
    Clear access token cookie by setting it to expire immediately.
    Uses both raw header manipulation and FastAPI's delete_cookie for maximum browser compatibility.
    """
    # Primary method: Raw Set-Cookie header for guaranteed deletion
    response.headers.append(
        "Set-Cookie",
        f"auth_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict"
    )
    
    # Fallback: Also use FastAPI's built-in method
    response.delete_cookie(key="auth_token", path="/")


def clearRefreshTokenCookie(response: Response) -> None:
    """
    Clear refresh token cookie by setting it to expire immediately.
    Uses both raw header manipulation and FastAPI's delete_cookie for maximum browser compatibility.
    """
    # Primary method: Raw Set-Cookie header for guaranteed deletion
    response.headers.append(
        "Set-Cookie",
        f"refresh_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict"
    )
    
    # Fallback: Also use FastAPI's built-in method
    response.delete_cookie(key="refresh_token", path="/")