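# app/api/v1/vendor/auth.py
"""
Vendor team authentication endpoints.

This module provides:
- Vendor team member login
- Vendor owner login
- Vendor-scoped authentication
"""

import logging

from fastapi import APIRouter, Depends, Request
from sqlalchemy.orm import Session

from app.core.database import get_db
from app.services.auth_service import auth_service
from app.exceptions import InvalidCredentialsException
from middleware.vendor_context import get_current_vendor
from models.schema.auth import LoginResponse, UserLogin
from models.database.vendor import Vendor

router = APIRouter()
logger = logging.getLogger(__name__)


def _user_belongs_to_vendor(user, vendor: Vendor) -> bool:
    """Return True if ``user`` owns ``vendor`` or holds an active membership in it.

    Ownership is matched on ``vendor.id`` against ``user.owned_vendors``.
    Membership additionally requires ``is_active`` on the membership row, so
    a deactivated team member is refused even though the row still exists.
    """
    is_owner = any(owned.id == vendor.id for owned in user.owned_vendors)
    is_active_member = any(
        membership.vendor_id == vendor.id and membership.is_active
        for membership in user.vendor_memberships
    )
    return is_owner or is_active_member


@router.post("/login", response_model=LoginResponse)
def vendor_login(
    user_credentials: UserLogin,
    request: Request,
    db: Session = Depends(get_db),
) -> LoginResponse:
    """
    Vendor team member login.

    Authenticates the caller through ``auth_service.login_user`` and then
    applies two authorization checks on top of the authenticated user:

    1. Accounts with ``role == "admin"`` are refused here and told to use
       the admin portal.
    2. If a vendor context can be resolved from the request
       (``get_current_vendor``), the user must own that vendor or hold an
       active membership in it.

    Order matters: ``login_user`` runs *before* either check, so any side
    effects it has (it already returns minted ``token_data``; presumably it
    also records the login -- confirm in auth_service) have happened by the
    time a refusal is raised. The minted token is simply never returned.

    NOTE(review): when no vendor context is present the membership check is
    skipped entirely and any non-admin account receives a token from this
    endpoint. Nothing in this module narrows that token to a vendor; confirm
    that ``login_user`` scopes it, or that this router is only reachable
    behind the vendor-context middleware.

    Raises:
        InvalidCredentialsException: for admin accounts, and for users that
            are neither owner nor active member of the resolved vendor. The
            same exception type is reused for the authorization failure
            (a 403 might be more precise) so callers see one error shape.
    """
    login_result = auth_service.login_user(db=db, user_credentials=user_credentials)
    user = login_result["user"]

    # Admin accounts must not obtain a token via the vendor endpoint.
    if user.role == "admin":
        # Lazy %-formatting: the message is only built if WARNING is enabled.
        logger.warning("Admin user attempted vendor login: %s", user.username)
        raise InvalidCredentialsException("Please use admin portal to login")

    # Membership check only applies when the request carries a vendor context.
    vendor = get_current_vendor(request)
    if vendor and not _user_belongs_to_vendor(user, vendor):
        logger.warning(
            "User %s attempted login to vendor %s but is not authorized",
            user.username,
            vendor.vendor_code,
        )
        raise InvalidCredentialsException("You do not have access to this vendor")

    logger.info("Vendor team login successful: %s", user.username)

    token_data = login_result["token_data"]
    return LoginResponse(
        access_token=token_data["access_token"],
        token_type=token_data["token_type"],
        expires_in=token_data["expires_in"],
        user=user,
    )


@router.post("/logout")
def vendor_logout() -> dict[str, str]:
    """
    Vendor team member logout.

    Purely client-side: no server state is touched and nothing is revoked.
    The client is expected to discard its token; the token itself stays
    usable until its ``expires_in`` window elapses (assuming bearer tokens
    with no server-side denylist -- confirm against auth_service if a
    revocation guarantee is required).
    """
    return {"message": "Logged out successfully"}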