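# app/api/v1/admin/auth.py
"""
Admin authentication endpoints.

This module provides:
- Admin user login
- Admin token validation
- Admin-specific authentication logic
"""

import logging

from fastapi import APIRouter, Depends
from sqlalchemy.orm import Session

from app.core.database import get_db
from app.services.auth_service import auth_service
from app.exceptions import InvalidCredentialsException
from models.schema.auth import LoginResponse, UserLogin

router = APIRouter(prefix="/auth")
logger = logging.getLogger(__name__)

# Role string that grants access to the admin API; compared verbatim against
# the authenticated user's ``role`` attribute.
ADMIN_ROLE = "admin"


@router.post("/login", response_model=LoginResponse)
def admin_login(user_credentials: UserLogin, db: Session = Depends(get_db)):
    """
    Admin login endpoint.

    Only allows users with the 'admin' role to login.
    Returns a JWT token for authenticated admin users.

    Args:
        user_credentials: Submitted username/password (untrusted client input).
        db: Request-scoped database session provided by ``get_db``.

    Returns:
        LoginResponse carrying the access token, token type, expiry and user.

    Raises:
        InvalidCredentialsException: raised here when the authenticated user's
            role is not ``ADMIN_ROLE``. ``auth_service.login_user`` is presumably
            the one that rejects bad credentials; that is not visible in this
            module.
    """
    # Authenticate first; the role gate below runs only after the credential
    # check succeeded, so the token_data returned here was minted for a user
    # who may still be rejected. It is never returned in that case, but any
    # side effects of login_user (audit rows, session records) have already
    # happened -- NOTE(review): confirm in auth_service whether that matters.
    login_result = auth_service.login_user(db=db, user_credentials=user_credentials)
    user = login_result["user"]

    # Verify user is admin. The username comes from the request body, so it is
    # logged with %r: control characters are escaped and cannot forge extra
    # log lines, and formatting is deferred to the logging layer.
    if user.role != ADMIN_ROLE:
        logger.warning(
            "Non-admin user attempted admin login: %r", user_credentials.username
        )
        raise InvalidCredentialsException("Admin access required")

    logger.info("Admin login successful: %r", user.username)
    token_data = login_result["token_data"]
    return LoginResponse(
        access_token=token_data["access_token"],
        token_type=token_data["token_type"],
        expires_in=token_data["expires_in"],
        user=user,
    )


@router.post("/logout")
def admin_logout():
    """
    Admin logout endpoint.

    Client should remove the token from storage. No server-side invalidation
    happens here: a token issued by ``admin_login`` stays usable until it
    expires. Server-side token invalidation (e.g. a denylist or short-lived
    tokens) can be implemented here if needed.

    Returns:
        A static confirmation message. The response does not depend on any
        token, so it does not indicate that a session existed or was revoked.
    """
    return {"message": "Logged out successfully"}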