"""
JWT Authentication utilities for Flask application
"""
import hmac
import logging
import os
from functools import wraps

from flask import jsonify, request, current_app
from flask_jwt_extended import JWTManager, jwt_required, create_access_token, get_jwt_identity, verify_jwt_in_request, get_jwt

# Module-level logger named after this module.
logger = logging.getLogger(__name__)

# Shared JWTManager instance, created without an app here; init_jwt() below
# attaches it to the Flask application through jwt.init_app(app).
jwt = JWTManager()

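# Single API user. Credentials are read from the environment so a deployment
# can set its own without editing this file; an unset or empty variable falls
# back to the original built-in value, so existing setups keep working.
# SECURITY: the fallback password below is committed to source control and
# should be treated as exposed. Rotate it, supply API_AUTH_USERNAME and
# API_AUTH_PASSWORD in every environment, then remove the literals.
USERNAME = os.environ.get('API_AUTH_USERNAME') or 'sisapiuser'
PASSWORD = os.environ.get('API_AUTH_PASSWORD') or 'M1n4#tr3e@12345'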

def init_jwt(app):
    """Attach the module-level JWT manager to *app* and register error handlers.

    Each handler registered here answers with a JSON object holding an
    ``error`` and a ``message`` key, together with HTTP status 401.
    """
    jwt.init_app(app)

    def _unauthorized(title, detail):
        # One response shape for every JWT failure handled below.
        return jsonify({'error': title, 'message': detail}), 401

    @jwt.expired_token_loader
    def expired_token_callback(jwt_header, jwt_payload):
        return _unauthorized(
            'Token has expired',
            'The token has expired. Please login again.',
        )

    @jwt.invalid_token_loader
    def invalid_token_callback(error):
        return _unauthorized(
            'Invalid token',
            'The token is invalid. Please login again.',
        )

    @jwt.unauthorized_loader
    def missing_token_callback(error):
        return _unauthorized(
            'Authorization required',
            'Request does not contain an access token.',
        )

    @jwt.needs_fresh_token_loader
    def token_not_fresh_callback(jwt_header, jwt_payload):
        return _unauthorized(
            'Fresh token required',
            'The token is not fresh. Please login again.',
        )

    @jwt.revoked_token_loader
    def revoked_token_callback(jwt_header, jwt_payload):
        return _unauthorized(
            'Token has been revoked',
            'The token has been revoked.',
        )

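def authenticate_user(username, password):
    """Check a username/password pair against the configured single user.

    Args:
        username: Login name supplied by the client.
        password: Password supplied by the client.

    Returns:
        ``{'username': username}`` when both values match USERNAME and
        PASSWORD, otherwise ``None`` (including when either value is not a
        string, e.g. a missing request field).
    """
    if not isinstance(username, str) or not isinstance(password, str):
        return None

    # Compare in constant time: a plain ``==`` returns as soon as the first
    # differing character is found, which leaks how much of the secret matched.
    # 'surrogatepass' keeps encode() from raising on lone surrogates that a
    # JSON body can carry; such input simply fails the comparison.
    def _same(candidate, expected):
        return hmac.compare_digest(
            candidate.encode('utf-8', 'surrogatepass'),
            expected.encode('utf-8', 'surrogatepass'),
        )

    # Evaluate both checks before combining them so the username result does
    # not short-circuit the password comparison.
    username_ok = _same(username, USERNAME)
    password_ok = _same(password, PASSWORD)
    if username_ok and password_ok:
        return {'username': username}
    return None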

def create_user_token(username):
    """Issue an access token for the configured user.

    Returns the value of ``create_access_token(identity=username)`` when
    *username* equals USERNAME, and ``None`` for any other value. The caller
    is expected to have verified the password already; this function only
    checks the name.
    """
    is_known_user = username == USERNAME
    return create_access_token(identity=username) if is_known_user else None

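def require_auth(f):
    """Decorator that requires a valid JWT before the wrapped route runs.

    Args:
        f: The view function to protect.

    Returns:
        A wrapper that calls ``verify_jwt_in_request()`` first. If verification
        raises, the wrapper logs the error and returns a JSON 401 response;
        otherwise it returns whatever *f* returns.
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        try:
            verify_jwt_in_request()
        except Exception as e:
            # Broad catch kept so every verification failure produces the
            # same 401 body as before.
            # NOTE(review): handling the error here presumably pre-empts the
            # loaders registered in init_jwt for routes using this decorator -
            # confirm which response shape clients should receive.
            logger.error("Authentication error: %s", e)
            return jsonify({
                'error': 'Authentication failed',
                'message': 'Invalid or missing authentication token'
            }), 401
        # The view runs outside the try block: previously any exception it
        # raised (application bug, database error, abort()) was caught above
        # and reported to the client as a 401 authentication failure, hiding
        # the real error and polluting the authentication log.
        return f(*args, **kwargs)
    return decorated_function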

def get_current_user():
    """Return ``{'username': <JWT identity>}`` for the current request.

    Best-effort lookup: if verifying the token or reading the identity raises
    any exception, ``None`` is returned instead of propagating the error.
    """
    try:
        verify_jwt_in_request()
        identity = get_jwt_identity()
    except Exception:
        return None
    return {'username': identity}
