from datetime import datetime, timedelta

from app.settings import SECRET_KEY
from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer
from jose import JWTError, jwt

from . import schema

ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30


def create_access_token(data: dict) -> str:
    """
    Generates a JWT access token with an expiration time.

    This function creates a JWT (JSON Web Token) that includes the provided
    data and an expiration time. The token is signed using a secret key and
    a specified algorithm.

    Args:
        data (dict): A dictionary containing the data to be included in the token.

    Returns:
        str: The encoded JWT token as a string.
    """
    to_encode = data.copy()
    expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
    return encoded_jwt


def verify_token(token: str, credentials_exception):
    """
    Verifies the provided JWT token and extracts the user information.

    This function decodes the given JWT token using the secret key and specified
    algorithm. It checks for the presence of the user's email in the token's payload.
    If the email is not found or the token is invalid, an exception is raised.

    Args:
        token (str): The JWT token to be verified.
        credentials_exception: The exception to raise if the token is invalid or the email is not found.

    Returns:
        TokenData: An object containing the user's email extracted from the token.

    Raises:
        credentials_exception: If the token is invalid or does not contain an email.
    """
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        email: str = payload.get("sub")
        if email is None:
            raise credentials_exception
        token_data = schema.TokenData(email=email)
    except JWTError:
        raise credentials_exception
    return token_data


oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")


def get_current_user(token: str = Depends(oauth2_scheme)):
    """
    Retrieves the current authenticated user based on the provided JWT token.

    This function extracts the JWT token from the request, verifies it, and returns
    the user data associated with the token. If the token is invalid or cannot be
    verified, an HTTP 401 Unauthorized exception is raised.

    Args:
        token (str, optional): The JWT token extracted from the request using the OAuth2
                               password flow. Defaults to being fetched via `Depends(oauth2_scheme)`.

    Returns:
        TokenData: An object containing the user's information extracted from the token.

    Raises:
        HTTPException: If the token is invalid or the credentials cannot be validated.
    """
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    return verify_token(token, credentials_exception)