from fastapi import APIRouter, Depends, HTTPException
from sqlmodel import Session, select
from app.db import get_session
from app.models import User, Role
from app.schemas import LoginIn, Token, UserCreate
from app.security import verify_password, create_access_token, hash_password, require_roles, ADMIN_ROLES, get_current_user
from app.services.audit import audit
# Every route in this module is mounted under /auth and grouped under the
# "auth" tag in the generated OpenAPI schema.
router = APIRouter(
    prefix="/auth",
    tags=["auth"],
)

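@router.post("/login", response_model=Token)
def login(data: LoginIn, session: Session = Depends(get_session)):
    """Exchange an email/password pair for an access token.

    Args:
        data: Login payload carrying ``email`` and ``password``.
        session: Database session (injected).

    Returns:
        A dict matching ``Token``: the signed ``access_token`` plus a ``user``
        summary (id, email, full_name, role, tenant_id). The stored password
        hash is never included in the response.

    Raises:
        HTTPException: 401 with one generic message for both an unknown
            email and a wrong password, so the response body does not
            reveal which accounts exist.

    Note:
        No lockout, rate limiting or failed-login auditing is applied in
        this function; brute-force protection has to be enforced by a layer
        in front of this route (not visible in this module). The email
        comparison is whatever the database does for ``==`` on the column,
        so case-sensitivity depends on the collation — confirm if mixed-case
        emails are expected.
    """
    user = session.exec(select(User).where(User.email == data.email)).first()
    if user is None:
        # Spend roughly the cost of a real verification before rejecting, so
        # an unknown email cannot be told apart from a wrong password by
        # response latency (short-circuiting on a missing user skipped the
        # hash entirely). Assumes hash_password and verify_password run the
        # same work factor — TODO confirm in app.security.
        hash_password(data.password)
        raise HTTPException(status_code=401, detail="Invalid credentials")
    if not verify_password(data.password, user.password_hash):
        raise HTTPException(status_code=401, detail="Invalid credentials")
    token = create_access_token(user)
    return {
        "access_token": token,
        "user": {
            "id": user.id,
            "email": user.email,
            "full_name": user.full_name,
            "role": user.role.value,
            "tenant_id": user.tenant_id,
        },
    }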

@router.get("/me")
def me(user: User = Depends(get_current_user)):
    """Return the authenticated caller's own profile summary.

    The only input is the ``user`` resolved by ``get_current_user``
    (presumably from the request's credentials); no client-supplied
    identifier is accepted, so a caller can only read their own record.
    The password hash is deliberately left out of the response.
    """
    profile = {"id": user.id, "email": user.email}
    profile["full_name"] = user.full_name
    profile["role"] = user.role.value
    profile["tenant_id"] = user.tenant_id
    return profile

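@router.post("/users")
def create_user(
    data: UserCreate,
    current: User = Depends(require_roles(*ADMIN_ROLES)),
    session: Session = Depends(get_session),
):
    """Create a user inside the caller's tenant (admin roles only).

    Args:
        data: New-user payload: ``email``, ``full_name``, ``role`` and a
            plaintext ``password`` that is hashed before it is stored.
        current: The authenticated admin performing the action; access is
            gated by ``require_roles(*ADMIN_ROLES)``.
        session: Database session (injected).

    Returns:
        ``{"id", "email", "role"}`` for the created user. The password hash
        is never returned.

    Raises:
        HTTPException: 409 if a user with that email already exists. Login
            resolves accounts by email with ``.first()``, so a second row
            with the same email would leave one of the accounts unable to
            log in; rejecting up front also avoids a database constraint
            error surfacing as a 500.

    Security notes:
        - ``tenant_id`` is always copied from the caller, never taken from
          the request body, so an admin cannot create users in another
          tenant.
        - ``data.role`` is stored exactly as supplied. Nothing here stops a
          caller from granting a role more privileged than their own; if
          ``Role`` has a hierarchy, restrict the allowed values to roles at
          or below the caller's level — TODO confirm against ``Role``.
        - The duplicate check is global (login is not tenant-scoped), so
          the 409 discloses that the email is registered somewhere, possibly
          in another tenant. This is only exposed to admin callers; decide
          whether that is acceptable for this deployment.
    """
    existing = session.exec(select(User).where(User.email == data.email)).first()
    if existing is not None:
        raise HTTPException(status_code=409, detail="Email already registered")
    user = User(
        tenant_id=current.tenant_id,
        email=data.email,
        full_name=data.full_name,
        role=data.role,
        password_hash=hash_password(data.password),
    )
    session.add(user)
    # flush() assigns user.id without ending the transaction, so the audit
    # row below is committed together with the user: the original committed
    # twice, which could leave a user with no audit trail if the second
    # commit failed.
    session.flush()
    session.refresh(user)
    audit(session, current, "create", "user", user.id, {"email": user.email})
    session.commit()
    return {"id": user.id, "email": user.email, "role": user.role.value}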
