"""
Authentication blueprint: login and logout endpoints.

Accounts are owned by the Enterprise Digital Platform portal. This module
offers no local registration or local user creation; the corresponding
routes only redirect.
"""
from flask import Blueprint, render_template, request, redirect, url_for, flash, current_app
from flask_login import login_user, logout_user, login_required, current_user
from app.extensions import db, bcrypt, login_manager
from app.models import User
from app.utils.logger import log_action

auth_bp = Blueprint('auth', __name__)


def _portal_login_redirect():
    """Redirect to the portal login page.

    The target is read from the application config key ``PORTAL_LOGIN_URL``
    (falling back to ``/login``). It is never taken from the request, so the
    caller of the route cannot steer the redirect.
    """
    return redirect(current_app.config.get('PORTAL_LOGIN_URL', '/login'))


@auth_bp.route('/login', methods=['GET', 'POST'])
def login():
    """
    Entry point for unauthenticated visitors.

    By design, requests that arrive through the portal nginx gateway are
    logged in by the before_request hook in portal_sso.py and sent to the
    dashboard before this view runs. Reaching this view therefore means the
    request came to DigiServer directly, or carried no portal session.

    No credentials are checked here: an authenticated user goes to the
    dashboard, everyone else goes to the portal login page.
    """
    # NOTE(review): the SSO hook is described as acting on X-Auth-Username
    # headers, and this docstring acknowledges that DigiServer can be reached
    # without the gateway. Those headers are only trustworthy when set by the
    # gateway; confirm that portal_sso.py rejects them on direct connections
    # (or that the app port is not exposed) -- not verifiable from this file.
    if not current_user.is_authenticated:
        return _portal_login_redirect()
    return redirect(url_for('main.dashboard'))


@auth_bp.route('/logout')
@login_required
def logout():
    """End the local Flask-Login session and return to the login route."""
    # NOTE(review): no ``methods`` argument is given, so this state-changing
    # route answers GET and carries no CSRF token; a POST-only route would
    # prevent third-party pages from logging users out.
    # Read the name before logout_user() replaces current_user.
    username = current_user.username
    logout_user()
    # NOTE(review): the username is interpolated into the log line as-is;
    # whether log_action neutralises control characters is not visible here.
    log_action('info', f'User {username} logged out')
    flash('You have been logged out.', 'info')
    # NOTE(review): only the local session is cleared. If the gateway keeps
    # forwarding the portal identity, the SSO hook may sign the user back in
    # on the next request -- confirm whether portal logout is also required.
    login_endpoint = url_for('auth.login')
    return redirect(login_endpoint)


@auth_bp.route('/register', methods=['GET', 'POST'])
def register():
    """
    Self-registration is switched off; the portal is the only source of users.

    Both GET and POST are answered with a redirect to the portal login page,
    and nothing submitted to this route is read.
    """
    return _portal_login_redirect()


@auth_bp.route('/change-password', methods=['GET', 'POST'])
@login_required
def change_password():
    """
    Local password changes are not offered; the portal manages passwords.

    Passwords for portal-managed users are randomly generated and not
    user-facing, so this view only informs the user and returns to the
    dashboard. Nothing submitted to this route is read.
    """
    notice = 'Password management is handled through the Enterprise Digital Platform portal.'
    flash(notice, 'info')
    dashboard_url = url_for('main.dashboard')
    return redirect(dashboard_url)