"""
=========================================
CV6 AI Trading OS
User API
=========================================
"""

from fastapi import APIRouter, Depends, HTTPException, Request
from sqlalchemy.orm import Session

from app.database.session import get_db
from app.schemas.user_schema import UserCreate, UserLogin
from app.repositories.user_repository import UserRepository
from app.core.auth import create_access_token
from app.core.security import hash_password, verify_password
from app.core.rate_limit import check_login_rate_limit

router = APIRouter(
    prefix="/users",
    tags=["Users"]
)


# =====================================================
# Register User
# =====================================================

@router.post("/register")
def register_user(
    user: UserCreate,
    db: Session = Depends(get_db)
):

    repo = UserRepository(db)

    existing = repo.get_by_email(user.email)

    if existing:
        raise HTTPException(
            status_code=400,
            detail="Email already registered"
        )

    new_user = repo.create_user(
        name=user.name,
        email=user.email,
        password=hash_password(user.password)   # C-1 FIX: bcrypt hash, never plaintext
    )

    return {
        "success": True,
        "user_id": new_user.id
    }


# =====================================================
# Login User
# =====================================================

@router.post("/login")
def login_user(
    user: UserLogin,
    request: Request,
    db: Session = Depends(get_db)
):
    # H-2 FIX: enforce rate limit by client IP
    client_ip = request.client.host if request.client else "unknown"
    check_login_rate_limit(client_ip)

    repo = UserRepository(db)

    db_user = repo.get_by_email(user.email)

    # Generic message for both cases — avoids leaking whether an email is registered
    if not db_user or not verify_password(user.password, db_user.password):
        raise HTTPException(
            status_code=401,
            detail="Invalid email or password"
        )

    access_token = create_access_token(
        {
            "sub": db_user.email,
            "user_id": db_user.id
        }
    )

    return {
        "success": True,
        "access_token": access_token,
        "token_type": "bearer"
    }