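"""Authentication blueprint: LDAP-backed login and logout views."""
from datetime import datetime

from flask import Blueprint, render_template, request, redirect, url_for, flash
from flask_login import login_user, logout_user, login_required, current_user
from werkzeug.security import check_password_hash

# NOTE(review): generate_password_hash is normally provided by
# werkzeug.security; confirm that ldap_utils really re-exports it, otherwise
# this import fails when the module is loaded.
from ldap_utils import authenticate_ldap_user, generate_password_hash
from models import User, db

auth_bp = Blueprint('auth', __name__)


@auth_bp.route('/login', methods=['GET', 'POST'])
def login():
    """Render the login form and authenticate submitted credentials via LDAP.

    GET renders ``login.html``. POST reads ``username`` and ``password`` from
    the form, asks ``authenticate_ldap_user`` to verify them and, on success,
    finds or creates the matching local ``User`` row, records the login time
    and starts a Flask-Login session.

    Returns:
        A redirect to ``temp_spec.spec_list`` when the caller is already
        authenticated or has just logged in; otherwise the rendered login
        page (with a flashed error after a failed attempt).
    """
    if current_user.is_authenticated:
        return redirect(url_for('temp_spec.spec_list'))

    if request.method == 'POST':
        # .get() keeps a malformed POST on the normal "bad credentials" path
        # instead of aborting the request on a missing form key.
        username = request.form.get('username', '')
        password = request.form.get('password', '')

        # Step 1: Authenticate against LDAP.
        # Blank credentials are rejected before the directory is contacted:
        # an LDAP simple bind with an empty password is an *unauthenticated*
        # bind (RFC 4513, section 5.1.2) that many servers report as success.
        # authenticate_ldap_user is not visible here, so do not rely on it to
        # refuse them.
        user_info = None
        if username and password:
            user_info = authenticate_ldap_user(username, password)

        if user_info:
            # Step 2: Find or create the local user. The lookup uses the
            # username returned by the LDAP helper, not the raw form value.
            local_user = User.query.filter_by(
                username=user_info['username']
            ).first()

            if not local_user:
                local_user = User(
                    username=user_info['username'],
                    # Placeholder only: this is not a real password hash.
                    # NOTE(review): confirm no other code path accepts
                    # password_hash as a local credential (e.g. a plain
                    # string comparison), since the value is a known constant.
                    password_hash='ldap_authenticated',
                    role='viewer'  # Default (least-privileged) role for new users
                )
                db.session.add(local_user)

            # Update last_login time (naive local time, as stored originally).
            local_user.last_login = datetime.now()
            db.session.commit()

            # Step 3: Log in the user with Flask-Login.
            login_user(local_user)
            return redirect(url_for('temp_spec.spec_list'))
        else:
            # One generic message for every failure, so the response does not
            # reveal whether the account exists.
            # NOTE(review): no attempt throttling or lockout is visible in this
            # view; confirm it is enforced by the directory or upstream.
            flash('帳號或密碼錯誤,請重新輸入', 'danger')

    return render_template('login.html')


# NOTE(review): this route accepts GET (the Flask default), so any cross-site
# request can end the user's session; consider a POST-only logout protected by
# a CSRF token.
@auth_bp.route('/logout')
@login_required
def logout():
    """End the current Flask-Login session and return to the login page."""
    logout_user()
    return redirect(url_for('auth.login'))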