"""Password encryption service using Fernet (AES-256)

安全性說明：
- 使用 Fernet 對稱加密（基於 AES-256）
- 加密金鑰從環境變數 FERNET_KEY 讀取
- 密碼加密後儲存於資料庫，用於自動刷新 AD token
"""
from cryptography.fernet import Fernet
from app.core.config import get_settings

settings = get_settings()


class EncryptionService:
    """Password encryption/decryption service"""

    def __init__(self):
        """Initialize with Fernet key from settings"""
        self._fernet = Fernet(settings.FERNET_KEY.encode())

    def encrypt_password(self, plaintext: str) -> str:
        """Encrypt password for storage

        Args:
            plaintext: Plain text password

        Returns:
            Encrypted password as base64 string
        """
        encrypted_bytes = self._fernet.encrypt(plaintext.encode())
        return encrypted_bytes.decode()

    def decrypt_password(self, ciphertext: str) -> str:
        """Decrypt stored password

        Args:
            ciphertext: Encrypted password (base64 string)

        Returns:
            Decrypted plain text password
        """
        decrypted_bytes = self._fernet.decrypt(ciphertext.encode())
        return decrypted_bytes.decode()


# Singleton instance
encryption_service = EncryptionService()