import logging
from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import firebase_admin.auth as fb_auth
from google.cloud import firestore
from database.firebase_client import get_firestore

logger = logging.getLogger("chatbot.security")
# auto_error=False: a missing or non-Bearer Authorization header is handed to the
# dependency as credentials=None instead of being rejected by FastAPI itself, so
# the dependency that consumes it owns the "missing credentials" response.
security = HTTPBearer(auto_error=False)

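def verify_firebase_token(credentials: HTTPAuthorizationCredentials = Depends(security)) -> dict:
    """
    Verify the Firebase ID token carried in the ``Authorization: Bearer`` header.

    Args:
        credentials: Parsed bearer credentials, or ``None`` when the header is
            absent or malformed (``security`` is built with ``auto_error=False``).

    Returns:
        The decoded claims returned by ``firebase_admin.auth.verify_id_token``.

    Raises:
        HTTPException: 401 carrying ``WWW-Authenticate: Bearer`` when the header
            is missing or the token is revoked, expired or otherwise invalid.
    """
    # With auto_error=False a missing header arrives as None. Without this guard
    # the attribute access below raises AttributeError outside the try block and
    # the client receives a 500 instead of a 401 challenge.
    if credentials is None or not credentials.credentials:
        logger.warning("Request without bearer credentials.")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Missing authentication credentials.",
            headers={"WWW-Authenticate": "Bearer"},
        )

    token = credentials.credentials
    try:
        # check_revoked=True costs an extra lookup per request but makes a
        # server-side revocation (revoke_refresh_tokens) take effect before the
        # token's natural expiry.
        return fb_auth.verify_id_token(token, check_revoked=True)
    except fb_auth.RevokedIdTokenError:
        logger.warning("Revoked Firebase ID token used.")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Token has been revoked. Please log in again.",
            headers={"WWW-Authenticate": "Bearer"},
        )
    except fb_auth.ExpiredIdTokenError:
        logger.warning("Expired Firebase ID token used.")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Token has expired. Please refresh your session.",
            headers={"WWW-Authenticate": "Bearer"},
        )
    except Exception as e:
        # Every other failure (bad signature, wrong project, key fetch problems,
        # ...) is reported uniformly as 401; the cause stays in the server log so
        # the response does not reveal why verification failed.
        # NOTE(review): a transient key-fetch failure is also mapped to 401 here;
        # consider surfacing it as 503 if clients need to distinguish it.
        logger.error("Invalid Firebase ID token: %s", e)
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication credentials.",
            headers={"WWW-Authenticate": "Bearer"},
        )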

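def get_current_user(decoded_token: dict = Depends(verify_firebase_token)) -> dict:
    """
    Resolve a verified token to the caller's profile stored in Firestore.

    On first login (no ``users/{uid}`` document yet) a default document with the
    least-privileged role ``"subscriber"`` is written before the profile is returned.

    Args:
        decoded_token: Claims from a successfully verified Firebase ID token.

    Returns:
        ``{"uid", "email", "role"}``. The role is read from Firestore, never from
        the token, so a client cannot assert its own role.

    Raises:
        HTTPException: 401 if the token unexpectedly carries no ``uid`` claim.
    """
    uid = decoded_token.get("uid")
    # NOTE(review): the email claim is stored and returned as-is; if it is ever
    # used for authorization decisions, check the token's email_verified claim first.
    email = decoded_token.get("email", "")

    # Defensive: a missing uid would otherwise surface as a document-path error (500).
    if not uid:
        logger.error("Verified token carries no uid claim; refusing request.")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication credentials.",
            headers={"WWW-Authenticate": "Bearer"},
        )

    # One document reference for both the read and the possible first-login write.
    user_ref = get_firestore().collection("users").document(uid)
    user_doc = user_ref.get()

    if user_doc.exists:
        user_data = user_doc.to_dict() or {}
    else:
        # First-time login from seeded auth: provision the least-privileged profile.
        # NOTE(review): two concurrent first requests can both take this branch and
        # write the same default document; harmless while the data is identical.
        user_data = {
            "email": email,
            "role": "subscriber",
            "created_at": firestore.SERVER_TIMESTAMP,
        }
        user_ref.set(user_data)
        logger.info("Created default user document for UID %s", uid)

    return {
        "uid": uid,
        "email": email,
        # Missing/unknown role degrades to the least-privileged one.
        "role": user_data.get("role", "subscriber"),
    }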

def require_admin(user: dict = Depends(get_current_user)) -> dict:
    """
    Gate a route on the ``admin`` role.

    Args:
        user: Profile produced by :func:`get_current_user`.

    Returns:
        The same profile, unchanged, when its role is exactly ``admin``.

    Raises:
        HTTPException: 403 for any other role, including a missing one (deny by default).
    """
    role = user.get("role")
    if role == "admin":
        return user
    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail="Forbidden: Admin access required."
    )

def require_subscriber(user: dict = Depends(get_current_user)) -> dict:
    """
    Gate a route on the ``subscriber`` role.

    Args:
        user: Profile produced by :func:`get_current_user`.

    Returns:
        The same profile, unchanged, when its role is exactly ``subscriber``.

    Raises:
        HTTPException: 403 for any other role, including ``admin`` and a missing
            role — the check is an exact match, not a privilege hierarchy.
    """
    role = user.get("role")
    if role == "subscriber":
        return user
    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail="Forbidden: Subscriber access required."
    )
