# app/core/security.py
from datetime import datetime, timedelta, timezone
from typing import Any, Union, Optional

from jose import JWTError, jwt
from passlib.context import CryptContext

from app.config import settings # Import settings from config

# --- Password Hashing ---
# These functions are used for password hashing and verification
# They complement FastAPI-Users but provide direct access to the underlying password functionality
# when needed outside of the FastAPI-Users authentication flow.

# Configure passlib context
# Using bcrypt as the default hashing scheme
# 'deprecated="auto"' will automatically upgrade hashes if needed on verification
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

def verify_password(plain_password: str, hashed_password: str) -> bool:
    """
    Verifies a plain text password against a hashed password.
    This is used by FastAPI-Users internally, but also exposed here for custom authentication flows
    if needed.

    Args:
        plain_password: The password attempt.
        hashed_password: The stored hash from the database.

    Returns:
        True if the password matches the hash, False otherwise.
    """
    try:
        return pwd_context.verify(plain_password, hashed_password)
    except Exception:
        # Handle potential errors during verification (e.g., invalid hash format)
        return False

def hash_password(password: str) -> str:
    """
    Hashes a plain text password using the configured context (bcrypt).
    This is used by FastAPI-Users internally, but also exposed here for
    custom user creation or password reset flows if needed.

    Args:
        password: The plain text password to hash.

    Returns:
        The resulting hash string.
    """
    return pwd_context.hash(password)


# --- JSON Web Tokens (JWT) ---
# FastAPI-Users now handles all JWT token creation and validation.
# The code below is commented out because FastAPI-Users provides these features.
# It's kept for reference in case a custom implementation is needed later.

# Example of a potential future implementation:
# def get_subject_from_token(token: str) -> Optional[str]:
#     """
#     Extract the subject (user ID) from a JWT token.
#     This would be used if we need to validate tokens outside of FastAPI-Users flow.
#     For now, use fastapi_users.current_user dependency instead.
#     """
#     # This would need to use FastAPI-Users' token verification if ever implemented
#     # For example, by decoding the token using the strategy from the auth backend
#     try:
#         payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
#         return payload.get("sub")
#     except JWTError:
#         return None
#     return None