from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy.orm import Session

from .. import database, models, schemas, auth_utils

router = APIRouter(tags=["SSO"])


def _denied(message: str) -> dict:
    """Build the in-band "not authorized" body returned to the calling application."""
    return {"authorized": False, "message": message}


@router.post("/verify", response_model=schemas.SSOVerifyResponse)
async def verify_user(request: schemas.SSOVerifyRequest, db: Session = Depends(database.get_db)):
    """Verify an end user's credentials on behalf of a registered application.

    The check runs in three stages, each of which stops the flow on failure:

    1. the application's API key must match a stored ``models.Application`` row
       (an unknown key is rejected outright with HTTP 403);
    2. the username/password pair must match an existing, active ``models.User``;
    3. a ``models.UserApplication`` row must link that user to that application.

    Args:
        request: API key plus the end user's username and password.
        db: SQLAlchemy session injected by ``database.get_db``.

    Returns:
        ``{"authorized": True, "message": "Authorized", "user": <user>}`` on success,
        otherwise ``{"authorized": False, "message": <reason>}``. The fields of
        ``user`` that leave the service are whatever ``schemas.SSOVerifyResponse``
        declares.  NOTE(review): confirm that schema omits ``hashed_password``.

    Raises:
        HTTPException: 403 when ``request.api_key`` matches no application.
    """
    # Stage 1 -- the caller itself must be a known application.  This is the
    # only failure that surfaces as an HTTP error; end-user failures below are
    # reported in the response body instead.
    application = (
        db.query(models.Application)
        .filter(models.Application.api_key == request.api_key)
        .first()
    )
    if not application:
        raise HTTPException(status_code=403, detail="Invalid API Key")

    # Stage 2 -- look the user up by username and check the password against
    # the stored hash.  Both "no such user" and "wrong password" produce the
    # same message so the body does not reveal which usernames exist.
    # NOTE(review): when no user row exists verify_password is skipped, so
    # response time may still differ between the two cases -- confirm whether
    # that matters for this deployment.
    user = (
        db.query(models.User)
        .filter(models.User.username == request.username)
        .first()
    )
    credentials_ok = user and auth_utils.verify_password(request.password, user.hashed_password)
    if not credentials_ok:
        return _denied("Invalid username or password")
    # Deactivated accounts are refused even with a correct password.
    if not user.is_active:
        return _denied("User account is inactive")

    # Stage 3 -- a valid user still needs an explicit assignment to this
    # particular application.
    link = (
        db.query(models.UserApplication)
        .filter(
            models.UserApplication.user_id == user.id,
            models.UserApplication.application_id == application.id,
        )
        .first()
    )
    if not link:
        return _denied("User not authorized for this application")

    return {"authorized": True, "message": "Authorized", "user": user}