#  Copyright (c) 2019. Tobias Kurze
"""
Base module for auth aspects.

Also this module contains mainly code for login through HTML pages served by the backend.
If frontend pages are build by frontend code (JS, etc.) authentication should consider using api functions.
(For more info, see api.auth_api.py.)

This code uses login_user and logout user (to start and end sessions) ... API code returns JWTs.
"""
from flask import Blueprint, jsonify, url_for
from flask_login import logout_user, LoginManager
from werkzeug.routing import BuildError

from backend import jwt_extended
from backend.models import BlacklistToken, User

auth_bp = Blueprint('auth', __name__, url_prefix='/auth', template_folder='templates')

from backend.auth.config import AUTH_PROVIDERS, DEFAULT_FRONTEND_PROVIDER
from backend.auth.oidc_config import OIDC_PROVIDERS

from backend.auth.oidc import oidc_auth

from .basic_auth import *


def auth_decorator(): # custom decorator
    pass


@auth_bp.route('/login', methods=['GET', 'POST'])
def login():
    try:
        prov = AUTH_PROVIDERS[DEFAULT_FRONTEND_PROVIDER]
    except KeyError:
        return "No known default provider specified!"
    url = prov["url"]
    try:
        url = url_for(prov["url"], next=request.endpoint)
    except BuildError as e:
        pass
        #logger.log("Can't create endpoint for '{}' (specified provider: {}).".format(e.endpoint, DEFAULT_PROVIDER))
    return redirect(url)


@auth_bp.route('/login_select', methods=['GET'])
def login_select():
    return render_template('login_select.html', providers=AUTH_PROVIDERS)


@auth_bp.route('/logout', methods=('GET', ))
def logout():
    logout_user()


@jwt_extended.user_claims_loader
def add_claims_to_access_token(user):
    if isinstance(user, str):
        return {}
    return {'role': user.role, 'groups': [g.to_dict() for g in user.groups]}


@jwt_extended.user_identity_loader
def user_identity_loader(user):
    return user.email


@jwt_extended.user_loader_callback_loader
def user_loader_callback(identity):
    print("### user_loader_callback_loader")
    return User.get_by_identifier(identity)


@jwt_extended.token_in_blacklist_loader
def check_if_token_in_blacklist(decrypted_token):
    jti = decrypted_token['jti']
    return BlacklistToken.get_by_token(jti) is not None