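import os

from flask import Flask, jsonify, request, send_from_directory, session
from webauthn import create_webauthn_credentials, verify_create_webauthn_credentials
from webauthn.metadata import get_metadata
from webauthn.types import Attestation, RelyingParty, User, UserVerification

app = Flask(__name__, static_folder='static')

# Session cookies are signed with this key, and the challenge issued by
# /register/options is read back by /register/verify through the session.
# The os.urandom fallback is regenerated on every start and differs per worker
# process, so with more than one worker (or a restart between the two
# requests) the challenge cannot be read back. Set SECRET_KEY in the
# environment for anything beyond a single-process demo.
app.secret_key = os.environ.get('SECRET_KEY', os.urandom(32))

# Setup RP and user (for demo purposes, a fixed user).
# NOTE(review): WebAuthn RP IDs are conventionally a bare registrable domain
# (no scheme); confirm this library accepts a full origin URL as the id.
RP = RelyingParty(id="https://paulmartrenchar-fidotest.hf.space", name="Demo RP", icon=None)
USER = User(id=b"demo-user", name="demo@example.com", display_name="Demo User", icon=None)

# Fetch the FIDO Metadata Service blob once at startup (get_metadata
# downloads, validates and caches it); /register/verify passes it to the
# library so the attestation can be matched against a metadata statement.
fido_metadata = get_metadata()


@app.route('/register/options', methods=['GET'])
def register_options():
    """Return credential-creation options for the fixed demo user.

    The freshly generated challenge is stored in the signed session so that
    /register/verify can bind the attestation response to this request.
    """
    options, challenge = create_webauthn_credentials(
        rp=RP,
        user=USER,
        existing_keys=[],  # demo user has no previously registered credentials
        attachment=None,
        require_resident=False,
        user_verification=UserVerification.Preferred,
        # Direct attestation is requested so the verify step has an
        # attestation statement to check against the MDS blob.
        attestation_request=Attestation.DirectAttestation,
    )
    session['challenge'] = challenge
    return jsonify(options)


@app.route('/register/verify', methods=['POST'])
def register_verify():
    """Verify the attestation response for the challenge issued by /register/options.

    Expects a JSON body of the form
    ``{"response": {"data": <client data, b64>, "attestation": <attestation, b64>}}``.
    Returns a summary of the authenticator data and its metadata statement, or
    a 400 with an ``error`` field when no challenge is pending, the body is
    malformed, or verification fails. Previously each of those cases surfaced
    as an unhandled KeyError/TypeError (HTTP 500).
    """
    # Consume the challenge first so it can be used at most once, whether or
    # not the verification below succeeds.
    challenge = session.pop('challenge', None)
    if challenge is None:
        return jsonify({"error": "no pending registration challenge"}), 400

    # silent=True: a missing or non-JSON body yields None instead of an
    # exception, so it can be answered with a 400 below.
    data = request.get_json(silent=True)
    response = data.get('response') if isinstance(data, dict) else None
    if not isinstance(response, dict):
        return jsonify({"error": "missing 'response' object"}), 400
    client_data_b64 = response.get('data')
    attestation_b64 = response.get('attestation')
    if not isinstance(client_data_b64, str) or not isinstance(attestation_b64, str):
        return jsonify({"error": "'response.data' and 'response.attestation' must be strings"}), 400

    try:
        auth_data = verify_create_webauthn_credentials(
            rp=RP,
            challenge_b64=challenge,
            client_data_b64=client_data_b64,
            attestation_b64=attestation_b64,
            fido_metadata=fido_metadata,
        )
    except Exception:  # library boundary: its exception types are not visible here
        app.logger.exception("attestation verification failed")
        return jsonify({"error": "attestation verification failed"}), 400

    # Return attestation metadata info (e.g., certification status).
    # NOTE(review): metadata_statement may be absent when the authenticator is
    # not in the MDS blob; treated as empty here — confirm against the library.
    statement = auth_data.metadata_statement or {}
    info = {
        "aaguid": auth_data.authnr_data.aaguid.hex(),
        "counter": auth_data.authnr_data.counter,
        "flags": auth_data.authnr_data.flags,  # assumes this is JSON-serialisable — TODO confirm
        "fmt": auth_data.fmt,
        "status_reports": statement.get("statusReports", []),
        "description": statement.get("description"),
    }
    return jsonify(info)


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def serve(path):
    """Serve the front end from ``static/``.

    ``/`` maps to ``index.html``; any other path is looked up under
    ``static/`` (the second route was previously a duplicate ``'/'`` rule, so
    no other path ever reached this handler). send_from_directory joins the
    path safely and refuses anything that would escape the directory,
    answering 404 for missing files.
    """
    app.logger.debug("requested path %s", path)
    return send_from_directory('static', path or 'index.html')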
@app.after_request
def add_permissions_policy_header(response):
    """Attach a Permissions-Policy header to every response.

    The value allows WebAuthn credential creation for this origin only
    (``(self)``), so it also covers the static documents that call
    ``navigator.credentials.create()``.
    """
    policy_value = 'publickey-credentials-create=(self)'
    response.headers['Permissions-Policy'] = policy_value
    return response


if __name__ == '__main__':
    # TLS is not configured here (ssl_context=None). WebAuthn requires a
    # secure context, so a TLS-terminating front end is presumably in front
    # of this process — confirm for the deployment.
    app.run(host='0.0.0.0', port=7860, ssl_context=None)