"""Authentication helpers for HF OAuth-backed requests.

Spec references:
- `specs/04_interfaces.md`: implements `get_current_user()`.
- `specs/07_security.md`: authentication is required and user identity scopes storage access.
- `specs/10_test_plan.md`: behavior is explicit and unit-testable.
"""

from __future__ import annotations

from typing import Any


class AuthError(Exception):
    """Base exception for authentication failures."""


class NotAuthenticatedError(AuthError):
    """Raised when the current request does not include an authenticated user."""


_MISSING = object()


def _safe_getattr(container: object, attribute_name: str) -> Any:
    """Read an attribute without propagating framework-specific accessor errors."""

    try:
        return object.__getattribute__(container, attribute_name)
    except AttributeError:
        pass
    except Exception:
        return _MISSING

    try:
        return getattr(container, attribute_name)
    except Exception:
        return _MISSING


def _extract_mapping_value(container: dict[str, Any]) -> str | None:
    """Extract a username from common mapping-based request contexts."""

    direct_keys: tuple[str, ...] = ("username", "user", "hf_user", "current_user")
    for key in direct_keys:
        value: Any = container.get(key)
        if isinstance(value, str) and value.strip():
            return value.strip()
        if isinstance(value, dict):
            nested_username: str | None = _extract_user_from_candidate(value)
            if nested_username is not None:
                return nested_username

    request: Any = container.get("request")
    if isinstance(request, dict):
        nested_username = _extract_mapping_value(request)
        if nested_username is not None:
            return nested_username

    state: Any = container.get("state")
    if isinstance(state, dict):
        nested_username = _extract_mapping_value(state)
        if nested_username is not None:
            return nested_username

    session: Any = container.get("session")
    if isinstance(session, dict):
        nested_username = _extract_mapping_value(session)
        if nested_username is not None:
            return nested_username

    return None


def _extract_object_value(container: object) -> str | None:
    """Extract a username from object-based request contexts."""

    attribute_names: tuple[str, ...] = ("username", "user", "hf_user", "current_user")
    for attribute_name in attribute_names:
        value: Any = _safe_getattr(container, attribute_name)
        if value is _MISSING:
            continue
        if isinstance(value, str) and value.strip():
            return value.strip()
        nested_username: str | None = _extract_user_from_candidate(value)
        if nested_username is not None:
            return nested_username

    for attribute_name in ("request", "state", "session"):
        nested_container: Any = _safe_getattr(container, attribute_name)
        if nested_container is _MISSING:
            continue
        nested_username = _extract_user_from_candidate(nested_container)
        if nested_username is not None:
            return nested_username

    return None


def _extract_user_from_candidate(candidate: Any) -> str | None:
    """Extract an authenticated username from one candidate context value."""

    if isinstance(candidate, str):
        normalized: str = candidate.strip()
        return normalized or None

    if isinstance(candidate, dict):
        username_from_mapping: str | None = _extract_mapping_value(candidate)
        if username_from_mapping is not None:
            return username_from_mapping

        preferred_keys: tuple[str, ...] = ("preferred_username", "name", "login", "sub")
        for key in preferred_keys:
            value: Any = candidate.get(key)
            if isinstance(value, str) and value.strip():
                return value.strip()
        return None

    if candidate is None:
        return None

    username_from_object: str | None = _extract_object_value(candidate)
    if username_from_object is not None:
        return username_from_object

    for attribute_name in ("preferred_username", "name", "login", "sub"):
        value: Any = _safe_getattr(candidate, attribute_name)
        if isinstance(value, str) and value.strip():
            return value.strip()

    return None


def get_current_user(request_ctx: Any) -> str:
    """Return the authenticated HF OAuth username from the current request context.

    Spec references:
    - `specs/04_interfaces.md`: implements `get_current_user()`.
    - `specs/07_security.md`: rejects unauthenticated access.

    Args:
        request_ctx: Framework-specific request or auth context object.

    Returns:
        The authenticated username string used for per-user storage isolation.

    Raises:
        NotAuthenticatedError: If no authenticated user can be extracted.
    """

    username: str | None = _extract_user_from_candidate(request_ctx)
    if username is None:
        raise NotAuthenticatedError("Authenticated user not found in request context.")
    return username