"""Update Supabase auth site URL and redirect allow-list via management API."""
import json
import re
import sys
import urllib.error
import urllib.request

PROJECT_REF = "tbmavjszaykfxxhcgfsq"

with open("apps/portal/.env.local") as f:
    content = f.read()

match = re.search(r"SUPABASE_SERVICE_ROLE_KEY=(.+)", content)
if not match:
    print("ERROR: SUPABASE_SERVICE_ROLE_KEY not found in apps/portal/.env.local")
    sys.exit(1)
SERVICE_KEY = match.group(1).strip()

payload = {
    "site_url": "https://bee.cuilabs.io",
    "uri_allow_list": [
        "https://bee.cuilabs.io/auth/callback",
        "https://bee.cuilabs.io/auth/reset-password",
        "https://beeportal.vercel.app/auth/callback",
        "http://localhost:3000/auth/callback",
        "http://localhost:3000/auth/reset-password",
    ],
}

req = urllib.request.Request(
    f"https://api.supabase.com/v1/projects/{PROJECT_REF}/config/auth",
    data=json.dumps(payload).encode(),
    headers={
        "Authorization": f"Bearer {SERVICE_KEY}",
        "Content-Type": "application/json",
    },
    method="PATCH",
)

try:
    with urllib.request.urlopen(req, timeout=15) as r:
        body = r.read().decode()
        print(f"✓ Auth config updated (HTTP {r.status})")
        result = json.loads(body)
        print(f"  site_url:        {result.get('site_url')}")
        print(f"  uri_allow_list:  {result.get('uri_allow_list')}")
except urllib.error.HTTPError as e:
    body = e.read().decode()
    print(f"✗ HTTP {e.code}: {body[:400]}")
    sys.exit(1)