from datetime import datetime, timezone

from app.core.exceptions import ForbiddenError, UnauthorizedError
from app.core.security import create_access_token, verify_password
from app.models.user import User
from app.repositories.user import UserRepository
from app.schemas.user import TokenResponse, UserResponse


class AuthService:
    def __init__(self, repo: UserRepository):
        self.repo = repo

    async def login(self, username: str, password: str) -> TokenResponse:
        user = await self.repo.get_by_username(username)

        if not user or not verify_password(password, user.password_hash):
            raise UnauthorizedError("Incorrect username or password")

        if not user.is_active:
            raise ForbiddenError("Account is disabled")

        # تسجيل وقت آخر دخول
        await self.repo.update(user, last_login_at=datetime.now(timezone.utc))

        token = create_access_token({"sub": str(user.id), "role": user.role})
        return TokenResponse(
            access_token=token,
            user=UserResponse.model_validate(user),
        )

    async def get_user_by_id(self, user_id: int) -> User:
        user = await self.repo.get(user_id)
        if not user or not user.is_active:
            raise UnauthorizedError("User not found or inactive")
        return user