# User Management Utilities

This module provides comprehensive user management utilities for Clerk authentication integration in the FastAPI backend.

## Overview

The user management utilities are designed to handle:

1. **User Data Extraction** - Extract and process user data from Clerk
2. **Session Management** - Manage user sessions and authentication context
3. **Permission Checking** - Validate user permissions and access control

## Core Components

### UserDataExtractor

Handles extraction and processing of user data from Clerk API.

```python
from app.utils.user_utils import UserDataExtractor
from app.core.auth import get_clerk_manager

# Initialize extractor
clerk_manager = get_clerk_manager()
extractor = UserDataExtractor(clerk_manager)

# Extract user data
clerk_user = await extractor.extract_user_from_clerk("user_123")
user_profile = extractor.create_user_profile(clerk_user)
metadata = extractor.extract_user_metadata(clerk_user)
```

### UserSessionManager

Manages user sessions and authentication context.

```python
from app.utils.user_utils import UserSessionManager

# Initialize session manager
session_manager = UserSessionManager(clerk_manager)

# Create session from token
session = await session_manager.create_user_session("clerk_token")

# Create complete authentication context
auth_context = await session_manager.create_authentication_context("clerk_token")

# Validate session
is_valid = await session_manager.validate_session(session)
```

### UserPermissionChecker

Handles permission validation and access control.

```python
from app.utils.user_utils import UserPermissionChecker

# Initialize permission checker
permission_checker = UserPermissionChecker(clerk_manager)

# Check user permissions
permissions = await permission_checker.check_user_permissions("user_123")

# Validate specific permission
permissions = await permission_checker.check_user_permissions("user_123", "generate_videos")

# Validate resource access
has_access = await permission_checker.validate_user_access("user_123", "job", "job_456")
```

## Utility Functions

### Quick Access Functions

```python
from app.utils.user_utils import (
    extract_user_from_token,
    create_auth_context,
    validate_user_permission
)

# Extract user from token
user = await extract_user_from_token("clerk_token")

# Create authentication context
context = await create_auth_context("clerk_token")

# Validate permission
has_permission = await validate_user_permission("user_123", "admin_access")
```

### Session Caching

```python
from app.utils.user_utils import get_session_cache

# Get session cache
cache = get_session_cache()

# Cache authentication context
cache.set("session_id", auth_context)

# Retrieve cached context
cached_context = cache.get("session_id")

# Clear expired sessions
cache.clear_expired()
```

## FastAPI Integration

The utilities integrate seamlessly with FastAPI dependency injection:

```python
from fastapi import APIRouter, Depends
from app.utils.auth_integration_example import (
    get_current_user,
    get_verified_user,
    get_admin_user,
    require_permission,
    check_rate_limits
)

router = APIRouter()

@router.get("/profile")
async def get_profile(
    current_user: AuthenticationContext = Depends(get_current_user)
):
    """Get user profile - requires authentication."""
    return {"user": current_user.user}

@router.post("/videos/generate")
async def generate_video(
    request: VideoGenerationRequest,
    current_user: AuthenticationContext = Depends(get_verified_user),
    _rate_check: AuthenticationContext = Depends(check_rate_limits)
):
    """Generate video - requires verified user and rate limit check."""
    # Implementation here
    pass

@router.get("/admin/metrics")
async def get_metrics(
    current_user: AuthenticationContext = Depends(get_admin_user)
):
    """Get system metrics - admin only."""
    # Implementation here
    pass

@router.delete("/jobs/{job_id}")
async def delete_job(
    job_id: str,
    current_user: AuthenticationContext = Depends(require_permission("delete_jobs"))
):
    """Delete job - requires specific permission."""
    # Implementation here
    pass
```

## Error Handling

The utilities provide consistent error handling:

```python
from app.core.auth import ClerkAuthError
from fastapi import HTTPException, status

try:
    auth_context = await create_auth_context(token)
except ClerkAuthError as e:
    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail=str(e)
    )
```

## Requirements Compliance

This implementation satisfies the following requirements:

- **Requirement 6.1**: Returns 401 unauthorized for invalid/missing tokens
- **Requirement 6.2**: Returns 401 unauthorized for expired tokens  
- **Requirement 6.3**: Extracts user information from valid tokens
- **Requirement 6.4**: Retrieves user information from Clerk's system
- **Requirement 8.1**: Returns appropriate HTTP status codes with consistent error format

## Usage Examples

### Basic Authentication

```python
# In your FastAPI endpoint
@router.get("/protected")
async def protected_endpoint(
    current_user: AuthenticationContext = Depends(get_current_user)
):
    return {
        "message": f"Hello {current_user.user.full_name}",
        "user_id": current_user.user_id,
        "permissions": current_user.permissions.dict()
    }
```

### Permission-Based Access

```python
# Require specific permission
@router.post("/admin/action")
async def admin_action(
    current_user: AuthenticationContext = Depends(require_permission("admin_access"))
):
    return {"message": "Admin action performed"}
```

### Rate Limiting

```python
# Check rate limits before processing
@router.post("/expensive-operation")
async def expensive_operation(
    current_user: AuthenticationContext = Depends(check_rate_limits)
):
    # Rate limits are automatically checked
    return {"message": "Operation completed"}
```

## Testing

The utilities include comprehensive test coverage:

```bash
# Run tests
python -m pytest tests/test_user_utils.py -v
```

## Configuration

The utilities use the existing Clerk configuration from `app.core.config`:

```python
# Required environment variables
CLERK_SECRET_KEY=your_clerk_secret_key
CLERK_JWT_VERIFICATION=true  # Set to false for development only
ENVIRONMENT=development  # or production
```

## Security Considerations

1. **Token Validation**: All tokens are validated with Clerk before processing
2. **Session Caching**: Sessions are cached with appropriate TTL
3. **Permission Checking**: Granular permission validation
4. **Rate Limiting**: Built-in rate limiting support
5. **Error Handling**: Secure error messages that don't expose sensitive data

## Future Enhancements

1. **Redis Integration**: Replace in-memory cache with Redis
2. **Advanced Permissions**: Role-based access control (RBAC)
3. **Audit Logging**: Track user actions and permissions
4. **Token Refresh**: Automatic token refresh handling
5. **Multi-tenant Support**: Organization-based access control