from flask import Blueprint, render_template, request, redirect, url_for, session, current_app, jsonify
from functools import wraps
from loguru import logger

# 创建认证蓝图
auth_bp = Blueprint('auth', __name__)


# 登录检查装饰器
def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if not session.get('logged_in'):
            return redirect(url_for('auth.login'))
        return f(*args, **kwargs)

    return decorated_function


# 登录页面
@auth_bp.route('/login', methods=['GET', 'POST'])
def login():
    error = None
    if request.method == 'POST':
        # 使用 strip 规避用户误输入首尾空格导致的误判。
        username = str(request.form.get('username', '') or '').strip()
        password = str(request.form.get('password', '') or '')

        # 从应用上下文获取服务器实例，而不是从蓝图对象
        server = current_app.dashboard_server
        admin_db = getattr(server, "admin_account_db", None)

        # 优先使用数据库账号体系鉴权；若不可用则回退旧配置模式，保证兼容存量部署。
        login_ok = False
        if admin_db:
            try:
                login_ok = admin_db.verify_admin_password(username, password)
                if login_ok:
                    admin_db.mark_login_success(username, request.remote_addr or "")
            except Exception as e:
                logger.error(f"数据库账号登录校验异常，回退配置模式: {e}")
                login_ok = False

        if not login_ok:
            login_ok = (username == server.username and password == server.password)

        if login_ok:
            session['logged_in'] = True
            session['username'] = username  # 存储用户名到session
            logger.debug(f"Login successful. Session after login: {dict(session)}")
            return redirect(url_for('main.index'))
        else:
            error = '用户名或密码错误'

    return render_template('login.html', error=error)


# 登出
@auth_bp.route('/logout')
def logout():
    session.pop('logged_in', None)
    session.pop('username', None)  # 同时删除username
    return redirect(url_for('auth.login'))


@auth_bp.route('/api/auth/change_password', methods=['POST'])
@login_required
def change_password():
    """修改当前登录管理员密码。

    前端请求参数：
    {
      "old_password": "旧密码",
      "new_password": "新密码",
      "confirm_password": "确认新密码"
    }
    """
    server = current_app.dashboard_server
    admin_db = getattr(server, "admin_account_db", None)
    if not admin_db:
        return jsonify({"success": False, "error": "账号数据库未初始化，无法修改密码"}), 500

    payload = request.get_json(silent=True) or {}
    old_password = str(payload.get("old_password", "") or "")
    new_password = str(payload.get("new_password", "") or "")
    confirm_password = str(payload.get("confirm_password", "") or "")
    username = str(session.get("username", "") or "").strip()

    if not username:
        return jsonify({"success": False, "error": "会话失效，请重新登录"}), 401

    if not old_password or not new_password or not confirm_password:
        return jsonify({"success": False, "error": "请完整填写旧密码与新密码"}), 400

    if new_password != confirm_password:
        return jsonify({"success": False, "error": "两次输入的新密码不一致"}), 400

    # 密码长度做基础约束，避免过弱口令。
    if len(new_password) < 6:
        return jsonify({"success": False, "error": "新密码长度不能少于6位"}), 400

    if new_password == old_password:
        return jsonify({"success": False, "error": "新密码不能与旧密码相同"}), 400

    try:
        if not admin_db.verify_admin_password(username, old_password):
            return jsonify({"success": False, "error": "旧密码错误"}), 400

        updated = admin_db.update_password(username, new_password)
        if not updated:
            return jsonify({"success": False, "error": "密码更新失败，请稍后重试"}), 500

        return jsonify({"success": True, "message": "密码修改成功"})
    except Exception as e:
        logger.error(f"修改后台密码失败: username={username}, error={e}")
        return jsonify({"success": False, "error": "密码修改失败，请检查日志"}), 500