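import os
import secrets
from datetime import datetime, timedelta, timezone

import jwt

# NOTE(review): `log`, `HTTPAuthorizationCredentials`, `Depends`, `security`
# and `HTTPException` are used below but not imported in this listing; they
# are presumably provided elsewhere in the module - confirm.

# ===================== JWT Config =====================

# Signing key used only when JWT_SECRET is not configured. It is generated
# once per process so that a missing secret never degrades to a constant
# embedded in the source, which anyone who can read the code could use to
# mint valid admin tokens. Consequences of running on this fallback: tokens
# stop validating after a restart, and separate worker processes will not
# accept each other's tokens. Set JWT_SECRET for any real deployment.
_EPHEMERAL_JWT_SECRET = secrets.token_urlsafe(64)


def get_jwt_config():
    """Return the JWT settings as a dict with keys secret/algorithm/expiration_hours.

    When the SPACE_ID environment variable is set, the secret is read straight
    from the environment; otherwise a .env file is loaded first (python-dotenv)
    and then the environment is read. JWT_ALGORITHM defaults to "HS256" and
    JWT_EXPIRATION_HOURS to 24.

    If JWT_SECRET is missing or empty, a warning is logged and a random
    per-process key is used instead of a hard-coded default.

    Raises:
        ValueError: if JWT_EXPIRATION_HOURS is not an integer string.
    """
    if not os.getenv("SPACE_ID"):
        # On-premise mode - populate the environment from a .env file first.
        from dotenv import load_dotenv
        load_dotenv()

    jwt_secret = os.getenv("JWT_SECRET")
    if not jwt_secret:
        # Never log the key itself, only the fact that the fallback is active.
        log("⚠️ WARNING: JWT_SECRET not set, using a random per-process secret "
            "(tokens will not survive a restart)")
        jwt_secret = _EPHEMERAL_JWT_SECRET

    return {
        "secret": jwt_secret,
        "algorithm": os.getenv("JWT_ALGORITHM", "HS256"),
        "expiration_hours": int(os.getenv("JWT_EXPIRATION_HOURS", "24")),
    }


# ===================== Auth Helpers =====================

def create_token(username: str) -> str:
    """Create a signed JWT for *username*.

    The payload carries `sub` (the username), `iat` (issue time, UTC) and
    `exp` (issue time plus the configured number of hours).
    """
    config = get_jwt_config()
    # Take one timestamp so iat and exp are derived from the same instant.
    issued_at = datetime.now(timezone.utc)
    payload = {
        "sub": username,
        "exp": issued_at + timedelta(hours=config["expiration_hours"]),
        "iat": issued_at,
    }
    return jwt.encode(payload, config["secret"], algorithm=config["algorithm"])


def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)) -> str:
    """Verify the bearer token in *credentials* and return its `sub` claim.

    Raises:
        HTTPException: 401 "Token expired" when the token's exp has passed,
            401 "Invalid token" for any other validation failure.
    """
    token = credentials.credentials
    config = get_jwt_config()

    try:
        payload = jwt.decode(
            token,
            config["secret"],
            # Pin the accepted algorithm to the configured one rather than
            # trusting the `alg` header of the presented token.
            algorithms=[config["algorithm"]],
            # Reject tokens that lack an expiry or a subject: without `exp`
            # a token would never expire, and without `sub` the lookup below
            # would surface as a server error instead of a 401.
            options={"require": ["exp", "sub"]},
        )
        return payload["sub"]
    except jwt.ExpiredSignatureError:
        raise HTTPException(status_code=401, detail="Token expired")
    except jwt.InvalidTokenError:
        raise HTTPException(status_code=401, detail="Invalid token")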