# flask_server/shared/utils.py

import jwt
from flask import g
import requests
from flask import request
from typing import Optional, Dict
from datetime import datetime

# 🔐 Decodifica el token sin verificar la firma, solo para extraer datos
def validate_jwt_token(token: str) -> dict | None:
    try:
        # 🔑 Clave secreta por cliente
        secret_key = g.cliente_config.get("secret_key", "insecure_default")
        decoded = jwt.decode(token, secret_key, algorithms=["HS256"])

        # 📆 Validación de expiración
        now = datetime.utcnow()
        exp = datetime.utcfromtimestamp(decoded.get("exp", 0))
        if exp < now:
            print("❌ Token expirado.")
            return None

        # 🌐 Validar dominio desde múltiples formas
        expected_slug = g.cliente_id
        expected_frontend = g.cliente_config.get("frontend_domain", "")
        expected_domain_variants = [
            expected_slug,
            expected_frontend,
            expected_frontend.replace("https://", ""),
            expected_frontend.replace("https://", "").replace("www.", "")
        ]

        if decoded.get("domain") not in expected_domain_variants:
            print(f"❌ Dominio del JWT no coincide. Esperado uno de {expected_domain_variants}, recibido: {decoded.get('domain')}")
            return None

        # 🔁 Validar subdominio Flask
        expected_flask = g.cliente_config.get("flask_subdomain")
        if decoded.get("flask_subdomain") != expected_flask:
            print("❌ Subdominio no coincide.")
            return None

        # 🎫 Validar clave de licencia
        expected_license = g.cliente_config.get("licencia")
        if decoded.get("license_key") != expected_license:
            print("❌ Licencia no coincide.")
            return None

        return decoded

    except jwt.ExpiredSignatureError:
        print("❌ Token expirado.")
    except jwt.InvalidTokenError as e:
        print(f"❌ Token inválido: {e}")
    return None


# 🧠 Extrae automáticamente el JWT del header Authorization y devuelve el usuario
def verify_request_token() -> Optional[Dict]:
    auth_header = request.headers.get("Authorization")
    if not auth_header:
        print("⚠️ Header Authorization no enviado")
        return None
    if not auth_header.startswith("Bearer "):
        print(f"⚠️ Header Authorization mal formado: {auth_header}")
        return None

    token = auth_header.split(" ")[1]
    print("🔐 Token recibido:", token)
    return validate_jwt_token(token)


# 🌐 Obtiene el contexto del usuario logueado desde WP usando /provider
def get_wp_user_context(token: str) -> Dict:
    try:
        decoded = validate_jwt_token(token)
        client_slug = decoded.get("data", {}).get("client")
        app_name = decoded.get("data", {}).get("app")

        if not client_slug or not app_name:
            print("❌ Token sin cliente o app")
            return {}

        url = f"https://{client_slug}.com.au/wp-json/wpflask/v1/provider?app={app_name}"
        headers = { "Authorization": f"Bearer {token}" }
        response = requests.get(url, headers=headers)

        if response.status_code == 200:
            print("✅ Contexto de usuario recibido desde WP:", response.json())
            return response.json()
        else:
            print("❌ Error al obtener contexto de WP:", response.text)
            return {}

    except Exception as e:
        print("❌ Error al conectar con WordPress:", str(e))
        return {}