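"""Signed download tokens, honeypot check and HTTP Basic admin guard."""

import secrets

from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from itsdangerous import URLSafeTimedSerializer

from app.config import get_settings

# Security scheme that extracts HTTP Basic credentials from the request.
_basic = HTTPBasic()


def _serializer() -> URLSafeTimedSerializer:
    """Build the timed serializer used for download tokens.

    The serializer is keyed with the application's ``secret_key``. The
    ``"download"`` salt namespaces the signature, so a value signed with the
    same key under a different salt does not validate here.
    """
    return URLSafeTimedSerializer(get_settings().secret_key, salt="download")


def create_download_token(email: str, nombre: str) -> str:
    """Return a signed, timestamped token carrying ``email`` and ``nombre``.

    The payload is signed, not encrypted: anyone holding the token can decode
    and read both values. Put nothing in it that must stay confidential.
    """
    return _serializer().dumps({"email": email, "nombre": nombre})


def verify_download_token(token: str) -> dict:
    """Validate ``token`` and return its decoded payload.

    Raises:
        itsdangerous.SignatureExpired: the token is older than the configured
            expiry.
        itsdangerous.BadSignature: the token was tampered with or was not
            produced with this key and salt (``SignatureExpired`` is a
            subclass, so catching ``BadSignature`` covers both).

    Callers are expected to catch these and answer with a client error.
    """
    settings = get_settings()
    # Clamp to at least one second so a zero or negative configured expiry
    # never yields a non-positive max_age.
    max_age_seconds = max(1, settings.token_expiry_hours * 3600)
    return _serializer().loads(token, max_age=max_age_seconds)


def is_honeypot_filled(value: str | None) -> bool:
    """Return True when the honeypot field holds any non-empty value.

    ``None`` and ``""`` count as untouched; any other string, including
    whitespace only, counts as filled.
    """
    return bool(value)


def require_admin(credentials: HTTPBasicCredentials = Depends(_basic)) -> str:
    """FastAPI dependency that admits only the configured admin account.

    Returns:
        The authenticated username.

    Raises:
        HTTPException: 401 with a ``WWW-Authenticate: Basic`` challenge when
            either the username or the password does not match. The response
            is the same in both cases, so it does not reveal which one failed.
    """
    settings = get_settings()
    # compare_digest() raises TypeError when given str arguments that contain
    # non-ASCII characters, which would turn a bad login into a 500. Comparing
    # UTF-8 bytes accepts any input and keeps the constant-time comparison.
    # NOTE(review): if admin_user / admin_pass can be empty in configuration,
    # empty credentials would match -- confirm the settings validation.
    supplied_user = credentials.username.encode("utf-8")
    supplied_pass = credentials.password.encode("utf-8")
    expected_user = settings.admin_user.encode("utf-8")
    expected_pass = settings.admin_pass.encode("utf-8")
    # Both comparisons always run before the results are combined, so the
    # check does not short-circuit on a wrong username.
    user_ok = secrets.compare_digest(supplied_user, expected_user)
    pass_ok = secrets.compare_digest(supplied_pass, expected_pass)
    if not (user_ok and pass_ok):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    return credentials.username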