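#api/auth.py
"""Keycloak (OpenID Connect) login, callback, logout and current-user routes."""
import logging

from flask import Blueprint, session, redirect, url_for, jsonify
from authlib.integrations.flask_client import OAuth

import env_provider

logger = logging.getLogger(__name__)

# Realm base URL. The discovery document and the end-session endpoint are both
# derived from it so the two cannot drift apart.
KEYCLOAK_REALM_URL = "https://login.hangman-lab.top/auth/realms/Hangman-Lab"

auth_bp = Blueprint('auth', __name__, url_prefix='/api')
oauth = OAuth()
keycloak = oauth.register(
    'keycloak',
    client_id=env_provider.CLIENT_ID,
    client_secret=env_provider.CLIENT_SECRET,
    server_metadata_url=KEYCLOAK_REALM_URL + "/.well-known/openid-configuration",
    client_kwargs={"scope": "openid email profile"},
)


@auth_bp.route('/login', methods=['GET'])
def login():
    """Start the authorization-code flow by redirecting the browser to Keycloak.

    The callback URL is built with ``_external=True``, so it is derived from the
    request's scheme and host.
    """
    # NOTE(review): behind a reverse proxy the scheme/host come from forwarded
    # headers; confirm the proxy setup so the redirect URI matches the one
    # registered for this client.
    redirect_uri = url_for("auth.authorize", _external=True)
    return keycloak.authorize_redirect(redirect_uri)


@auth_bp.route('/authorize', methods=['GET'])
def authorize():
    """Handle the OIDC callback: exchange the code and store the user's claims.

    Returns:
        JSON with the user's claims on success, or a generic error with HTTP 401
        when the exchange or ID-token validation fails or yields no claims.
    """
    try:
        token = keycloak.authorize_access_token()
        # Authlib 1.x attaches the validated ID-token claims as
        # token["userinfo"] and its parse_id_token() needs an explicit nonce;
        # older releases only offer parse_id_token(token). Prefer the former and
        # fall back to the latter -- confirm against the pinned Authlib version.
        user_info = token.get("userinfo") or keycloak.parse_id_token(token)
    except Exception:
        # Keep the client-facing message generic, but record the failure so
        # state mismatches and token-validation errors are visible to operators.
        logger.warning("OIDC authorization failed", exc_info=True)
        return jsonify({"error": "Authorization failed"}), 401

    if not user_info:
        # A token response without ID-token claims must not count as a login.
        logger.warning("OIDC authorization returned no ID token claims")
        return jsonify({"error": "Authorization failed"}), 401

    # NOTE(review): Flask's default session is a signed but unencrypted cookie,
    # so every claim stored here is readable by the browser and counts against
    # the cookie size limit -- confirm whether a server-side session is in use.
    session['user'] = user_info
    return jsonify({"message": "login successful", "user": user_info})


@auth_bp.route('/logout', methods=['GET'])
def logout():
    """Drop the local user from the session and redirect to Keycloak's logout."""
    # NOTE(review): this is a state-changing GET, so a cross-site request can
    # log a user out; consider POST with CSRF protection.
    session.pop('user', None)
    # NOTE(review): no id_token_hint / post-logout redirect is sent; depending
    # on the Keycloak version the user may see a confirmation page and will not
    # be returned to this application -- confirm the intended flow.
    logout_url = KEYCLOAK_REALM_URL + "/protocol/openid-connect/logout"
    return redirect(logout_url)


@auth_bp.route("/user", methods=["GET"])
def user():
    """Return the session's stored claims, or a guest placeholder if not logged in."""
    u = session.get('user')
    if not u:
        return jsonify({"username": "guest", "role": "guest"})
    return jsonify(u)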