"""Backend runtime settings — env-only (no wizard / no config volume).

OIDC issuer/client_id/etc. live in the `oidc_settings` DB table set
via `hf-cli config oidc ...`. The OIDC_ONLY flag remains env-driven
because it's a deploy-time policy, not a per-tenant runtime config.
"""
from sqlalchemy import create_engine
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker
from pydantic_settings import BaseSettings


class Settings(BaseSettings):
    DATABASE_URL: str = "mysql+pymysql://harborforge:harborforge_pass@mysql:3306/harborforge"
    SECRET_KEY: str = "change-me-in-production"
    LOG_LEVEL: str = "INFO"
    ALGORITHM: str = "HS256"
    ACCESS_TOKEN_EXPIRE_MINUTES: int = 30

    # When true: no password login at all. Password login endpoint rejects,
    # user creation ignores any password (passwordless users that only sign
    # in via a bound OIDC identity / API keys), frontend hides password UI.
    HARBORFORGE_OIDC_ONLY: bool = False

    # Mark the OIDC state/session cookie Secure (HTTPS-only). Defaults to True
    # for production; set SESSION_COOKIE_SECURE=false for plain-HTTP local dev.
    SESSION_COOKIE_SECURE: bool = True

    # External OIDC provider ("Tessera", Keycloak-compatible) whose RS256
    # access tokens are accepted as API bearer tokens (additive to local
    # HS256 JWT + API keys). Tokens are verified against the issuer's JWKS;
    # `iss` must equal TESSERA_ISSUER and `aud` must contain TESSERA_AUDIENCE.
    TESSERA_ISSUER: str = "https://login.hangman-lab.top/realms/Hangman-Lab"
    TESSERA_AUDIENCE: str = "harbor-forge"

    class Config:
        env_file = ".env"


settings = Settings()

# Fail fast on a weak/default JWT signing key (prevents token forgery).
_WEAK_SECRETS = {
    "change-me-in-production",
    "change_me_in_production",
    "change-me-use-openssl-rand-hex-32",
    "secret",
    "changeme",
    "",
}
if settings.SECRET_KEY in _WEAK_SECRETS or len(settings.SECRET_KEY) < 32:
    raise RuntimeError(
        "Insecure SECRET_KEY: set a strong random value "
        "(e.g. `openssl rand -hex 32`) via the SECRET_KEY env var. "
        "Refusing to start with a default/short key."
    )

engine = create_engine(settings.DATABASE_URL, pool_pre_ping=True)
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()


def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()