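"""Admin authentication API routes.

Exposes the HTTP endpoints for administrator login and for reading the
currently authenticated administrator.

Requirements: 1.1, 1.2, 1.3
"""
from fastapi import APIRouter, Depends, HTTPException, status, Request
from sqlalchemy.orm import Session
from app.database import get_db
from app.schemas.admin_schema import AdminLoginRequest, AdminLoginResponse, AdminInfo
from app.services.admin_auth_service import AdminAuthService
from app.dependencies.admin_auth import get_current_admin
from app.models.admin import AdminUser

router = APIRouter(prefix="/api/admin/auth", tags=["管理员认证"])

# Error-code -> client-facing message. admin_login() looks up the text of the
# ValueError raised by AdminAuthService.login() in this table.
# NOTE(review): ACCOUNT_LOCKED and ACCOUNT_DISABLED describe account state. If
# the service can raise them before the password has been verified, the
# distinct responses confirm to an unauthenticated caller that the username
# exists. Confirm against AdminAuthService.
ERROR_MESSAGES = {
    "AUTH_FAILED": "用户名或密码错误",
    "ACCOUNT_LOCKED": "账户已被锁定,请30分钟后重试",
    "ACCOUNT_DISABLED": "账户已被禁用"
}


@router.post("/login", response_model=AdminLoginResponse)
def admin_login(
    data: AdminLoginRequest,
    request: Request,
    db: Session = Depends(get_db)
):
    """Authenticate an administrator and return the service's login response.

    Args:
        data: Login payload; its ``username`` and ``password`` are passed to
            the auth service.
        request: Incoming request, used only to read the peer address.
        db: Database session injected by ``get_db``.

    Returns:
        Whatever ``AdminAuthService.login`` returns, serialised through
        ``AdminLoginResponse``.

    Raises:
        HTTPException: 403 when the service reports ``ACCOUNT_LOCKED``; 401
            with a ``WWW-Authenticate: Bearer`` header for every other
            ``ValueError`` raised by the service.
    """
    auth_service = AdminAuthService(db)

    # request.client may be None, hence the "unknown" fallback.
    # NOTE(review): behind a reverse proxy or load balancer this is the proxy's
    # address, not the end user's. Whatever the service does with the IP
    # (not visible here) would then be keyed on the proxy. Confirm deployment.
    client_ip = request.client.host if request.client else "unknown"

    try:
        return auth_service.login(data.username, data.password, client_ip)
    except ValueError as exc:
        error_code = str(exc)
        if error_code in ERROR_MESSAGES:
            message = ERROR_MESSAGES[error_code]
        else:
            # A ValueError whose text is not a known code may carry internal
            # detail; do not reflect it to the client. Collapse it to the
            # generic failure code and keep the generic fallback message.
            error_code = "AUTH_FAILED"
            message = "认证失败"

        detail = {"code": error_code, "message": message}
        if error_code == "ACCOUNT_LOCKED":
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=detail
            ) from exc
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=detail,
            headers={"WWW-Authenticate": "Bearer"}
        ) from exc


@router.get("/me", response_model=AdminInfo)
def get_current_admin_info(
    current_admin: AdminUser = Depends(get_current_admin)
):
    """Return the profile of the currently authenticated administrator.

    Args:
        current_admin: Admin record resolved by the ``get_current_admin``
            dependency.

    Returns:
        An ``AdminInfo`` validated from ``current_admin``.
    """
    # Validating into AdminInfo means only that schema's fields reach the
    # response, not every column of the AdminUser model.
    return AdminInfo.model_validate(current_admin)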