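"""User API routes.

Provides the API endpoints for querying and updating user information.

Requirements: 9.1, 10.1, 10.2, 10.3, 10.4
"""
import logging

from fastapi import APIRouter, Depends, HTTPException, Request
from sqlalchemy.orm import Session

from app.database import get_db
from app.middleware import get_current_user_from_request
from app.models.user import User
from app.schemas.user_schema import UserUpdate, UserResponse
from app.services.user_service import UserService
from app.services.token_revocation_service import token_revocation_service
from app.services.data_encryption_service import encryption_service
from app.services.encryption_service import encryption_service as rsa_encryption_service

logger = logging.getLogger(__name__)

router = APIRouter(prefix="/api/users", tags=["用户"])


def _masked_user_response(user: User) -> UserResponse:
    """Build a ``UserResponse`` for *user* with email and phone masked.

    Both endpoints that return the caller's own profile apply the same
    masking, so it lives here instead of being duplicated per route.
    Only non-empty values are handed to ``mask_sensitive_data``; empty or
    ``None`` fields are returned untouched.
    """
    response_data = UserResponse.model_validate(user)
    if response_data.email:
        response_data.email = encryption_service.mask_sensitive_data(response_data.email)
    if response_data.phone:
        response_data.phone = encryption_service.mask_sensitive_data(response_data.phone)
    return response_data


@router.get("/me", response_model=UserResponse)
def get_current_user_info(
    request: Request,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user_from_request),
):
    """Return the current user's profile with sensitive fields masked.

    ``request`` and ``db`` are kept in the signature for FastAPI dependency
    resolution even though this handler does not read them directly.
    """
    return _masked_user_response(current_user)


@router.put("/me", response_model=UserResponse)
def update_current_user(
    data: UserUpdate,
    request: Request,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user_from_request),
):
    """Update the current user's profile and return the masked result.

    Args:
        data: validated update payload (``UserUpdate``).
        request: incoming request (dependency placeholder, unused here).
        db: database session supplied by ``get_db``.
        current_user: the authenticated user resolved by the middleware.
    """
    user_service = UserService(db)
    user = user_service.update_user(current_user.id, data)
    # Mask sensitive fields before the updated record leaves the API.
    return _masked_user_response(user)


@router.delete("/me")
def delete_current_user(
    request: Request,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user_from_request),
):
    """Delete the current user (account cancellation request).

    The account row is removed from the ``users`` table after every
    session/token issued to the user has been revoked.
    """
    user_service = UserService(db)
    # Revoke all sessions/tokens issued to this user before the row goes away.
    # Revocation stays best-effort so a revocation outage does not block the
    # deletion, but the failure is logged rather than swallowed: whether a
    # leftover session is still accepted once the account is gone depends on
    # the auth middleware (not visible here), so operators need to see it.
    try:
        token_revocation_service.revoke_user_sessions(current_user.id)
    except Exception:
        logger.exception(
            "Failed to revoke sessions for user %s before account deletion",
            current_user.id,
        )
    user_service.delete_user(current_user.id)
    return {"message": "账户已申请注销并已移除"}


@router.post("/me/verify", response_model=UserResponse)
def submit_user_verification(
    data: dict,
    request: Request,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user_from_request),
):
    """Submit real-name verification (receives RSA-encrypted data).

    The body is an untyped dict, so the single field this route reads is
    checked here: ``encrypted_data`` must be present and a non-empty
    string. The ciphertext is passed through unchanged to
    ``UserService.submit_verification``.

    Raises:
        HTTPException: 400 when ``encrypted_data`` is missing, ``None``,
            not a string, or empty.
    """
    encrypted = data.get("encrypted_data")
    if encrypted is None:
        raise HTTPException(status_code=400, detail="缺少加密数据")
    if not isinstance(encrypted, str) or not encrypted:
        raise HTTPException(status_code=400, detail="加密数据格式无效")
    user_service = UserService(db)
    user = user_service.submit_verification(current_user.id, encrypted)
    return UserResponse.model_validate(user)


@router.get("/config/public")
def get_public_config(db: Session = Depends(get_db)):
    """Return public configuration (no authentication required).

    Only the ``enable_verification_reminder`` flag is exposed; it defaults
    to ``True`` when the key is unset.
    """
    # Local import kept; presumably avoids a module import cycle — TODO confirm.
    from app.services.system_config_manager import config_manager

    return {
        "enable_verification_reminder": config_manager.get_bool(
            "enable_verification_reminder", True
        )
    }


@router.get("/rsa-public-key")
def get_rsa_public_key():
    """Return the RSA public key in PEM form (used by the front end to encrypt)."""
    return {"public_key": rsa_encryption_service.get_public_key_pem()}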