"""Auth dependency'leri — get_current_tenant, get_token_jti."""
from fastapi import Depends
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

from app.auth.jwt import decode_access_token
from app.models.tenant import Tenant
from app.repositories.tenant_repo import TenantRepository
from app.utils.exceptions import UnauthorizedError

_bearer = HTTPBearer(auto_error=False)


async def _get_payload(
    cred: HTTPAuthorizationCredentials | None = Depends(_bearer),
) -> dict:
    if cred is None or not cred.credentials:
        raise UnauthorizedError("Kimlik doğrulaması gerekli.")
    return decode_access_token(cred.credentials)


async def get_token_jti(payload: dict = Depends(_get_payload)) -> str:
    jti = payload.get("jti")
    if not jti:
        raise UnauthorizedError("Geçersiz token.")
    return jti


async def get_current_tenant(
    payload: dict = Depends(_get_payload),
    repo: TenantRepository = Depends(),
) -> Tenant:
    tenant_id = payload.get("sub")
    jti = payload.get("jti")
    if not tenant_id or not jti:
        raise UnauthorizedError("Geçersiz token.")

    session = await repo.get_session_by_jti(jti)
    if session is None or session.revoked_at is not None:
        raise UnauthorizedError("Oturum sonlandırılmış.")

    tenant = await repo.get_by_id(tenant_id)
    if tenant is None:
        raise UnauthorizedError("Hesap bulunamadı.")
    if not tenant.is_active:
        raise UnauthorizedError("Hesabınız pasif durumda.")

    return tenant