"""Widget auth — resolve the widget by api_key and validate the Origin domain. No JWT."""
from urllib.parse import urlparse

from fastapi import Depends, Request

from app.models.chat import ChatWidget
from app.repositories.widget_repo import WidgetRepository
from app.utils.exceptions import NotFoundError, PermissionDeniedError


def _host_of(value: str | None) -> str | None:
    if not value:
        return None
    netloc = urlparse(value).netloc or value
    host = netloc.split(":")[0].lower()
    return host.removeprefix("www.")


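def _domain_allowed(origin: str | None, allowed: list | None) -> bool:
    """Decide whether *origin* belongs to one of the *allowed* domains.

    Both sides are normalised with ``_host_of`` and compared for exact
    equality; there is no wildcard or sub-domain matching.

    Args:
        origin: Origin/Referer value taken from the request, or ``None``.
        allowed: The widget's configured domain entries, or ``None``.

    Returns:
        ``True`` when the allow-list is empty/``None`` or the origin's host
        equals the host of one entry; ``False`` otherwise.
    """
    # An empty/None allow-list permits every domain (setup convenience).
    # NOTE(review): this is fail-open — a widget with no configured domains
    # can be embedded anywhere. Confirm that is the intended default.
    if not allowed:
        return True
    if not origin:
        return False
    host = _host_of(origin)
    # A header with no recoverable host must never satisfy the allow-list,
    # even if a stored entry is blank or malformed and normalises the same way.
    if not host:
        return False
    return any(host == _host_of(entry) for entry in allowed)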


async def get_widget_by_key(
    api_key: str,
    request: Request,
    repo: WidgetRepository = Depends(),
) -> ChatWidget:
    """Resolve a widget from its API key and check the calling domain.

    The caller's domain is read from the ``Origin`` request header, falling
    back to ``Referer`` when ``Origin`` is absent or empty. Both headers are
    supplied by the client: the check limits where a browser may embed the
    widget, but it does not authenticate the caller, because a non-browser
    client chooses its own header values.

    Args:
        api_key: Key identifying the widget.
        request: Incoming request whose headers carry the caller's origin.
        repo: Repository used to look the widget up.

    Returns:
        The widget matching *api_key*.

    Raises:
        NotFoundError: No widget exists for *api_key*.
        PermissionDeniedError: The caller's domain is not allowed for the widget.
    """
    found = await repo.get_by_api_key(api_key)
    if found is None:
        raise NotFoundError("Widget")

    headers = request.headers
    caller = headers.get("origin")
    if not caller:
        # Referer is consulted only when Origin is missing or empty.
        caller = headers.get("referer")

    if _domain_allowed(caller, found.allowed_domains):
        return found
    raise PermissionDeniedError("Bu domain için widget yetkili değil.")
