"""Authentication Pydantic models.

Request, response, and domain models used by the auth router and service.
"""

from pydantic import Field

from app.models.response import BanGuiBaseModel


class LoginRequest(BanGuiBaseModel):
    """Payload for ``POST /api/auth/login``."""

    password: str = Field(
        ...,
        max_length=72,
        description="Master password to authenticate with (max 72 bytes due to bcrypt truncation).",
    )

class LoginResponse(BanGuiBaseModel):
    """Successful login response.

    The session token is set as an ``HttpOnly`` ``SameSite=Lax`` cookie by the
    router, protecting it from JavaScript access. The JSON body contains only
    the expiry timestamp, allowing the frontend to know when to prompt for
    re-authentication.

    For programmatic API clients that require a token in the response body,
    use ``POST /api/auth/token`` instead, which does not set a cookie.
    """

    expires_at: str = Field(..., description="ISO 8601 UTC expiry timestamp.")

class LogoutResponse(BanGuiBaseModel):
    """Response body for ``POST /api/auth/logout``."""

    message: str = Field(default="Logged out successfully.")

class SessionValidResponse(BanGuiBaseModel):
    """Response for ``GET /api/auth/session`` confirming session validity."""

    valid: bool = Field(default=True, description="Whether the session is valid and active.")


class Session(BanGuiBaseModel):
    """Internal domain model representing a persisted session record."""

    id: int = Field(..., description="Auto-incremented row ID.")
    token: str = Field(..., description="Opaque session token.")
    created_at: str = Field(..., description="ISO 8601 UTC creation timestamp.")
    expires_at: str = Field(..., description="ISO 8601 UTC expiry timestamp.")