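"""Authentication Pydantic models.

Request, response, and domain models used by the auth router and service.
"""

from pydantic import BaseModel, ConfigDict, Field, field_validator

# bcrypt only hashes the first 72 bytes of its input; anything beyond that is
# either silently dropped or rejected, depending on the bcrypt implementation.
# The bound is in BYTES of the UTF-8 encoding, not in characters.
BCRYPT_MAX_PASSWORD_BYTES = 72


class LoginRequest(BaseModel):
    """Payload for ``POST /api/auth/login``."""

    model_config = ConfigDict(strict=True)

    # ``max_length`` counts code points, so it is only a cheap first bound;
    # the byte-length check below enforces the bcrypt limit for non-ASCII input.
    password: str = Field(
        ...,
        max_length=BCRYPT_MAX_PASSWORD_BYTES,
        description=(
            "Master password to authenticate with (max 72 bytes of UTF-8 due "
            "to bcrypt truncation)."
        ),
    )

    @field_validator("password")
    @classmethod
    def _password_fits_bcrypt(cls, value: str) -> str:
        """Reject passwords whose UTF-8 encoding exceeds the bcrypt input limit.

        A 72-character password made of multi-byte characters passes
        ``max_length`` but encodes to more than 72 bytes, so bcrypt would not
        hash the tail; rejecting it up front keeps validation consistent with
        what the hash actually covers.

        Raises:
            ValueError: if the encoded password is longer than
                ``BCRYPT_MAX_PASSWORD_BYTES``; Pydantic reports it as a
                ``ValidationError``.
        """
        encoded_len = len(value.encode("utf-8"))
        if encoded_len > BCRYPT_MAX_PASSWORD_BYTES:
            raise ValueError(
                f"password must be at most {BCRYPT_MAX_PASSWORD_BYTES} bytes "
                f"when UTF-8 encoded (got {encoded_len})"
            )
        return value


class LoginResponse(BaseModel):
    """Successful login response.

    The session token is set as an ``HttpOnly`` ``SameSite=Lax`` cookie by the
    router, protecting it from JavaScript access. The JSON body contains only
    the expiry timestamp, allowing the frontend to know when to prompt for
    re-authentication.

    For programmatic API clients that require a token in the response body,
    use ``POST /api/auth/token`` instead, which does not set a cookie.
    """

    model_config = ConfigDict(strict=True)

    # Kept as a string rather than ``datetime``; this model does not parse or
    # validate the timestamp format.
    expires_at: str = Field(..., description="ISO 8601 UTC expiry timestamp.")


class LogoutResponse(BaseModel):
    """Response body for ``POST /api/auth/logout``."""

    model_config = ConfigDict(strict=True)

    message: str = Field(default="Logged out successfully.")


class Session(BaseModel):
    """Internal domain model representing a persisted session record.

    Holds the opaque session token alongside its lifetime bounds; it is not a
    wire model, so callers should take care not to expose ``token`` in
    responses.
    """

    model_config = ConfigDict(strict=True)

    id: int = Field(..., description="Auto-incremented row ID.")
    token: str = Field(..., description="Opaque session token.")
    created_at: str = Field(..., description="ISO 8601 UTC creation timestamp.")
    expires_at: str = Field(..., description="ISO 8601 UTC expiry timestamp.")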