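#!/usr/bin/env python3
"""Diagnostic script for BanGUI auth/session 401 issue.

Tests the full auth flow against ``BASE_URL`` (default
http://192.168.178.43:8080/api/v1): health, CORS preflight, login, session
validation with and without the cookie, and the setup endpoint. The summary
at the end names the evidence each finding is based on.

The target and the password default to the values below and can be
overridden without editing the file::

    BANGUI_BASE_URL=http://host:port/api/v1 BANGUI_PASSWORD=... python3 check_auth.py

Cookie *values* are redacted in the output so the transcript can be pasted
into a ticket without leaking a live session token; attributes (Secure,
HttpOnly, SameSite, ...) are still shown in full.

Usage:
    python3 check_auth.py
"""

import http.client
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Environment overrides keep the original defaults, so an unmodified
# invocation behaves exactly as before.
BASE_URL = os.environ.get("BANGUI_BASE_URL", "http://192.168.178.43:8080/api/v1")
PASSWORD = os.environ.get("BANGUI_PASSWORD", "Hallo123!")

# Origin a browser would present when the UI is served from the API host.
# Derived from BASE_URL so a host override cannot drift out of sync.
_parts = urllib.parse.urlsplit(BASE_URL)
ORIGIN = f"{_parts.scheme}://{_parts.netloc}"

# A dead or firewalled host must not hang the diagnostic forever.
TIMEOUT_SECONDS = 10.0

# Name of the session cookie this script looks for.
SESSION_COOKIE_NAME = "bangui_session"


def _response_tuple(status, msg, raw_body):
    """Normalise a response or HTTPError into the 4-tuple make_request returns.

    Non-UTF-8 bodies (e.g. an HTML error page from a proxy) are decoded
    with replacement characters instead of aborting the diagnostic.
    """
    body = raw_body.decode("utf-8", errors="replace")
    cookies = msg.get_all("Set-Cookie") or []
    return status, dict(msg), body, cookies


def make_request(url, method="GET", data=None, headers=None, cookie=None, timeout=TIMEOUT_SECONDS):
    """Issue one HTTP request and return ``(status, headers, body, cookies)``.

    Args:
        url: Absolute URL to request.
        method: HTTP method (``GET``, ``POST``, ``OPTIONS``, ...).
        data: Optional JSON-serialisable payload. When not ``None`` it is
            sent as UTF-8 JSON with ``Content-Type: application/json``
            (an empty ``{}`` is sent too, unlike a truthiness check).
        headers: Optional extra request headers. The mapping is copied, so
            the caller's dict is never mutated.
        cookie: Optional ``name=value`` pair sent as the ``Cookie`` header.
        timeout: Socket timeout in seconds.

    Returns:
        ``status`` is the HTTP status code (4xx/5xx included) or ``None``
        when no HTTP response was received at all; ``headers`` is a plain
        dict of response headers; ``body`` is the decoded response body,
        or the error text when ``status`` is ``None``; ``cookies`` is the
        list of raw ``Set-Cookie`` header values.
    """
    req_headers = dict(headers or {})
    payload = None
    if data is not None:
        payload = json.dumps(data).encode("utf-8")
        req_headers["Content-Type"] = "application/json"
    if cookie:
        req_headers["Cookie"] = cookie

    req = urllib.request.Request(url, data=payload, headers=req_headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return _response_tuple(resp.status, resp.headers, resp.read())
    except urllib.error.HTTPError as e:
        # 4xx/5xx responses still carry a useful body and Set-Cookie headers.
        return _response_tuple(e.code, e.headers, e.read())
    except (OSError, http.client.HTTPException, ValueError) as e:
        # Connection refused, timeout (URLError/socket errors are OSError),
        # broken HTTP framing, or an unusable URL: no status is available.
        return None, {}, str(e), []


def find_set_cookie(set_cookie_headers, cookie_name):
    """Return the raw ``Set-Cookie`` header that sets *cookie_name*, or ``None``."""
    prefix = cookie_name + "="
    return next((h for h in set_cookie_headers if h.startswith(prefix)), None)


def extract_cookie_value(set_cookie_headers, cookie_name):
    """Return the ``name=value`` pair for *cookie_name* from Set-Cookie headers.

    The result is the first ``;``-delimited segment of the matching header
    (name and value, attributes stripped), i.e. exactly what goes into a
    ``Cookie`` request header. Returns ``None`` when no header matches.
    """
    header = find_set_cookie(set_cookie_headers, cookie_name)
    if header is None:
        return None
    return header.split(";", 1)[0]


def cookie_attributes(set_cookie_header):
    """Parse the attributes of one ``Set-Cookie`` header into a dict.

    Keys are lower-cased attribute names (``secure``, ``httponly``,
    ``samesite``, ``path``, ...) because attribute names are
    case-insensitive; values are the attribute values as sent, or ``""``
    for flag attributes that carry none. The cookie's own ``name=value``
    segment is not included.
    """
    attrs = {}
    for segment in set_cookie_header.split(";")[1:]:
        name, _, value = segment.strip().partition("=")
        if name:
            attrs[name.lower()] = value.strip()
    return attrs


def redact_set_cookie(header):
    """Mask the cookie value in a ``Set-Cookie`` (or ``name=value``) string.

    Attributes are kept verbatim because they are what the diagnosis needs;
    the value is replaced by its length so a shared transcript does not
    contain a usable session token. Strings without ``=`` are returned
    unchanged.
    """
    first, sep, rest = header.partition(";")
    name, eq, value = first.partition("=")
    if not eq:
        return header
    return f"{name}=<redacted {len(value)} chars>{sep}{rest}"


def _show(status, body, limit=None):
    """Print the status line and the (optionally truncated) body of one step."""
    print(f"  Status: {status}")
    text = body if limit is None else body[:limit]
    print(f"  Response: {text}")


def _diagnose(login_status, session_cookie, session_attrs, session_status, anon_status, allow_origin):
    """Print the summary; every finding is tied to the step that produced it."""
    print("\n" + "=" * 60)
    print("DIAGNOSIS SUMMARY")
    print("=" * 60)

    plain_http = _parts.scheme.lower() == "http"

    # Checked on the session cookie's own attributes, not on str(cookies),
    # so an unrelated cookie or a value containing "Secure" cannot trigger it.
    if session_cookie and "secure" in session_attrs and plain_http:
        print("\n  PROBLEM FOUND: Session cookie has 'Secure' flag set,")
        print("  but you are accessing over HTTP (not HTTPS).")
        print("  Browsers will NOT send Secure cookies over HTTP!")
        # The flag is behaving as designed; clearing it is only appropriate
        # for a deployment that is meant to stay on plain HTTP.
        print("\n  FIX: Serve the UI and API over HTTPS (then the Secure flag works as intended),")
        print("  or, for a plain-HTTP-only deployment, set SESSION_COOKIE_SECURE=false in your")
        print("  backend .env and restart the backend.")

    # Use the login step's status, not whatever the last request returned.
    if login_status == 200 and not session_cookie:
        print("\n  PROBLEM FOUND: Login returned 200 but no bangui_session Set-Cookie header.")
        print("  This script reads the raw response, so the browser is not involved here:")
        print("  the backend itself did not set the cookie. Check its session/cookie settings.")
    elif login_status is None:
        print("\n  PROBLEM FOUND: Login request got no HTTP response (see step [3]).")
    elif login_status != 200:
        print(f"\n  PROBLEM FOUND: Login failed with status {login_status}.")
        print("  Check the password and the response body printed in step [3].")

    if session_cookie and session_status == 401:
        print("\n  PROBLEM FOUND: The session cookie was set but rejected when sent back.")
        print("  This script sends the cookie regardless of Secure/SameSite, so the")
        print("  rejection is likely server-side (session store, signing key or expiry).")

    if anon_status is not None and anon_status != 401:
        print(f"\n  NOTE: /auth/session without a cookie returned {anon_status}, not 401.")

    if allow_origin not in ("*", ORIGIN):
        print(f"\n  NOTE: Access-Control-Allow-Origin is {allow_origin!r} for origin {ORIGIN!r}.")
        print("  Only relevant if the UI is served from a different origin than the API;")
        print("  in that case add the frontend origin to CORS_ALLOWED_ORIGINS in .env")

    print("=" * 60)


def main():
    """Run the six diagnostic requests and print a summary of likely causes."""
    print("=" * 60)
    print("BanGUI Auth Diagnostic Script")
    print("Target:", BASE_URL)
    print("Origin:", ORIGIN)
    print("=" * 60)

    # 1. Health endpoint: is the backend reachable at all? No auth involved.
    print("\n[1] GET /health")
    status, _, body, _ = make_request(f"{BASE_URL}/health")
    _show(status, body, limit=200)

    # 2. CORS preflight for login, as a browser would send it.
    print("\n[2] OPTIONS /auth/login (CORS preflight)")
    status, headers, body, _ = make_request(
        f"{BASE_URL}/auth/login",
        method="OPTIONS",
        headers={
            "Origin": ORIGIN,
            "Access-Control-Request-Method": "POST",
            "Access-Control-Request-Headers": "Content-Type",
        },
    )
    allow_origin = headers.get("Access-Control-Allow-Origin", "MISSING")
    allow_credentials = headers.get("Access-Control-Allow-Credentials", "MISSING")
    print(f"  Status: {status}")
    print(f"  Access-Control-Allow-Origin: {allow_origin}")
    print(f"  Access-Control-Allow-Credentials: {allow_credentials}")

    # 3. Login. The password is deliberately not echoed: this output is the
    # kind of thing that ends up in tickets and chat logs.
    print("\n[3] POST /auth/login")
    login_status, _, body, login_cookies = make_request(
        f"{BASE_URL}/auth/login",
        method="POST",
        data={"password": PASSWORD},
        headers={"Origin": ORIGIN},
    )
    _show(login_status, body)
    print(f"  Set-Cookie headers: {[redact_set_cookie(h) for h in login_cookies]}")

    session_cookie = extract_cookie_value(login_cookies, SESSION_COOKIE_NAME)
    session_header = find_set_cookie(login_cookies, SESSION_COOKIE_NAME)
    session_attrs = cookie_attributes(session_header) if session_header else {}
    if session_cookie:
        print(f"  Extracted session cookie: {redact_set_cookie(session_cookie)}")
        print(f"  Cookie attributes: {session_attrs}")
    else:
        print("  WARNING: No bangui_session cookie received!")

    # 4. Echo the cookie back. urllib sends it regardless of Secure/SameSite,
    # which separates server-side validation from browser cookie policy.
    print("\n[4] GET /auth/session (with cookie)")
    session_status = None
    if session_cookie:
        session_status, _, body, _ = make_request(
            f"{BASE_URL}/auth/session",
            cookie=session_cookie,
            headers={"Origin": ORIGIN},
        )
        _show(session_status, body)
    else:
        print("  SKIPPED (no cookie from login)")

    # 5. Same endpoint without any cookie; the expected answer is 401.
    print("\n[5] GET /auth/session (without cookie)")
    anon_status, _, body, _ = make_request(f"{BASE_URL}/auth/session")
    _show(anon_status, body)

    # 6. Setup state, if the backend exposes it.
    print("\n[6] GET /setup (check if setup is complete)")
    status, _, body, _ = make_request(f"{BASE_URL}/setup")
    _show(status, body, limit=200)

    _diagnose(login_status, session_cookie, session_attrs, session_status, anon_status, allow_origin)


if __name__ == "__main__":
    main()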