import urllib.request

from fastapi import APIRouter, Request
from sqlalchemy import text

from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
from app.core.config import settings
from app.core.database import async_session

router = APIRouter(tags=["health"])


@router.get("/health")
async def health_check():
    """Health check endpoint with database connectivity verification."""
    try:
        async with async_session() as session:
            await session.execute(text("SELECT 1"))
        db_status = "connected"
    except Exception:
        db_status = "disconnected"

    return {"status": "healthy", "database": db_status}


@router.get("/")
async def root():
    """Root endpoint."""
    return {"message": "Nuzlocke Tracker API", "docs": "/docs"}


@router.get("/auth-debug")
async def auth_debug(request: Request):
    """Temporary diagnostic endpoint for auth debugging."""
    result: dict = {}

    # Config
    result["supabase_url"] = settings.supabase_url
    result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
    result["jwks_url"] = (
        _build_jwks_url(settings.supabase_url) if settings.supabase_url else None
    )

    # JWKS fetch
    jwks_url = result["jwks_url"]
    if jwks_url:
        try:
            with urllib.request.urlopen(jwks_url, timeout=5) as resp:
                result["jwks_status"] = resp.status
                result["jwks_body"] = resp.read().decode()
        except Exception as e:
            result["jwks_fetch_error"] = str(e)

    # JWKS client
    client = _get_jwks_client()
    result["jwks_client_exists"] = client is not None

    # Token info (header only, no secrets)
    token = _extract_token(request)
    if token:
        import jwt

        try:
            header = jwt.get_unverified_header(token)
            result["token_header"] = header
        except Exception as e:
            result["token_header_error"] = str(e)
    else:
        result["token"] = "not provided"

    return result