"""
Authentication decorators for SneakyScanner.

Provides decorators for protecting web routes and API endpoints.
"""

from functools import wraps
from typing import Callable

from flask import jsonify, redirect, request, url_for
from flask_login import current_user


def login_required(f: Callable) -> Callable:
    """
    Decorator for web routes that require authentication.

    Redirects to login page if user is not authenticated.
    This is a wrapper around Flask-Login's login_required that can be
    customized if needed.

    Args:
        f: Function to decorate

    Returns:
        Decorated function
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if not current_user.is_authenticated:
            # Redirect to login page
            return redirect(url_for('auth.login', next=request.url))
        return f(*args, **kwargs)
    return decorated_function


def api_auth_required(f: Callable) -> Callable:
    """
    Decorator for API endpoints that require authentication.

    Returns 401 JSON response if user is not authenticated.
    Uses Flask-Login sessions (same as web UI).

    Args:
        f: Function to decorate

    Returns:
        Decorated function

    Example:
        @bp.route('/api/scans', methods=['POST'])
        @api_auth_required
        def trigger_scan():
            # Protected endpoint
            pass
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if not current_user.is_authenticated:
            return jsonify({
                'error': 'Authentication required',
                'message': 'Please authenticate to access this endpoint'
            }), 401
        return f(*args, **kwargs)
    return decorated_function