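from __future__ import annotations

import hashlib
from datetime import datetime

from sqlalchemy import DateTime, ForeignKey, Index, Integer, String, func
from sqlalchemy.orm import Mapped, mapped_column, relationship

from shared.db.base import Base


def hash_token(token: str) -> str:
    """Return the hex SHA-256 digest of *token* for storage in ``token_hash``.

    Only the digest is persisted, so reading the table does not yield a usable
    bearer credential. The digest is unsalted, which is what makes the stored
    column usable for an exact-match lookup; this is only adequate if the token
    itself is a high-entropy random value -- confirm against the issuing code.

    Args:
        token: The raw token string as issued to the client.

    Returns:
        A 64-character lowercase hex string (fits the ``String(64)`` column).
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class OAuthGrant(Base):
    """Long-lived grant tracking each client-app session authorization.

    Created when the OAuth authorize endpoint issues a code. Tied to the
    account session that issued it (``issuer_session``) so that logging out
    on one device revokes only that device's grants.

    The ``token`` column is retained during migration but new grants store
    only ``token_hash``. Lookups should use ``token_hash``.
    """

    __tablename__ = "oauth_grants"

    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)

    # Legacy plaintext token. Nullable so migrated rows can be nulled out once
    # their hash is populated; new code must not write it, and the column can
    # be dropped once the migration completes.
    token: Mapped[str | None] = mapped_column(String(128), nullable=True)

    # SHA-256 hex digest of the token (see ``hash_token``). The unique index is
    # declared once, as ``ix_oauth_grant_token_hash`` in ``__table_args__``;
    # the previous ``unique=True, index=True`` here produced a second,
    # auto-named index on the same column.
    token_hash: Mapped[str | None] = mapped_column(String(64), nullable=True)

    user_id: Mapped[int] = mapped_column(
        ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True
    )
    client_id: Mapped[str] = mapped_column(String(64), nullable=False)

    # Indexed via ``ix_oauth_grant_issuer`` below; ``index=True`` would
    # duplicate it.
    issuer_session: Mapped[str] = mapped_column(String(128), nullable=False)

    # Served by ``ix_oauth_grant_device`` below, where it is the leading
    # column, so no separate single-column index is needed.
    device_id: Mapped[str | None] = mapped_column(String(128), nullable=True)

    # Stamped by the database (``func.now()``) rather than the application.
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    # NULL while the grant has not been revoked.
    revoked_at: Mapped[datetime | None] = mapped_column(
        DateTime(timezone=True), nullable=True
    )

    user = relationship("User", backref="oauth_grants")

    # Every secondary index for this table is declared here, by name, so the
    # schema has exactly one index per access path.
    __table_args__ = (
        Index("ix_oauth_grant_token_hash", "token_hash", unique=True),
        Index("ix_oauth_grant_issuer", "issuer_session"),
        Index("ix_oauth_grant_device", "device_id", "client_id"),
    )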