"""
Development authentication module for StarPunk

WARNING: This module provides a development-only authentication mechanism
that bypasses IndieLogin. It should NEVER be enabled in production.

This module is separate from production auth (starpunk/auth.py) to maintain
clear architectural boundaries and enable easy security audits.

Security measures:
- Only active when DEV_MODE=true
- Returns 404 if DEV_MODE=false
- Requires DEV_ADMIN_ME configuration
- Logs prominent warnings
- Cannot coexist with production SITE_URL
- Visual warnings in UI

Functions:
    is_dev_mode: Check if development mode is enabled
    validate_dev_config: Validate development configuration
    create_dev_session: Create session without authentication
"""

from flask import current_app

from starpunk.auth import create_session


def is_dev_mode() -> bool:
    """
    Check if development mode is enabled

    Returns:
        True if DEV_MODE is enabled, False otherwise

    Example:
        >>> from starpunk.dev_auth import is_dev_mode
        >>> if is_dev_mode():
        ...     print("Development mode active")
    """
    return current_app.config.get("DEV_MODE", False)


def validate_dev_config() -> None:
    """
    Validate development mode configuration

    Checks that DEV_MODE configuration is valid and safe:
    - DEV_ADMIN_ME must be set if DEV_MODE is true
    - Warns if DEV_MODE is enabled with production-like SITE_URL

    Raises:
        ValueError: If DEV_MODE is true but DEV_ADMIN_ME is not set

    Logs:
        WARNING: If DEV_MODE is enabled with HTTPS SITE_URL
    """
    dev_mode = current_app.config.get("DEV_MODE", False)

    if dev_mode:
        # Require DEV_ADMIN_ME
        dev_admin_me = current_app.config.get("DEV_ADMIN_ME")
        if not dev_admin_me:
            raise ValueError("DEV_MODE=true requires DEV_ADMIN_ME to be set")

        # Warn if production-like configuration detected
        site_url = current_app.config.get("SITE_URL", "")
        if site_url.startswith("https://"):
            current_app.logger.warning(
                "WARNING: DEV_MODE is enabled with production SITE_URL. "
                "This is likely a misconfiguration. "
                "DEV_MODE should only be used in local development."
            )


def create_dev_session(me: str) -> str:
    """
    Create development session without authentication

    WARNING: This bypasses IndieLogin authentication entirely.
    Only use in development environments.

    Args:
        me: User identity URL (from DEV_ADMIN_ME config)

    Returns:
        Session token (same format as production sessions)

    Logs:
        WARNING: Logs that dev session was created without authentication

    Example:
        >>> token = create_dev_session("https://example.com")
        >>> # Session created without IndieLogin verification
    """
    current_app.logger.warning(
        f"DEV MODE: Creating session for {me} without authentication. "
        f"This should NEVER happen in production!"
    )

    # Use production session creation (same session format)
    # This ensures dev sessions work identically to production
    return create_session(me)