# app/main.py
import streamlit as st
import yaml
from yaml.loader import SafeLoader
import streamlit_authenticator as stauth

from auth_core import (
    init_auth_db,
    load_credentials_from_db,
    get_role_for_user,
    create_user,
)
from version import __version__


def content_for(username: str, role: str):
    st.header("Dashboard")
    st.info(f"Willkommen, {username}!")

    if role == "admin":
        st.subheader("Admin-Bereich")
        st.write("Nur Admins sehen das hier.")

        with st.expander("Neuen Nutzer anlegen"):
            new_u = st.text_input("Neuer Username", key="new_u")
            new_email = st.text_input("E-Mail", key="new_email")
            new_p = st.text_input("Neues Passwort", type="password", key="new_p")
            new_role = st.selectbox("Rolle", ["user", "admin"], key="new_role")

            if st.button("Anlegen"):
                if new_u and new_p:
                    ok = create_user(new_u.strip(), new_p, new_role, new_email.strip() or None)
                    st.success("Nutzer angelegt.") if ok else st.error("Username bereits vorhanden oder Fehler.")
                else:
                    st.warning("Bitte Username und Passwort eingeben.")

    st.subheader("Dein Bereich")
    st.write(f"Personalisierter Content für **{username}**.")


def main():
    st.set_page_config(
        page_title=f"Intranet-Portal v{__version__}",
        page_icon="🔒",
        layout="centered",
    )

    # DB-Struktur sicherstellen
    init_auth_db()

    # --- Config laden (Cookie, etc.) ---
    with open("config/auth.yaml", "r", encoding="utf-8") as f:
        base_config = yaml.load(f, Loader=SafeLoader)

    # --- Credentials dynamisch aus DB laden ---
    db_creds = load_credentials_from_db()
    base_config["credentials"] = db_creds

    authenticator = stauth.Authenticate(
        base_config["credentials"],
        base_config["cookie"]["name"],
        base_config["cookie"]["key"],
        base_config["cookie"]["expiry_days"],
        base_config.get("preauthorized", {}),
    )

    name, auth_status, username = authenticator.login("Login", "main")

    if auth_status is False:
        st.error("Login fehlgeschlagen.")
        return

    if auth_status is None:
        st.warning("Bitte Benutzername und Passwort eingeben.")
        return

    # ---- Ab hier eingeloggt (persistenter Cookie) ----
    role = get_role_for_user(username)

    authenticator.logout("Logout", "sidebar")
    st.sidebar.write(f"Angemeldet als **{name}** ({username}, Rolle: {role})")

    content_for(username, role)


if __name__ == "__main__":
    main()