from django.contrib.auth.backends import BaseBackend
from django.contrib.auth.hashers import check_password
from passlib.context import CryptContext
from passlib.exc import UnknownHashError

from .models import User

pwd_ctx = CryptContext(schemes=["bcrypt"], deprecated="auto")


class LegacyPasswordBackend(BaseBackend):
    """
    Supports mixed password formats during migration:
    - Django-native hashes (pbkdf2, etc.)
    - Legacy passlib bcrypt hashes from FastAPI
    - Optional plaintext fallback for local/dev rescue scenarios
    """

    def authenticate(self, request, username=None, password=None, **kwargs):
        if not username or not password:
            return None
        try:
            user = User.objects.get(username=username)
        except User.DoesNotExist:
            return None

        stored = user.password or ""

        # 1) Django hash support
        try:
            if check_password(password, stored):
                return user
        except Exception:
            pass

        # 2) Legacy passlib bcrypt support
        try:
            if pwd_ctx.verify(password, stored):
                return user
        except (UnknownHashError, ValueError):
            pass

        # 3) Plaintext fallback (dev safety only)
        if stored and stored == password:
            return user

        return None

    def get_user(self, user_id):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None