"""Módulo de segurança da aplicação."""

from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
from flask_login import LoginManager
from flask_jwt_extended import JWTManager
import logging
from logging.handlers import RotatingFileHandler
import os
from datetime import timedelta
from src.discord.discord_webhook import send_discord_audit_log

# Dedicated logger for security-relevant events; its file handler is
# attached further down, once the log directory has been created.
security_logger = logging.getLogger("security")
security_logger.setLevel(logging.INFO)


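def rate_limit_exceeded_callback(response):
    """Record a rate-limit breach and hand the limiter's argument back unchanged.

    Registered as ``on_breach`` of the module-level ``limiter``. The breach is
    written to the local security log and forwarded to the Discord audit
    webhook, with the client address taken from ``get_remote_address`` so the
    audit trail carries the offending source instead of ``None``.

    Args:
        response: whatever flask-limiter passes to ``on_breach``; it is
            returned as received. NOTE(review): recent flask-limiter versions
            pass a ``RequestLimit`` object here rather than a response —
            confirm against the installed version.

    Returns:
        ``response``, unchanged.
    """
    # on_breach runs inside the request that tripped the limit, so the
    # request-bound address is available. Behind a reverse proxy this is the
    # proxy's address unless the app applies ProxyFix — verify deployment.
    client_ip = get_remote_address()
    security_logger.warning('Rate limit exceeded for %s', client_ip)
    send_discord_audit_log(
        action="Alerta de uso excessivo",
        user_id=None,
        object_type="RateLimit",
        details="Limite de requisições atingido (rate limit)",
        ip_address=client_ip
    )
    return response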

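# Local security log: rotated at 1 MiB with ten archived generations kept.
# NOTE(review): the path is relative to the process working directory —
# confirm the service is started from the intended directory.
# exist_ok avoids the exists()/makedirs() race when two workers start at once.
os.makedirs('logs', exist_ok=True)

security_handler = RotatingFileHandler(
    'logs/security.log',
    maxBytes=1024 * 1024,
    backupCount=10
)
security_handler.setFormatter(logging.Formatter(
    '%(asctime)s - %(levelname)s - %(message)s'
))
security_logger.addHandler(security_handler)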

# Extension singletons; each is bound to the application later, in
# init_security(). The three constructions are independent of one another.
# NOTE(review): keying limits on get_remote_address means every client behind
# a shared proxy address counts against the same bucket — confirm the
# deployment applies ProxyFix if that is not intended.
limiter = Limiter(
    key_func=get_remote_address,
    default_limits=["200 per day", "50 per hour"],
    on_breach=rate_limit_exceeded_callback,
)
login_manager = LoginManager()
jwt = JWTManager()

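def init_security(app):
    """Wire the security extensions and hardening settings into *app*.

    Configures JWT signing and token lifetimes, Flask-Login, the rate
    limiter, session-cookie flags and a set of response security headers.

    Args:
        app: the Flask application being initialised.

    Raises:
        RuntimeError: if the ``JWT_SECRET_KEY`` environment variable is unset
            or empty. Tokens must never be signed with a built-in fallback:
            a known key lets anyone forge a valid token.
    """
    jwt_secret = os.getenv('JWT_SECRET_KEY')
    if not jwt_secret:
        # Fail at start-up rather than run with a predictable signing key.
        raise RuntimeError('JWT_SECRET_KEY environment variable must be set')
    app.config['JWT_SECRET_KEY'] = jwt_secret
    # Short-lived access tokens; the refresh token bounds how long a stolen
    # refresh credential stays usable.
    app.config['JWT_ACCESS_TOKEN_EXPIRES'] = timedelta(hours=1)
    app.config['JWT_REFRESH_TOKEN_EXPIRES'] = timedelta(days=30)

    login_manager.init_app(app)
    login_manager.login_view = 'auth.login'
    login_manager.login_message = 'Por favor, faça login para acessar esta página.'
    login_manager.login_message_category = 'info'

    jwt.init_app(app)
    limiter.init_app(app)

    # Session cookie: HTTPS-only, unreadable from script, not sent on
    # cross-site navigations initiated by third parties (Lax), and expired
    # server-side after one hour.
    app.config['SESSION_COOKIE_SECURE'] = True
    app.config['SESSION_COOKIE_HTTPONLY'] = True
    app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
    app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=1)

    @app.after_request
    def add_security_headers(response):
        """Attach browser hardening headers to every response."""
        # Stop MIME sniffing and disallow framing by other origins.
        response.headers['X-Content-Type-Options'] = 'nosniff'
        response.headers['X-Frame-Options'] = 'SAMEORIGIN'
        # Legacy header; modern browsers ignore it, kept for older ones.
        response.headers['X-XSS-Protection'] = '1; mode=block'
        # Browsers only honour HSTS when received over HTTPS.
        response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
        return response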