"""Custom JWT authentication — validates session_id against ActiveSession table."""

from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework_simplejwt.exceptions import InvalidToken


class SessionJWTAuthentication(JWTAuthentication):
    """
    Extends JWTAuthentication to check that the session_id in the token
    still exists in the ActiveSession table.

    Legacy tokens (without session_id) are allowed through for backward compatibility.
    """

    def get_user(self, validated_token):
        user = super().get_user(validated_token)

        # 检查用户是否被封禁
        if not user.is_active:
            raise InvalidToken({
                'detail': '您的账号已被禁用，请联系团队管理员',
                'code': 'user_disabled',
            })

        # 检查团队是否被封禁
        if user.team_id:
            try:
                from .models import Team
                team = Team.objects.get(pk=user.team_id)
                if not team.is_active:
                    raise InvalidToken({
                        'detail': '您所在的团队已被禁用，请联系平台管理员',
                        'code': 'team_disabled',
                    })
            except Team.DoesNotExist:
                pass

        session_id = validated_token.get('session_id')
        if session_id is None:
            # Legacy token without session_id — allow through
            return user

        from .models import ActiveSession
        if not ActiveSession.objects.filter(user=user, session_id=session_id).exists():
            raise InvalidToken({
                'detail': '您的账号已在其他设备登录',
                'code': 'session_expired_other_device',
            })

        return user