"""Pydantic v2 schemas for authentication endpoints."""

from typing import Optional

from pydantic import BaseModel, EmailStr

from app.schemas.user import UserResponse


class LoginRequest(BaseModel):
    """Credentials submitted to POST /login."""

    email: EmailStr
    password: str
    mfa_code: Optional[str] = None


class TokenResponse(BaseModel):
    """Returned on successful login or token refresh."""

    access_token: str
    refresh_token: str
    token_type: str = "bearer"
    user: UserResponse


class RegisterRequest(BaseModel):
    """Self-service registration (requires invitation token or whitelisted domain)."""

    username: str
    email: EmailStr
    password: str
    invitation_token: Optional[str] = None


class RefreshRequest(BaseModel):
    """Request body for POST /refresh."""

    refresh_token: str


class MFASetupResponse(BaseModel):
    """Returned when a user initiates MFA setup."""

    secret: str
    qr_uri: str


class MFAVerifyRequest(BaseModel):
    """6-digit TOTP code + secret submitted to activate MFA.

    The *secret* was returned by ``/mfa/setup`` and must be echoed back so
    the server can verify the code before persisting.
    """

    secret: str
    code: str


class ChangePasswordRequest(BaseModel):
    """Request body for changing the authenticated user's password."""

    old_password: str
    new_password: str


class MFADisableRequest(BaseModel):
    """Password confirmation required to disable MFA."""

    password: str


class ForgotPasswordRequest(BaseModel):
    """Request body for POST /forgot-password."""

    email: EmailStr


class ResetPasswordRequest(BaseModel):
    """Request body for POST /reset-password."""

    token: str
    new_password: str