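# ================================================================
# services/forecasting/app/core/auth.py
# ================================================================
"""
Authentication utilities for forecasting service
"""

import structlog
from fastapi import HTTPException, status, Request
from typing import Dict, Any, Optional

logger = structlog.get_logger()


async def get_current_user_from_headers(request: Request) -> Dict[str, Any]:
    """
    Build the current-user context from the identity headers on the request.

    The API Gateway is expected to verify the caller's JWT and then attach
    X-User-ID, X-User-Email, X-Tenant-ID and X-User-Roles to the forwarded
    request. This function only reads those headers.

    Security note: the header values are trusted as-is; nothing here checks
    a signature or token. That is only sound when this service is reachable
    exclusively through the gateway and the gateway overwrites or drops any
    client-supplied copies of these headers. Confirm both at the deployment
    level (network policy, gateway configuration).

    Args:
        request: Incoming request carrying the gateway-set headers.

    Returns:
        Dict with "user_id" and "tenant_id" (whitespace-trimmed), "email"
        (the X-User-Email value, or None when absent) and "roles" (the
        comma-separated X-User-Roles value split into trimmed, non-empty
        entries).

    Raises:
        HTTPException: 401 "Authentication required" when X-User-ID or
            X-Tenant-ID is missing or blank; 401 "Invalid authentication"
            when reading the headers fails unexpectedly.
    """
    try:
        headers = request.headers

        # A header that is present but blank must not count as an identity,
        # so missing and whitespace-only values are normalised to "".
        user_id = (headers.get("X-User-ID") or "").strip()
        tenant_id = (headers.get("X-Tenant-ID") or "").strip()
        user_email = headers.get("X-User-Email")
        raw_roles = headers.get("X-User-Roles", "")

        if not user_id or not tenant_id:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Authentication required"
            )

        # Drop empty entries such as those left by "admin,,viewer" or a
        # trailing comma.
        roles = [role.strip() for role in raw_roles.split(",") if role.strip()]

        return {
            "user_id": user_id,
            "email": user_email,
            "tenant_id": tenant_id,
            "roles": roles
        }

    except HTTPException:
        # Deliberate 401 raised above; pass it through unchanged.
        raise
    except Exception as e:
        # Fail closed: any unexpected error is reported as unauthenticated.
        logger.error("Error extracting user from headers", error=str(e))
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication"
        ) from e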