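"""
web/session.py
--------------

Session helpers using signed cookies (itsdangerous).

Stores Adobe Sign and DocuSign tokens server-side in the cookie payload.
Sessions are short-lived (1 hour) and signed but not encrypted.
Do not store sensitive secrets here beyond access tokens.
"""

from itsdangerous import URLSafeTimedSerializer, BadSignature, SignatureExpired
from fastapi import Request, Response

from web.config import settings

# Timed serializer: every cookie value is signed with the app secret and
# carries an issue timestamp, so get_session() rejects both tampered and
# stale cookies. The payload is encoded, not encrypted (see module docstring).
_serializer = URLSafeTimedSerializer(settings.session_secret_key)

_COOKIE_NAME = "migrator_session"
# 1 hour. Used for both the browser-side cookie lifetime (set_cookie max_age)
# and the signature lifetime (loads max_age), so the two expire together.
_MAX_AGE = 3600


def get_session(request: Request) -> dict:
    """Read and verify the session cookie.

    Args:
        request: Incoming request whose cookies are inspected.

    Returns:
        The decoded session payload, or an empty dict when the cookie is
        missing, fails signature verification, has expired, or does not
        decode to a dict (e.g. a cookie issued under an older payload
        format). Callers never see a non-dict value.
    """
    raw = request.cookies.get(_COOKIE_NAME)
    if not raw:
        return {}
    try:
        # SignatureExpired is itself a BadSignature; it is listed explicitly
        # so that "expired counts as invalid" is visible at a glance.
        payload = _serializer.loads(raw, max_age=_MAX_AGE)
    except (BadSignature, SignatureExpired):
        return {}
    # Honour the declared return type: a validly signed value that is not a
    # dict is treated as "no session" rather than handed to callers.
    return payload if isinstance(payload, dict) else {}


def save_session(response: Response, data: dict, *, secure: bool = False) -> None:
    """Sign and write session data into a cookie on the response.

    Args:
        response: Response the Set-Cookie header is attached to.
        data: JSON-serialisable session payload. It is signed, not
            encrypted, so anyone holding the cookie can read it.
        secure: Set the cookie's Secure attribute so browsers only send it
            over HTTPS. Defaults to False so plain-HTTP development keeps
            working; pass True when serving behind TLS.
    """
    signed = _serializer.dumps(data)
    response.set_cookie(
        _COOKIE_NAME,
        signed,
        max_age=_MAX_AGE,
        httponly=True,   # keeps the token out of reach of page scripts
        samesite="lax",  # not attached to cross-site POST requests
        secure=secure,
    )


def clear_session(response: Response) -> None:
    """Delete the session cookie.

    Args:
        response: Response the expiring Set-Cookie header is attached to.
    """
    response.delete_cookie(_COOKIE_NAME)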