"""Автентифікація — bcrypt hash/verify, без Streamlit."""
from __future__ import annotations

import bcrypt
from sqlmodel import Session, select

from db.session import get_engine
from models import Users


def hash_password(password: str) -> str:
    hashed = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
    return hashed.decode("utf-8")


def verify_password(password: str, hashed: str) -> bool:
    return bcrypt.checkpw(password.encode("utf-8"), hashed.encode("utf-8"))


def authenticate(email: str, password: str) -> Users | None:
    with Session(get_engine()) as session:
        user = session.exec(select(Users).where(Users.email == email)).first()
    if user and verify_password(password, user.hashed_password):
        return user
    return None  # загальне None — не розкриваємо чи email чи пароль невірний (enumeration)
