from django.conf import settings
from mozilla_django_oidc.auth import OIDCAuthenticationBackend


class ModeratorAuthBackend(OIDCAuthenticationBackend):
    """Override base authentication class."""

    def get_or_create_user(self, access_token, id_token, payload):
        """Get or create a new user only if they have one of the groups
        mentioned in the ALLOWED_LOGIN_GROUPS in the claims.
        """
        user_info = self.get_userinfo(access_token, id_token, payload)
        groups = user_info.get("https://sso.mozilla.com/claim/groups", [])

        # The user is not staff or NDA member. Return None
        if not any(x in groups for x in settings.ALLOWED_LOGIN_GROUPS):
            return None
        return super(ModeratorAuthBackend, self).get_or_create_user(
            access_token, id_token, payload
        )

    def update_user(self, user, claims):
        # Update user status (nda, staff based on assertions)
        profile = user.userprofile
        if username := claims.get("uid"):
            user.username = username
        email = claims.get("email")
        if email and user.email != email:
            user.email = email
        profile.avatar_url = claims.get("avatar", "")
        user.save()

        # Only staff members and members of the NDA group are allowed to login.
        # Because of this everyone will get the is_nda_member set to True.
        # If in the future more people are allowed to login this needs to be
        # available to only members of the ALLOWED_LOGIN_GROUPS
        profile.is_nda_member = True
        profile.save()
        return user