app.py

# --- Imports ---
import os
import time
import json
import logging
import requests
import threading
import datetime
import urllib.parse
from datetime import datetime, timezone, timedelta
from functools import wraps
from typing import Dict, Any, List, Optional, Union, Tuple
from collections import defaultdict

# Third-party imports
from dotenv import load_dotenv
from flask import (
    Flask, 
    render_template, 
    request, 
    jsonify, 
    session, 
    redirect, 
    url_for, 
    make_response, 
    abort, 
    send_from_directory
)
from pymongo import MongoClient, ASCENDING, DESCENDING
from bson import ObjectId, json_util
from bson.json_util import dumps
from discord_webhook import DiscordWebhook, DiscordEmbed

# --- Load Environment Variables EARLY ---
load_dotenv()

# Debug log for Mongo URI
print("MongoDB URI:", os.getenv("MONGO_URI"))

# Initialize Flask app
app = Flask(__name__)
app.config["SECRET_KEY"] = os.getenv("FLASK_SECRET_KEY", "default-secret-key")
app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(minutes=30)
app.config["MAX_CONTENT_LENGTH"] = 16 * 1024 * 1024  # 16MB max upload size

# Import and register API Blueprints
from api.users import users_bp as users_api_blueprint
app.register_blueprint(users_api_blueprint)

# --- End of Imports ---

# --- Load Environment Variables EARLY ---
load_dotenv()
# Debug log for Mongo URI
print("MongoDB URI:", os.getenv("MONGO_URI"))



# --- Constants and Configuration ---
CONFIG = {
    "MONGO_DB": "techtact",
    "MONGO_COLLECTION": "visitors",
    "ARCHIVE_COLLECTION": "archived_stats",
    "MONTH_TRACKER_COLLECTION": "month_tracker",
    "LOG_FORMAT": "%(asctime)s - %(name)s - %(levelname)s - %(message)s",
    "REQUEST_TIMEOUT": 5,
    "DISCORD_EMBED_COLOR": 0x2B2D31,
    "DEFAULT_AVATAR_URL": "https://cdn.discordapp.com/embed/avatars/{}.png",
    "CLEANUP_TIMEZONE": "UTC",
    # Enhanced Anti-DDoS settings
    "RATE_LIMIT": 30,
    "RATE_LIMIT_WINDOW": 30,
    "REFRESH_LIMIT": 5,
    "REFRESH_WINDOW": 30,
    "BLOCK_THRESHOLD": 3,
    "BLOCK_DURATION": 7200,
    "USER_AGENT_BLACKLIST": [
    "python-requests", "curl", "wget", "nikto", "sqlmap", "nmap", 
    "hydra", "metasploit", "scrapy", "phantomjs", "selenium",
    "headless", "bot", "spider", "crawler", "zgrab", "masscan",
    "nessus", "openvas", "burp", "arachni", "skipfish", "w3af",
    "owasp", "zap", "fiddler", "postman", "insomnia", "httrack",
    "grabber", "harvest", "extract", "collect", "scan", "exploit",
    "dirbuster", "gobuster", "ffuf", "nikto", "sqlmap", "wpscan",
    "acunetix", "netsparker", "appscan", "nessus", "openvas",
    "nessus", "openvas", "burp", "arachni", "skipfish", "w3af",
    "owasp", "zap", "fiddler", "postman", "insomnia", "httrack",
    "grabber", "harvest", "extract", "collect", "scan", "exploit",
    "dirbuster", "gobuster", "ffuf", "nikto", "sqlmap", "wpscan",
    "acunetix", "netsparker", "appscan", "nessus", "openvas",
    "nessus", "openvas", "burp", "arachni", "skipfish", "w3af",
    "owasp", "zap", "fiddler", "postman", "insomnia", "httrack",
    "grabber", "harvest", "extract", "collect", "scan", "exploit",
    "dirbuster", "gobuster", "ffuf", "nikto", "sqlmap", "wpscan",
    "acunetix", "netsparker", "appscan", "nessus", "openvas"
    ],
    "IP_BLACKLIST": [],
    "REQUEST_SIZE_LIMIT": 512 * 1024,
    "LOADING_DELAY": 3,  # 3 second loading delay for anti-DDoS
    
    # Enhanced Human Verification settings
    "HUMAN_VERIFICATION_ENABLED": True,
    "VERIFICATION_SESSION_EXPIRY": 86400,  # 24 hours
    "VERIFICATION_SPAM_TIMEOUT": 20,  # 20 seconds for spamming
    "VERIFICATION_INACTIVE_TIMEOUT": 3600,  # 1 hour for inactive
    "VERIFICATION_FAIL_LIMIT": 3,
    "VERIFICATION_FAIL_BAN": 300,
    "VERIFICATION_QUESTIONS": [
        {"question":"What do you wear on your feet?","answer":"Shoes","options":["Gloves","Shoes","Hat","Scarf"]},
        {"question":"Which shape is round?","answer":"Circle","options":["Triangle","Square","Circle","Rectangle"]},
        {"question":"What do you use to write?","answer":"Pen","options":["Ruler","Pen","Scissors","Eraser"]},
        {"question":"Which animal has a long neck?","answer":"Giraffe","options":["Elephant","Lion","Giraffe","Zebra"]},
        {"question":"How many letters are in the word 'cat'?","answer":"3","options":["2","3","4","5"]},
        {"question":"Which fruit is red?","answer":"Apple","options":["Banana","Apple","Pear","Plum"]},
        {"question":"What color are strawberries?","answer":"Red","options":["Blue","Green","Red","Yellow"]},
        {"question":"What does a cow give us?","answer":"Milk","options":["Wool","Milk","Eggs","Honey"]},
        {"question":"What is 5 + 3?","answer":"8","options":["6","7","8","9"]},
        {"question":"Which one is used to call someone?","answer":"Phone","options":["Tablet","Phone","TV","Microwave"]},
        {"question":"Which is a type of insect?","answer":"Ant","options":["Frog","Bird","Ant","Snake"]},
        {"question":"Which one do you wear on your head?","answer":"Hat","options":["Hat","Shirt","Shoes","Belt"]},
        {"question":"What color is the sky on a clear day?","answer":"Blue","options":["Green","Red","Blue","Black"]},
        {"question":"Which is the largest planet?","answer":"Jupiter","options":["Earth","Mars","Jupiter","Venus"]},
        {"question":"How many legs does a cat have?","answer":"4","options":["2","3","4","5"]},
        {"question":"What do you drink when you're thirsty?","answer":"Water","options":["Milk","Water","Juice","Oil"]},
        {"question":"Which is used to open a door?","answer":"Key","options":["Knife","Pen","Key","Screw"]},
        {"question":"Which of these is a fruit?","answer":"Banana","options":["Potato","Banana","Carrot","Onion"]},
        {"question":"Which one is a body part?","answer":"Arm","options":["Spoon","Arm","Pencil","Book"]},
        {"question":"What shape is a pizza?","answer":"Circle","options":["Square","Circle","Triangle","Oval"]},
        {"question":"What is 6 − 2?","answer":"4","options":["3","4","5","6"]},
        {"question":"What do you use to cut paper?","answer":"Scissors","options":["Fork","Ruler","Scissors","Marker"]},
        {"question":"What comes after the number 9?","answer":"10","options":["8","9","10","11"]},
        {"question":"Which one can fly?","answer":"Plane","options":["Car","Plane","Boat","Train"]},
        {"question":"Which of these is a mode of communication?","answer":"Email","options":["Email","Knife","Broom","Ladder"]},
        {"question":"Which organ do you use to hear?","answer":"Ear","options":["Nose","Ear","Eye","Mouth"]},
        {"question":"Which season comes after summer?","answer":"Autumn","options":["Spring","Autumn","Winter","Rainy"]},
        {"question":"Which number is greater: 7 or 5?","answer":"7","options":["5","6","7","4"]},
        {"question":"Which animal barks?","answer":"Dog","options":["Cat","Dog","Bird","Duck"]},
        {"question":"Which object can float on water?","answer":"Boat","options":["Car","Rock","Boat","Bike"]},
        {"question":"What color are lemons?","answer":"Yellow","options":["Red","Green","Blue","Yellow"]},
        {"question":"Which one is used to clean floors?","answer":"Broom","options":["Fork","Broom","Pan","Towel"]},
        {"question":"What do chickens lay?","answer":"Eggs","options":["Milk","Eggs","Bread","Wool"]},
        {"question":"Which is a liquid?","answer":"Juice","options":["Rock","Paper","Juice","Sand"]},
        {"question":"Which one is NOT a fruit?","answer":"Potato","options":["Apple","Banana","Potato","Mango"]},
        {"question":"Which number is even?","answer":"6","options":["3","5","6","9"]},
        {"question":"Which object gives us light at night?","answer":"Moon","options":["Sun","Star","Moon","Cloud"]},
        {"question":"What color is coal?","answer":"Black","options":["White","Black","Red","Blue"]},
        {"question":"Which of these can you eat?","answer":"Bread","options":["Bread","Ball","Pen","Tire"]},
        {"question":"What is 4 × 2?","answer":"8","options":["6","8","10","12"]},
        {"question":"What do you use to see things far away?","answer":"Binoculars","options":["Glasses","Binoculars","Compass","Phone"]},
        {"question":"What goes tick-tock?","answer":"Clock","options":["Fan","Clock","Chair","Dog"]},
        {"question":"How many days in February (non-leap year)?","answer":"28","options":["28","29","30","31"]},
        {"question":"Which animal is known as man's best friend?","answer":"Dog","options":["Cat","Dog","Fish","Parrot"]},
        {"question":"What shape has 3 sides?","answer":"Triangle","options":["Square","Triangle","Circle","Pentagon"]},
        {"question":"Which animal goes 'quack'?","answer":"Duck","options":["Goose","Frog","Duck","Horse"]},
        {"question":"Which of these is frozen water?","answer":"Ice","options":["Steam","Rain","Ice","Snow"]},
        {"question":"How many hours are in a day?","answer":"24","options":["12","18","24","30"]},
        {"question":"Which of these is hot?","answer":"Fire","options":["Fire","Snow","Ice","Rain"]}
    ]
}

# --- Setup Logging ---
logging.basicConfig(
    level=logging.INFO,
    format=CONFIG["LOG_FORMAT"],
    handlers=[
        logging.StreamHandler(),
        logging.FileHandler(os.path.join(os.path.dirname(__file__), "app.log"))
    ]
)
logger = logging.getLogger(__name__)

# --- Load Environment Variables ---
load_dotenv()

class Config:
    DISCORD_WEBHOOK = os.getenv("DISCORD_WEBHOOK")
    DISCORD_ALERT_WEBHOOK = os.getenv("DISCORD_ALERT_WEBHOOK")
    DISCORD_BOT_TOKEN = os.getenv("DISCORD_BOT_TOKEN")
    MONGO_URI = os.getenv("MONGO_URI")
    DISCORD_GUILD_ID = os.getenv("DISCORD_GUILD_ID")
    
    @classmethod
    def validate(cls):
        required = ["DISCORD_BOT_TOKEN", "MONGO_URI", "DISCORD_ALERT_WEBHOOK", "DISCORD_GUILD_ID"]
        missing = [var for var in required if not getattr(cls, var)]
        if missing:
            raise EnvironmentError(f"Missing required environment variables: {', '.join(missing)}")

Config.validate()


# --- Ultra-Strong Anti-DDoS System + Human Verification Triggers ---
class DDoSProtection:

    def is_blocked(self, ip):
        now = time.time()
        # Check global block
        if self.global_blocked and now < self.global_block_until:
            self.log_event(ip, "global_block", "Global DDoS block active")
            return True
        # Check DB for blocked IP
        block = self.db.get_blocked_ip(ip)
        if block and block["unblock_time"] > now:
            self.log_event(ip, "ip_blocked", "IP is blocked")
            return True
        elif block:
            self.db.unblock_ip(ip)
        return False

    def block_ip(self, ip, duration, reason):
        unblock_time = time.time() + duration
        self.db.block_ip(ip, unblock_time, reason)
        self.log_event(ip, "block_ip", reason, {"duration": duration})

    def check(self, ip, user_agent):
        now = time.time()

        # Blocked IP
        if self.is_blocked(ip):
            self.log_event(ip, "blocked_request", "Blocked IP tried to access")
            return False, "Blocked IP"

        # IP blacklist (manual)
        if ip in CONFIG.get("IP_BLACKLIST", []):
            self.log_event(ip, "ip_blacklist", "Blacklisted IP")
            if self.global_blocked:
                self.block_ip(ip, CONFIG["BLOCK_DURATION"] * 3, "Blacklisted IP")
                self.flag_human_verification(ip, "Blacklisted IP")
                return False, "Blacklisted IP"
            return False, "Blacklisted IP"

# --- Database Setup ---
# --- Database Setup ---
class DatabaseManager:
    def __init__(self):
        try:
            self.client = MongoClient(Config.MONGO_URI, serverSelectionTimeoutMS=5000)
            # Force a connection check
            self.client.server_info()  # This will trigger an exception if connection fails
            self.db = self.client[CONFIG["MONGO_DB"]]
            self.visitors = self.db[CONFIG["MONGO_COLLECTION"]]
            self.archived_stats = self.db[CONFIG["ARCHIVE_COLLECTION"]]
            self.month_tracker = self.db[CONFIG["MONTH_TRACKER_COLLECTION"]]
            self.blocked_ips = self.db["blocked_ips"]
            self.suspicious_logs = self.db["suspicious_logs"]
            self._setup_indexes()
            logger.info("Successfully connected to MongoDB")
        except Exception as e:
            logger.error(f"Failed to connect to MongoDB: {e}")
            raise RuntimeError(f"Could not connect to MongoDB: {e}")

    def _setup_indexes(self):
        try:
            # Visitors collection indexes
            self.visitors.create_index([("ip", 1), ("month", 1)], unique=True)
            self.visitors.create_index("timestamp")
            self.visitors.create_index("date")
            self.visitors.create_index("month")
            self.visitors.create_index("year")
            
            # Blocked IPs collection indexes
            self.blocked_ips.create_index("ip", unique=True)
            self.blocked_ips.create_index("unblock_time")
            
            # Suspicious logs collection indexes
            self.suspicious_logs.create_index("timestamp", -1)  # For sorting by most recent
            self.suspicious_logs.create_index("ip")  # For filtering by IP
            self.suspicious_logs.create_index([("timestamp", -1), ("ip", 1)])  # Compound index for common queries
            
            logger.info("Database indexes created successfully")
        except Exception as e:
            logger.error(f"Failed to create database indexes: {e}")

    def get_unique_ip_count(self) -> int:
        """Get count of unique IP addresses"""
        try:
            return len(self.visitors.distinct("ip"))
        except Exception as e:
            logger.error(f"Failed to get unique IP count: {e}")
            return 0

    def log_visitor(self, visitor_data: Dict[str, Any]) -> bool:
        """
        Log visitor data only if unique IP for the current month.
        Never store duplicate IPs for the same month.
        Only store important fields: ip, timestamp, date, month, year.
        """
        # self._check_monthly_reset()  # <-- REMOVE call to monthly reset
        try:
            # Only keep the important fields, ignore extra keys
            important_fields = ["ip", "timestamp", "date", "month", "year"]
            data = {k: visitor_data[k] for k in important_fields if k in visitor_data}

            # Check for duplicate (ip, month)
            existing = self.visitors.find_one({
                "ip": data["ip"],
                "month": data["month"]
            })
            if existing:
                logger.debug(f"Duplicate IP detected for current month: {data.get('ip')}")
                return False
            result = self.visitors.insert_one(data)
            logger.info(f"Logged NEW unique visitor with IP: {data.get('ip')} (ID: {result.inserted_id})")
            return True
        except Exception as e:
            logger.error(f"Failed to log visitor: {e}")
            return False

    def get_visitor_count(self, filter_query: Dict[str, Any] = None) -> int:
        try:
            return self.visitors.count_documents(filter_query or {})
        except Exception as e:
            logger.error(f"Failed to get visitor count: {e}")
            return 0

    def get_period_stats(self) -> Tuple[Dict[str, int], Dict[str, int], Dict[str, int]]:
        """Returns tuple of (day_counts, month_counts, year_counts)"""
        try:
            pipeline = [
                {"$group": {
                    "_id": "$date",
                    "count": {"$sum": 1}
                }},
                {"$sort": {"count": -1}}
            ]
            day_counts = {str(doc["_id"]): doc["count"] for doc in self.visitors.aggregate(pipeline)}
            
            pipeline[0]["$group"]["_id"] = "$month"
            month_counts = {str(doc["_id"]): doc["count"] for doc in self.visitors.aggregate(pipeline)}
            
            pipeline[0]["$group"]["_id"] = "$year"
            year_counts = {str(doc["_id"]): doc["count"] for doc in self.visitors.aggregate(pipeline)}
            
            return day_counts, month_counts, year_counts
        except Exception as e:
            logger.error(f"Failed to get period stats: {e}")
            return {}, {}, {}

    def get_historical_stats(self):
        """Get combined stats from current data and archives"""
        try:
            current_stats = {
                "total": self.get_visitor_count(),
                "unique_ips": self.get_unique_ip_count(),
                "day_counts": {},
                "month_counts": {},
                "year_counts": {}
            }
            
            day_counts, month_counts, year_counts = self.get_period_stats()
            current_stats.update({
                "day_counts": day_counts,
                "month_counts": month_counts,
                "year_counts": year_counts
            })
            
            archived_stats = list(self.archived_stats.find().sort("timestamp", -1))
            
            return {
                "current": current_stats,
                "archived": archived_stats
            }
        except Exception as e:
            logger.error(f"Failed to get historical stats: {e}")
            return None

    # --- DDoS Blocked IPs in MongoDB ---
    def block_ip(self, ip, unblock_time, reason, admin_id=None):
        doc = {
            "ip": ip,
            "unblock_time": unblock_time,
            "reason": reason,
            "blocked_at": time.time()
        }
        if admin_id:
            doc["admin_id"] = admin_id
        self.blocked_ips.update_one(
            {"ip": ip},
            {"$set": doc},
            upsert=True
        )

    def get_blocked_ip(self, ip):
        return self.blocked_ips.find_one({"ip": ip})

    def unblock_ip(self, ip):
        self.blocked_ips.delete_one({"ip": ip})

    def get_blocked_ips(self, limit=100):
        """Return a list of blocked IPs, most recent first."""
        try:
            return list(self.blocked_ips.find().sort("blocked_at", -1).limit(limit))
        except Exception as e:
            logger.error(f"Failed to fetch blocked IPs: {e}")
            return []


# --- Initialize global DatabaseManager instance ---
try:
    db = DatabaseManager()
except Exception as e:
    logger.error(f"Failed to initialize DatabaseManager: {e}")
    raise

# --- IPUtils Utility ---
class IPUtils:
    @staticmethod
    def get_client_ip():
        """Get client IP address from request headers (supports proxies)"""
        if request.headers.get('X-Forwarded-For'):
            # X-Forwarded-For may contain multiple IPs, take the first
            ip = request.headers.get('X-Forwarded-For').split(',')[0].strip()
        else:
            ip = request.remote_addr or "unknown"
        return ip

# --- Discord API User Info Fetch ---
class DiscordAPI:
    @staticmethod
    def get_user_info(user_id: str, access_token: str = None) -> Dict[str, Any]:
        """
        Fetch Discord user information.
        If access_token is provided, use it for /users/@me, otherwise use bot token for user_id.
        """
        if user_id == "me" and access_token:
            url = "https://discord.com/api/v10/users/@me"
            headers = {"Authorization": f"Bearer {access_token}"}
        else:
            url = f"https://discord.com/api/v10/users/{user_id}"
            headers = {"Authorization": f"Bot {Config.DISCORD_BOT_TOKEN}"}
        try:
            response = requests.get(url, headers=headers, timeout=CONFIG["REQUEST_TIMEOUT"])
            if response.status_code == 200:
                data = response.json()
                avatar_hash = data.get("avatar")
                username = data.get("username", "Unknown")
                discriminator = data.get("discriminator", "0")
                if discriminator == "0":
                    full_username = username
                else:
                    full_username = f"{username}#{discriminator}"
                avatar_url = None
                if avatar_hash:
                    if avatar_hash.startswith("a_"):
                        avatar_url = f"https://cdn.discordapp.com/avatars/{data['id']}/{avatar_hash}.gif?size=128"
                    else:
                        avatar_url = f"https://cdn.discordapp.com/avatars/{data['id']}/{avatar_hash}.png?size=128"
                return {
                    "id": data.get("id", user_id),
                    "username": full_username,
                    "avatar_url": avatar_url or CONFIG["DEFAULT_AVATAR_URL"].format(int(data.get("id", "0")) % 5),
                    "avatar_gif": avatar_url if avatar_url and avatar_url.endswith(".gif?size=128") else None
                }
            else:
                logger.error(f"Discord API error {response.status_code}: {response.text}")
        except Exception as e:
            logger.error(f"Failed to fetch Discord user {user_id}: {e}")
        # fallback
        fallback_id = user_id if user_id != "me" else "0"
        return {
            "id": fallback_id,
            "username": "Unavailable",
            "avatar_url": CONFIG["DEFAULT_AVATAR_URL"].format(int(fallback_id) % 5 if fallback_id.isdigit() else 0),
            "avatar_gif": None
        }

# --- StatsManager Utility ---
class StatsManager:
    @staticmethod
    def get_current_stats():
        try:
            now = datetime.now(timezone.utc)
            today_str = now.strftime('%Y-%m-%d')
            month_str = now.strftime('%Y-%m')
            year_str = now.strftime('%Y')
            today_count = db.get_visitor_count({"date": today_str})
            month_count = db.get_visitor_count({"month": month_str})
            year_count = db.get_visitor_count({"year": year_str})
            total_count = db.get_visitor_count()
            unique_ips = db.get_unique_ip_count()
            day_counts, month_counts, year_counts = db.get_period_stats()
            top_day = max(day_counts.items(), key=lambda x: x[1]) if day_counts else ("N/A", 0)
            top_month = max(month_counts.items(), key=lambda x: x[1]) if month_counts else ("N/A", 0)
            top_year = max(year_counts.items(), key=lambda x: x[1]) if year_counts else ("N/A", 0)
            blocked_ips_count = db.blocked_ips.count_documents({})

            # --- Aggregate archived stats for totals ---
            archived = list(db.archived_stats.find())
            archived_total = sum(a.get("total_visitors", 0) for a in archived)
            archived_unique = sum(a.get("unique_ips", 0) for a in archived)
            archived_top_day = ("N/A", 0)
            archived_top_month = ("N/A", 0)
            archived_top_year = ("N/A", 0)

            # Find best top_day/month/year from archives
            all_days = []
            all_months = []
            all_years = []
            for a in archived:
                all_days.extend(a.get("top_days", []))
                all_months.extend(a.get("top_months", []))
                all_years.extend(a.get("top_years", []))
            if all_days:
                archived_top_day = max(all_days, key=lambda x: x[1])
            if all_months:
                archived_top_month = max(all_months, key=lambda x: x[1])
            if all_years:
                archived_top_year = max(all_years, key=lambda x: x[1])

            # Combine current and archived stats
            combined_total = total_count + archived_total
            combined_unique = unique_ips + archived_unique
            combined_top_day = top_day if top_day[1] >= archived_top_day[1] else archived_top_day
            combined_top_month = top_month if top_month[1] >= archived_top_month[1] else archived_top_month
            combined_top_year = top_year if top_year[1] >= archived_top_year[1] else archived_top_year

            # Calculate averages
            day_counts, month_counts, year_counts = db.get_period_stats()
            arv_day = round(combined_total / max(1, len(day_counts)), 2) if day_counts else 0
            arv_month = round(combined_total / max(1, len(month_counts)), 2) if month_counts else 0
            arv_year = round(combined_total / max(1, len(year_counts)), 2) if year_counts else 0

            return {
                "today": today_count,
                "month": month_count,
                "year": year_count,
                "total": combined_total,
                "unique_ips": combined_unique,
                "top_day": combined_top_day,
                "top_month": combined_top_month,
                "top_year": combined_top_year,
                "blocked_ips": blocked_ips_count,
                "arv_day": arv_day,
                "arv_month": arv_month,
                "arv_year": arv_year,
                "day_count": len(day_counts),
                "month_count": len(month_counts),
                "year_count": len(year_counts)
            }
        except Exception as e:
            logging.error(f"Failed to fetch stats: {e}")
            # Return empty stats to avoid template errors
            return {
                "today": 0,
                "month": 0,
                "year": 0,
                "total": 0,
                "unique_ips": 0,
                "top_day": ("N/A", 0),
                "top_month": ("N/A", 0),
                "top_year": ("N/A", 0),
                "blocked_ips": 0,
                "arv_day": 0,
                "arv_month": 0,
                "arv_year": 0,
                "day_count": 0,
                "month_count": 0,
                "year_count": 0
            }

# --- Admin Auth Decorator ---
def admin_required(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        admin_pw = os.getenv("ADMIN_DASHBOARD_PASSWORD", "changeme")
        if not admin_pw:
            return "Admin password not set.", 403
        auth = request.authorization
        if not auth or auth.username != "admin" or auth.password != admin_pw:
            return (
                "Authentication required",
                401,
                {"WWW-Authenticate": 'Basic realm="Admin Dashboard"'},
            )
        return f(*args, **kwargs)
    return decorated

# --- Discord OAuth2 Config ---
DISCORD_CLIENT_ID = os.getenv("DISCORD_CLIENT_ID")
DISCORD_CLIENT_SECRET = os.getenv("DISCORD_CLIENT_SECRET")
DISCORD_REDIRECT_URI = os.getenv("DISCORD_REDIRECT_URI", "http://localhost:5000/callback/discord")
DISCORD_OAUTH_SCOPE = "identify"
DISCORD_API_BASE = "https://discord.com/api"
# List of allowed Discord user IDs (website owners)
DASHBOARD_ALLOWED_USERS = {"1132413940693995541"}  # Add more IDs as needed

# --- Dashboard User Permissions Database ---
def get_user_permissions(discord_id):
    user = db.db["dashboard_users"].find_one({"discord_id": discord_id})
    # --- Role-based permissions ---
    role_perms = {
        "owner": {
            "can_view_stats": True,
            "can_view_events": True,
            "can_view_blocked": True,
            "can_view_database": True,
            "can_manage_database": True,  # Full access to all database operations
            "can_edit_documents": True,   # Edit existing documents
            "can_delete_documents": True, # Delete individual documents
            "can_clear_collections": True, # Clear entire collections
            "can_view_settings": True,
            "can_manage_users": True,
            "can_export": True,
            "can_clear_data": True,
            "can_edit_settings": True,
        },
        "admin": {
            "can_view_stats": True,
            "can_view_events": True,
            "can_view_blocked": True,
            "can_view_database": True,
            "can_manage_database": True,  # Full access to all database operations
            "can_edit_documents": True,   # Edit existing documents
            "can_delete_documents": True, # Delete individual documents
            "can_clear_collections": True, # Clear entire collections
            "can_view_settings": True,
            "can_manage_users": True,
            "can_export": True,
            "can_clear_data": True,
            "can_edit_settings": True,
        },
        "moderator": {
            "can_view_stats": True,
            "can_view_events": True,
            "can_view_blocked": True,
            "can_view_database": False,
            "can_view_settings": False,
            "can_manage_users": False,
            "can_export": False,
            "can_clear_data": False,
            "can_edit_settings": False
        },
        "analyst": {
            "can_view_stats": True,
            "can_view_events": True,
            "can_view_database": True,
            "can_export": True,
            "can_view_blocked": False,
            "can_view_settings": False,
            "can_manage_users": False,
            "can_clear_data": False,
            "can_edit_settings": False
        },
        "user": {
            "can_view_stats": True,
            "can_view_events": False,
            "can_view_blocked": False,
            "can_view_database": False,
            "can_view_settings": False,
            "can_manage_users": False,
            "can_export": False,
            "can_clear_data": False,
            "can_edit_settings": False
        },
        "custom": {}
    }
    if not user:
        return {"role": "user", "permissions": role_perms["user"]}
    role = user.get("role", "user")
    if role not in role_perms:
        role = "user"
    perms = dict(role_perms[role])
    if role == "custom":
        perms.update(user.get("permissions", {}))
    # Always include can_manage_users in the top-level for easier JS checks
    top_level = dict(perms)
    top_level["role"] = role
    return {"role": role, "permissions": perms, **top_level}


def dashboard_login_required(f):
    from functools import wraps
    @wraps(f)
    def decorated(*args, **kwargs):
        user = session.get("discord_user")
        if not user:
            return redirect(url_for("login_discord"))
        return f(*args, **kwargs)
    return decorated

def require_manage_users(f):
    from functools import wraps
    @wraps(f)
    def decorated(*args, **kwargs):
        user = session.get("discord_user")
        if not user:
            return redirect(url_for("login_discord"))
        perms = get_user_permissions(user["id"])

def require_database_permission(permission):
    """Decorator to check for specific database permissions.
    
    Args:
        permission (str): The permission to check (e.g., 'can_edit_documents', 'can_delete_documents')
    """
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            user = session.get("discord_user")
            if not user or not user.get("id"):
                return jsonify({"success": False, "error": "Unauthorized"}), 401
            perms = get_user_permissions(user["id"])
            if not perms.get("permissions", {}).get(permission, False):
                return jsonify({"success": False, "error": "Insufficient permissions"}), 403
            return f(*args, **kwargs)
        return decorated_function
    return decorator

# --- Delete user API for permissions tab modal ---
@app.route("/dashboard/api/users/delete", methods=["POST"])
@dashboard_login_required
@require_database_permission("can_manage_users")
def dashboard_api_users_delete():
    data = request.get_json()
    discord_id = data.get("discord_id")
    if not discord_id:
        return jsonify({"success": False, "error": "Missing Discord ID"}), 400
    user = db.db["dashboard_users"].find_one({"discord_id": discord_id})
    if user and user.get("role") == "owner":
        return jsonify({"success": False, "error": "Cannot delete owner"}), 403
    db.db["dashboard_users"].delete_one({"discord_id": discord_id})
    return jsonify({"success": True})

# --- Dashboard Users API for Permissions Tab ---
@app.route('/dashboard/api/users', methods=['GET'])
@dashboard_login_required
def dashboard_api_users():
    user = session.get('discord_user')
    perms = get_user_permissions(user["id"]) if user and "id" in user else {"permissions": {}}
    if not perms["permissions"].get("can_manage_users"):
        return jsonify([]), 403
    users = list(db.db["dashboard_users"].find({}, {"_id": 0}))
    discord_info_cache = {}
    formatted = []
    for u in users:
        discord_id = u.get("discord_id", "")
        # Fetch Discord info only once per user
        if discord_id not in discord_info_cache:
            discord_info_cache[discord_id] = DiscordAPI.get_user_info(discord_id)
        info = discord_info_cache[discord_id]
        formatted.append({
            "avatar_url": info.get("avatar_url") or f"https://cdn.discordapp.com/embed/avatars/{int(discord_id or '0') % 5}.png",
            "avatar_gif": info.get("avatar_gif"),
            "username": info.get("username", "Unknown User"),
            "id": discord_id,
            "role": u.get("role", "user"),
            "permissions": u.get("permissions", {})
        })
    return jsonify(formatted)

# Add this to your app.py
@app.route('/dashboard/api/users/<user_id>', methods=['GET'])
@dashboard_login_required
def get_user_details(user_id):
    """Get details for a specific user"""
    try:
        user = db.db["dashboard_users"].find_one({"discord_id": user_id})
        if not user:
            return jsonify({"error": "User not found"}), 404
            
        # Get Discord info with avatar
        discord_info = DiscordAPI.get_user_info(user_id)
        
        # Check if user is owner (prevent editing owners)
        is_owner = user.get("role") == "owner"
        
        return jsonify({
            "id": user_id,
            "username": discord_info.get("username", "Unknown User"),
            "avatar_url": discord_info.get("avatar_url", ""),
            "role": user.get("role", "user"),
            "permissions": user.get("permissions", {}),
            "is_owner": is_owner
        })
    except Exception as e:
        logger.error(f"Error getting user details: {e}")
        return jsonify({"error": "Internal server error"}), 500
# --- Dashboard Route: Pass user info for header and permissions for tabs ---
@app.route("/dashboard")
@dashboard_login_required
def dashboard():
    # Get user info from session
    user = session.get("discord_user")
    user_id = user["id"] if user and "id" in user else None
    # Always provide a permissions dict for template safety
    user_permissions = get_user_permissions(user_id) if user_id else {"role": "user", "permissions": {}}
    # Provide Discord info for header
    user_discord_info = user if user else None
    # List collections for DB viewer
    db_collections = db.db.list_collection_names() if hasattr(db, "db") else []
    return render_template(
        "dashboard.html",
        user_permissions=user_permissions,
        user_discord_info=user_discord_info,
        db_collections=db_collections
    )

# --- Role mapping: Discord Role ID to Display Name ---
DISCORD_ROLE_MAP = {
    # Replace these with your actual Discord role IDs
    "1371407916581523468": "TACT Owner",
    "1371922931172507678": "Tech House Owner",
    "1371416000054038661": "TikTok Manager",
    "1369443343515389972": "Discord Admin",
    "1369442372408180757": "Discord Moderator",
    "1369442992796074075": "Discord Support",
}

GUILD_ID = os.getenv("DISCORD_GUILD_ID")  # Set this in your .env

# Fetch and group users by role
import collections

def get_guild_members_by_role():
    if not GUILD_ID or not Config.DISCORD_BOT_TOKEN:
        logger.error("Missing GUILD_ID or DISCORD_BOT_TOKEN")
        return {
            "Bot Team": [],
            "Tiktok Team": [],
            "Discord Team": [],
            "TACT Owner": []
        }
    url = f"https://discord.com/api/v10/guilds/{GUILD_ID}/members?limit=1000"
    headers = {"Authorization": f"Bot {Config.DISCORD_BOT_TOKEN}"}
    try:
        resp = requests.get(url, headers=headers, timeout=CONFIG["REQUEST_TIMEOUT"])
        logger.info(f"Discord API /members status: {resp.status_code}")
        if resp.status_code != 200:
            logger.error(f"Failed to fetch guild members: {resp.status_code} {resp.text}")
            return {
                "Bot Team": [],
                "Tiktok Team": [],
                "Discord Team": [],
                "TACT Owner": []
            }
        members = resp.json()
        logger.info(f"Fetched {len(members)} members from Discord API.")
        if not members:
            logger.error(f"Discord API returned no members. Raw response: {resp.text}")

        # Role priority: higher index = higher priority
        role_priority = [
            "TACT Owner",
            "Tech House Owner",
            "TikTok Manager",
            "Discord Admin",
            "Discord Moderator",
            "Discord Support"
        ]
        role_section_map = {
            "TACT Owner": "Bot Team",
            "Tech House Owner": "Tiktok Team",
            "TikTok Manager": "Tiktok Team",
            "Discord Admin": "Discord Team",
            "Discord Moderator": "Discord Team",
            "Discord Support": "Discord Team"
        }

        user_best_role = {}
        user_best_role_name = {}
        tact_owners = []

        for member in members:
            user = member["user"]
            roles = member.get("roles", [])
            avatar = user.get('avatar')
            # Find the highest role for this user
            best_role = None
            best_priority = len(role_priority)
            for role_id in roles:
                role_name = DISCORD_ROLE_MAP.get(role_id)
                if role_name and role_name in role_priority:
                    pri = role_priority.index(role_name)
                    if pri < best_priority:
                        best_priority = pri
                        best_role = role_name
            if best_role:
                user_best_role[user["id"]] = best_role
                user_info = {
                    "id": user["id"],
                    "username": user.get("username", "Unknown"),
                    "avatar_url": f"https://cdn.discordapp.com/avatars/{user['id']}/{avatar}.png?size=128" if avatar else CONFIG["DEFAULT_AVATAR_URL"].format(int(user["id"]) % 5),
                    "avatar_gif": f"https://cdn.discordapp.com/avatars/{user['id']}/{avatar}.gif?size=128" if avatar and isinstance(avatar, str) and avatar.startswith('a_') else None,
                    "role": best_role
                }
                user_best_role_name[user["id"]] = user_info
                if best_role == "TACT Owner":
                    tact_owners.append(user_info)

        # Assign users to sections based on their highest role
        sections = {
            "Bot Team": [],
            "Tiktok Team": [],
            "Discord Team": [],
            "TACT Owner": tact_owners
        }
        for user_id, info in user_best_role_name.items():
            section = role_section_map.get(info["role"])
            if section:
                sections[section].append(info)

        # Sort each section by role priority and username for a clean UI
        def sort_key(u):
            return (role_priority.index(u["role"]), u["username"].lower())

        for key in sections:
            sections[key] = sorted(sections[key], key=sort_key)

        return sections
    except Exception as e:
        logger.error(f"Error fetching guild members: {e}")
        return {
            "Bot Team": [],
            "Tiktok Team": [],
            "Discord Team": [],
            "TACT Owner": []
        }
    
@app.route('/dashboard/api/update_document', methods=['POST'])
@dashboard_login_required
@require_database_permission("can_edit_documents")
def api_update_document():
    collection_name = request.args.get('col')
    doc_id = request.args.get('id')
    
    if not collection_name or not doc_id:
        return jsonify({'success': False, 'error': 'Missing collection or document ID'}), 400
    
    try:
        changes = request.get_json()
        if not changes:
            return jsonify({'success': False, 'error': 'No changes provided'}), 400
            
        # Convert string IDs to ObjectId
        if '_id' in changes and isinstance(changes['_id'], str):
            changes['_id'] = ObjectId(changes['_id'])
            
        collection = db.db[collection_name]
        result = collection.update_one(
            {'_id': ObjectId(doc_id)},
            {'$set': changes}
        )
        
        if result.modified_count > 0 or result.matched_count > 0:
            return jsonify({'success': True})
        else:
            return jsonify({'success': False, 'error': 'No changes made'})
    except Exception as e:
        app.logger.error(f"Error updating document: {str(e)}")
        return jsonify({'success': False, 'error': str(e)}), 500

@app.route('/dashboard/api/delete_document', methods=['DELETE', 'POST'])
@dashboard_login_required
@require_database_permission("can_delete_documents")
def api_delete_document():
    # Try to get parameters from both query string and JSON body for backward compatibility
    collection_name = request.args.get('col') or (request.json.get('collection') if request.is_json else None)
    doc_id = request.args.get('id') or (request.json.get('docId') or request.json.get('id') if request.is_json else None)
    
    if not collection_name or not doc_id:
        return jsonify({'success': False, 'error': 'Missing collection or document ID'}), 400
    
    try:
        collection = db.db[collection_name]
        result = collection.delete_one({'_id': ObjectId(doc_id)})
        
        if result.deleted_count > 0:
            return jsonify({'success': True})
        else:
            return jsonify({'success': False, 'error': 'Document not found'}), 404
    except Exception as e:
        app.logger.error(f"Error deleting document: {str(e)}")
        return jsonify({'success': False, 'error': str(e)}), 500

@app.route('/dashboard/api/delete_field', methods=['POST'])
@dashboard_login_required
def api_delete_field():
    if not request.json:
        return jsonify({'success': False, 'error': 'Invalid request'}), 400
        
    collection_name = request.json.get('collection')
    doc_id = request.json.get('docId')
    field = request.json.get('field')
    
    if not collection_name or not doc_id or not field:
        return jsonify({'success': False, 'error': 'Missing parameters'}), 400
    
    try:
        collection = db.db[collection_name]
        result = collection.update_one(
            {'_id': ObjectId(doc_id)},
            {'$unset': {field: ""}}
        )
        
        if result.modified_count > 0:
            return jsonify({'success': True})
        else:
            return jsonify({'success': False, 'error': 'No changes made'})
    except Exception as e:
        return jsonify({'success': False, 'error': str(e)}), 500

@app.route("/")
def index():
    try:
        # Log the visitor (unique per month)
        ip = IPUtils.get_client_ip()
        now = datetime.now(timezone.utc)
        visitor_data = {
            "ip": ip,
            "timestamp": now.timestamp(),
            "date": now.strftime('%Y-%m-%d'),
            "month": now.strftime('%Y-%m'),
            "year": now.strftime('%Y')
        }
        db.log_visitor(visitor_data)
        stats = StatsManager.get_current_stats()
    except Exception as e:
        logging.error(f"Error getting stats for index: {e}")
        stats = {
            "today": 0,
            "month": 0,
            "year": 0,
            "total": 0,
            "unique_ips": 0,
            "top_day": ("N/A", 0),
            "top_month": ("N/A", 0),
            "top_year": ("N/A", 0),
            "arv_day": 0,
            "arv_month": 0,
            "arv_year": 0,
            "day_count": 0,
            "month_count": 0,
            "year_count": 0
        }
    # Use new grouped team_sections
    team_sections = get_guild_members_by_role()
    # Defensive: always pass force_anti_adblock as a boolean
    force_anti_adblock = os.getenv("FORCE_ANTI_ADBLOCK", "0") == "1"
    return render_template("index.html", stats=stats, team_sections=team_sections, force_anti_adblock=force_anti_adblock)

# --- Discord OAuth2 Login ---
@app.route("/login/discord")
def login_discord():
    return redirect(f"https://discord.com/api/oauth2/authorize?client_id={DISCORD_CLIENT_ID}&redirect_uri={urllib.parse.quote(DISCORD_REDIRECT_URI)}&response_type=code&scope={DISCORD_OAUTH_SCOPE}")

@app.route("/callback/discord")
def callback_discord():
    code = request.args.get("code")
    if not code:
        return "Missing code parameter", 400
    # Exchange code for access token
    token_url = "https://discord.com/api/oauth2/token"
    token_data = {
        "client_id": DISCORD_CLIENT_ID,
        "client_secret": DISCORD_CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": DISCORD_REDIRECT_URI
    }
    try:
        # Use application/x-www-form-urlencoded as required by Discord
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        token_response = requests.post(token_url, data=token_data, headers=headers, timeout=CONFIG["REQUEST_TIMEOUT"])
        if token_response.status_code != 200:
            logger.error(f"Discord token exchange failed: {token_response.status_code} {token_response.text}")
            return f"Discord token exchange failed: {token_response.text}", 500
        tokens = token_response.json()
        access_token = tokens.get("access_token")
        if not access_token:
            return "Failed to obtain access token", 500
    except Exception as e:
        logger.error(f"Error during Discord OAuth2 token exchange: {e}")
        return "Error during authentication", 500

    # Fetch user info using access_token
    user_info = DiscordAPI.get_user_info("me", access_token=access_token)
    # REMOVE: Only allow specific users
    # if not user_info or user_info.get("id") not in DASHBOARD_ALLOWED_USERS:
    #     return "You are not authorized to access this dashboard.", 403

    # Store user info in session
    session["discord_user"] = user_info
    return redirect(url_for("dashboard"))

# --- Logout Route ---
@app.route("/logout")
def logout():
    session.pop("discord_user", None)
    return redirect(url_for("index"))

# --- Stats API: Return current stats ---
@app.route("/dashboard/api/stats")
@dashboard_login_required
def dashboard_api_stats():
    # Return all real stats for dashboard.js
    stats = StatsManager.get_current_stats()
    return jsonify(stats)

@app.route("/get_stats")
def get_stats():
    stats = StatsManager.get_current_stats()
    return jsonify(stats)

# --- Blocked IPs Check ---
def block_check():
    ip = IPUtils.get_client_ip()
    block = db.get_blocked_ip(ip)
    if block:
        now = time.time()
        unblock_time = block.get("unblock_time", 0)
        # If unblock_time is 0 (permanent) or in the future, block
        if unblock_time == 0 or unblock_time > now:
            # Always render blocked.html for blocked users
            reason = block.get("reason", "Blocked")
            block_time = block.get("blocked_at", 0)
            admin_id = block.get("admin_id")
            admin_info = DiscordAPI.get_user_info(admin_id) if admin_id else None
            remaining = int(unblock_time - now) if unblock_time > 0 else None
            return render_template(
                "blocked.html",
                ip=ip,
                reason=reason,
                unblock_time=unblock_time,
                block_time=block_time,
                remaining=remaining,
                admin_id=admin_id,
                admin_info=admin_info
            ), 403
        else:
            db.unblock_ip(ip)
    return None

@app.before_request
def before_request_block_check():
    allowed_paths = [
        '/static/', '/login/discord', '/callback/discord', '/logout', '/blocked'
    ]
    if any(request.path.startswith(p) for p in allowed_paths):
        return
    if request.path in ('/favicon.ico', '/robots.txt'):
        return
    if request.method not in ('GET', 'POST', 'HEAD'):
        return
    # Suspicious activity detection...
    user_agent = request.headers.get('User-Agent', '').lower()
    ip = IPUtils.get_client_ip()
    for bad in CONFIG.get("USER_AGENT_BLACKLIST", []):
        if bad in user_agent:
            log_suspicious_activity(ip, user_agent, f"Suspicious User-Agent: {bad}")
            break
    # Block check
    result = block_check()
    if result:
        return result

# All routes using @dashboard_login_required and @require_owner must be below these definitions!

now = datetime.now()

@app.template_filter('timestamp_to_utc')
def timestamp_to_utc_filter(ts):
    try:
        return datetime.utcfromtimestamp(ts).strftime('%Y-%m-%d %H:%M UTC')
    except Exception:
        return str(ts)

# --- Discord API endpoint for user info (nickname/username) ---
@app.route("/dashboard/api/discord_user_info")
def api_discord_user_info():
    user_id = request.args.get("id")
    if not user_id:
        return jsonify({})
    # Try to get nickname from guild, fallback to username
    # You must have your bot in the guild and proper permissions
    # For demo: fallback to username only
    info = DiscordAPI.get_user_info(user_id)
    # If you want to fetch nickname from a guild, you can extend DiscordAPI.get_user_info to do so
    return jsonify({
        "username": info.get("username"),
        "nickname": info.get("username")  # Replace with actual nickname if available
    })

@app.route("/dashboard/api/remove_ip_everywhere", methods=["POST"])
@dashboard_login_required
def dashboard_remove_ip_everywhere():
    user = session.get("discord_user")
    perms = get_user_permissions(user["id"])
    if not perms["permissions"].get("can_view_blocked"):
        return jsonify({"success": False, "error": "No permission"}), 403
    ip = request.json.get("ip")
    if not ip:
        return jsonify({"success": False, "error": "No IP provided"}), 400
    # Remove from all collections except blocked_ips
    try:
        skip = {"blocked_ips"}
        for col in db.db.list_collection_names():
            if col in skip:
                continue
            db.db[col].delete_many({"ip": ip})
        return jsonify({"success": True})
    except Exception as e:
        return jsonify({"success": False, "error": str(e)}), 500

@app.route("/dashboard/api/blocked_ips")
@dashboard_login_required
def dashboard_blocked_ips():
    # Return a list of blocked IPs from the database
    blocked_ips = db.get_blocked_ips(limit=100)
    # Convert ObjectId and timestamps for JSON serialization
    def serialize_ip(ip):
        ip = dict(ip)
        ip.pop('_id', None)
        # Ensure blocked_at and unblock_time are numbers (float or int)
        if 'blocked_at' in ip:
            try:
                ip['blocked_at'] = float(ip['blocked_at'])
            except Exception:
                ip['blocked_at'] = 0
        if 'unblock_time' in ip:
            try:
                ip['unblock_time'] = int(ip['unblock_time'])
            except Exception:
                ip['unblock_time'] = 0
        return ip
    return jsonify([serialize_ip(ip) for ip in blocked_ips])

@app.route("/dashboard/api/block_ip", methods=["POST"])
@dashboard_login_required
def dashboard_block_ip():
    user = session.get("discord_user")
    perms = get_user_permissions(user["id"])
    # Fix: allow block_ip only for users with can_manage_users or can_view_blocked
    if not (perms["permissions"].get("can_manage_users") or perms["permissions"].get("can_view_blocked")):
        return jsonify({"success": False, "error": "No permission"}), 403
    data = request.get_json()
    ip = data.get("ip")
    reason = data.get("reason", "Manual block")
    duration = data.get("duration", 0)
    try:
        duration = int(duration)
    except Exception:
        duration = 0
    if not ip:
        return jsonify({"success": False, "error": "No IP provided"}), 400
    # If duration is 0, block permanently; otherwise, block for duration seconds from now
    unblock_time = 0 if duration == 0 else int(time.time()) + duration
    admin_id = user["id"] if user and "id" in user else None
    db.block_ip(ip, unblock_time, reason, admin_id=admin_id)
    return jsonify({"success": True, "message": f"Blocked {ip}"})

@app.route('/dashboard/api/unblock_ip', methods=['POST'])
@dashboard_login_required
def api_unblock_ip():
    user = session.get("discord_user")
    perms = get_user_permissions(user["id"])
    if not (perms["permissions"].get("can_manage_users") or perms["permissions"].get("can_view_blocked")):
        return jsonify(success=False, message='No permission'), 403
    data = request.get_json()
    ip = data.get('ip')
    if not ip:
        return jsonify(success=False, message='No IP provided'), 400
    try:
        result = db.blocked_ips.delete_one({'ip': ip})
        if result.deleted_count > 0:
            return jsonify(success=True, message=f'Unblocked {ip}')
        else:
            return jsonify(success=False, message='IP not found or already unblocked'), 404
    except Exception as e:
        return jsonify(success=False, message=str(e)), 500

@app.route('/dashboard/api/clear_blocked', methods=['POST'])
@dashboard_login_required
def api_clear_blocked():
    user = session.get("discord_user")
    perms = get_user_permissions(user["id"])
    if not (perms["permissions"].get("can_manage_users") or perms["permissions"].get("can_view_blocked")):
        return jsonify(success=False, message='No permission'), 403
    try:
        result = db.blocked_ips.delete_many({})
        if result.deleted_count > 0:
            return jsonify(success=True, message='All blocked IPs cleared')
        else:
            return jsonify(success=False, message='No blocked IPs to clear'), 404
    except Exception as e:
        return jsonify(success=False, message=str(e)), 500

# --- Database Viewer API for dashboard.js compatibility ---
@app.route("/dashboard/api/db_collection", methods=["GET", "DELETE"])
@dashboard_login_required
def dashboard_api_db_collection():
    """
    GET: Returns all documents in the specified collection.
    DELETE: Clears all documents from the specified collection (requires can_manage_database).
    Query param: col (collection name)
    """
    collection_name = request.args.get("col")
    if not collection_name:
        return jsonify({"success": False, "error": "Collection name is required"}), 400

    # Prevent access to system collections
    if collection_name.startswith("system."):
        return jsonify({"success": False, "error": "System collections not allowed"}), 400

    try:
        # Check if collection exists
        if collection_name not in db.db.list_collection_names():
            return jsonify({"success": False, "error": f"Collection '{collection_name}' not found"}), 404

        collection = db.db[collection_name]

        # Handle DELETE (clear collection)
        if request.method == "DELETE":
            user = session.get("discord_user")
            perms = get_user_permissions(user["id"]) if user and "id" in user else {"permissions": {}}
            if not perms.get("permissions", {}).get("can_manage_database"):
                return jsonify({"success": False, "error": "Insufficient permissions"}), 403
            result = collection.delete_many({})
            return jsonify({
                "success": True,
                "message": f"Cleared {result.deleted_count} documents from '{collection_name}'",
                "deleted_count": result.deleted_count
            })

        # Handle GET (fetch collection)
        documents = list(collection.find({}))
        serialized_docs = []
        for doc in documents:
            serialized = {}
            for key, value in doc.items():
                if isinstance(value, datetime):
                    serialized[key] = value.isoformat()
                elif isinstance(value, ObjectId):
                    serialized[key] = str(value)
                else:
                    serialized[key] = value
            serialized_docs.append(serialized)
        return jsonify({
            "success": True,
            "collection": collection_name,
            "count": len(serialized_docs),
            "data": serialized_docs
        })
    except Exception as e:
        import traceback
        app.logger.error(f"Error in /dashboard/api/db_collection: {e}\n{traceback.format_exc()}")
        return jsonify({
            "success": False,
            "error": str(e),
            "collection": collection_name
        }), 500

@app.route("/dashboard/api/suspicious_logs", methods=["GET"])
@dashboard_login_required
def dashboard_api_suspicious_logs():
    """
    API endpoint to fetch suspicious activity logs.

    Returns a JSON array of log entries with proper error handling.
    """
    try:
        # Get user and permissions
        user = session.get("discord_user")
        if not user or not user.get("id"):
            logger.warning("Unauthorized access attempt to suspicious_logs endpoint")
            return jsonify({"success": False, "error": "Unauthorized"}), 401
            
        perms = get_user_permissions(user["id"])
        if not perms["permissions"].get("can_view_events"):
            logger.warning(f"User {user['id']} attempted to access suspicious logs without permission")
            return jsonify({"success": False, "error": "Insufficient permissions"}), 403
        
        # Log the request
        logger.info(f"Fetching suspicious logs for user {user['id']} ({user.get('username', 'unknown')})")
        
        try:
            # Query the database with a timeout to prevent hanging
            logs_cursor = db.suspicious_logs.find().sort("timestamp", -1).limit(100)
            logs = list(logs_cursor)
            
            logger.info(f"Successfully fetched {len(logs)} suspicious log entries")
            
            # Process logs for JSON serialization
            processed_logs = []
            for log in logs:
                try:
                    processed_log = {
                        "_id": str(log.get("_id", "")),
                        "ip": log.get("ip", ""),
                        "user_agent": log.get("user_agent", ""),
                        "reason": log.get("reason", ""),
                        "extra": log.get("extra", {}),
                        "timestamp": float(log.get("timestamp", 0))
                    }
                    processed_logs.append(processed_log)
                except Exception as log_error:
                    logger.error(f"Error processing log entry {log.get('_id')}: {log_error}")
                    continue
            
            return jsonify({
                "success": True,
                "data": processed_logs,
                "count": len(processed_logs),
                "timestamp": time.time()
            })
            
        except Exception as db_error:
            logger.error(f"Database error in suspicious_logs endpoint: {str(db_error)}", exc_info=True)
            return jsonify({
                "success": False,
                "error": "Database error occurred",
                "details": str(db_error)
            }), 500
            
    except Exception as e:
        logger.critical(f"Unexpected error in suspicious_logs endpoint: {str(e)}", exc_info=True)
        return jsonify({
            "success": False,
            "error": "An unexpected error occurred",
            "details": str(e)
        }), 500


# --- Suspicious Activity Logging & Discord Alerting ---
def log_suspicious_activity(ip, user_agent, reason, extra=None):
    now = datetime.now(timezone.utc)
    log_entry = {
        "ip": ip,
        "user_agent": user_agent,
        "reason": reason,
        "timestamp": now.timestamp(),
        "date": now.strftime('%Y-%m-%d'),
        "time": now.strftime('%H:%M:%S'),
        "path": request.path,
        "method": request.method,
        "extra": extra or {}
    }
    try:
        db.suspicious_logs.insert_one(log_entry)
        logger.warning(f"Suspicious activity logged: {reason} from IP {ip}")
        # Send Discord alert if webhook is configured
        webhook_url = os.getenv("DISCORD_ALERT_WEBHOOK")
        if webhook_url:
            embed = {
                "title": "⚠️ Suspicious Activity Detected",
                "color": CONFIG["DISCORD_EMBED_COLOR"],
                "fields": [
                    {"name": "IP", "value": f"`{ip}`", "inline": True},
                    {"name": "User-Agent", "value": f"```\n{str(user_agent)[:256]}\n```", "inline": False},
                    {"name": "Reason", "value": reason, "inline": False},
                    {"name": "Path", "value": request.path, "inline": True},
                    {"name": "Method", "value": request.method, "inline": True},
                    {"name": "Action", "value": extra.get('action', 'N/A') if extra else 'N/A', "inline": True},
                ],
                "timestamp": now.isoformat()
            }
            data = {"embeds": [embed]}
            try:
                requests.post(webhook_url, json=data, timeout=3)
            except Exception as e:
                logger.error(f"Failed to send Discord webhook for suspicious activity: {e}")
    except Exception as e:
        logger.error(f"Failed to log suspicious activity: {e}")

def block_check():
    """
    Check if the current IP is blocked or should be rate limited.
    Returns a response if the request should be blocked, None otherwise.
    """
    ip = IPUtils.get_client_ip()
    # Check if IP is blocked
    blocked = db.get_blocked_ip(ip)
    if blocked:
        if blocked['unblock_time'] > 0 and time.time() > blocked['unblock_time']:
            # Unblock expired block
            db.unblock_ip(ip)
        else:
            # Still blocked
            return make_response(
                jsonify({"success": False, "error": f"IP blocked until {datetime.fromtimestamp(blocked['unblock_time']).isoformat() if blocked['unblock_time'] > 0 else 'indefinitely'}"}),
                403
            )
    return None

# --- Integrate suspicious activity detection into before_request ---
@app.before_request
def before_request_block_check():
    # Allow static files, login, logout, callback, and blocked page itself
    allowed_paths = [
        '/static/', '/login/discord', '/callback/discord', '/logout', '/blocked'
    ]
    if any(request.path.startswith(p) for p in allowed_paths):
        return
    # Don't block favicon or robots.txt
    if request.path in ('/favicon.ico', '/robots.txt'):
        return
    # Only block for GET/POST/HEAD
    if request.method not in ('GET', 'POST', 'HEAD'):
        return
    ip = IPUtils.get_client_ip()
    user_agent = request.headers.get('User-Agent', '').lower()
    path = request.path
    # Enhanced User-Agent checking
    for bad_ua in CONFIG.get("USER_AGENT_BLACKLIST", []):
        if bad_ua.lower() in user_agent:
            log_suspicious_activity(
                ip=ip,
                user_agent=user_agent,
                reason=f"Blacklisted User-Agent: {bad_ua}",
                extra={
                    "action": "BLOCKED",
                    "path": path
                }
            )
            db.block_ip(ip, time.time() + CONFIG["BLOCK_DURATION"], f"Blacklisted User-Agent: {bad_ua}")
            return abort(403, "Access denied - Suspicious activity detected")
    if ip in CONFIG.get("IP_BLACKLIST", []):
        log_suspicious_activity(
            ip=ip,
            user_agent=user_agent,
            reason="Blacklisted IP",
            extra={
                "action": "BLOCKED",
                "path": path
            }
        )
        return abort(403, "Access denied - Blacklisted IP")
    result = block_check()
    if result:
        return result

@app.route("/blocked")
def blocked_page():
    ip = IPUtils.get_client_ip()
    block = db.get_blocked_ip(ip)
    unblock_time = block.get("unblock_time", 0) if block else 0
    reason = block.get("reason", "Blocked") if block else "Blocked"
    block_time = block.get("blocked_at", 0) if block else 0
    admin_id = block.get("admin_id") if block else None
    admin_info = DiscordAPI.get_user_info(admin_id) if admin_id else None
    remaining = int(unblock_time - time.time()) if unblock_time > 0 else None
    return render_template(
        "blocked.html",
        ip=ip,
        reason=reason,
        unblock_time=unblock_time,
        block_time=block_time,
        remaining=remaining,
        admin_id=admin_id,
        admin_info=admin_info
    ), 403

if __name__ == "__main__":
    import sys
    try:
        app.run(host="0.0.0.0", port=int(os.getenv("PORT", 5000)), debug=True)
    except Exception as e:
        logging.error(f"Failed to start Flask app: {e}")
        sys.exit(1)