from flask import g
from werkzeug.local import LocalProxy

from flask_dance.consumer import OAuth2ConsumerBlueprint

__maintainer__ = "David Baumgold <david@davidbaumgold.com>"


def make_google_blueprint(
    client_id=None,
    client_secret=None,
    *,
    scope=None,
    offline=False,
    reprompt_consent=False,
    reprompt_select_account=False,
    redirect_url=None,
    redirect_to=None,
    login_url=None,
    authorized_url=None,
    session_class=None,
    storage=None,
    hosted_domain=None,
    rule_kwargs=None,
):
    """
    Make a blueprint for authenticating with Google using OAuth 2. This requires
    a client ID and client secret from Google. You should either pass them to
    this constructor, or make sure that your Flask application config defines
    them, using the variables :envvar:`GOOGLE_OAUTH_CLIENT_ID` and
    :envvar:`GOOGLE_OAUTH_CLIENT_SECRET`.

    Args:
        client_id (str): The client ID for your application on Google
        client_secret (str): The client secret for your application on Google
        scope (str, optional): comma-separated list of scopes for the OAuth token.
            Defaults to the "https://www.googleapis.com/auth/userinfo.profile" scope.
        offline (bool): Whether to request `offline access
            <https://developers.google.com/accounts/docs/OAuth2WebServer#offline>`_
            for the OAuth token. Defaults to False
        reprompt_consent (bool): If True, force Google to re-prompt the user
            for their consent, even if the user has already given their
            consent. Defaults to False
        reprompt_select_account (bool): If True, force Google to re-prompt the select account page,
            even if there is a single logged-in user. Defaults to False
        redirect_url (str): the URL to redirect to after the authentication
            dance is complete
        redirect_to (str): if ``redirect_url`` is not defined, the name of the
            view to redirect to after the authentication dance is complete.
            The actual URL will be determined by :func:`flask.url_for`
        login_url (str, optional): the URL path for the ``login`` view.
            Defaults to ``/google``
        authorized_url (str, optional): the URL path for the ``authorized`` view.
            Defaults to ``/google/authorized``.
        session_class (class, optional): The class to use for creating a
            Requests session. Defaults to
            :class:`~flask_dance.consumer.requests.OAuth2Session`.
        storage: A token storage class, or an instance of a token storage
                class, to use for this blueprint. Defaults to
                :class:`~flask_dance.consumer.storage.session.SessionStorage`.
        hosted_domain (str, optional): The domain of the G Suite user. Used to indicate that the account selection UI
            should be optimized for accounts at this domain. Note that this only provides UI optimization, and requires
            response validation (see warning).
        rule_kwargs (dict, optional): Additional arguments that should be passed when adding
            the login and authorized routes. Defaults to ``None``.

    .. _google_hosted_domain_warning:
    .. warning::
       The ``hosted_domain`` argument **only provides UI optimization**. Don't rely on this argument to control
       who can access your application. You must verify that the ``hd`` claim of the response ID token matches the
       ``hosted_domain`` argument passed to ``make_google_blueprint``.

    :rtype: :class:`~flask_dance.consumer.OAuth2ConsumerBlueprint`
    :returns: A :doc:`blueprint <flask:blueprints>` to attach to your Flask app.
    """
    scope = scope or ["https://www.googleapis.com/auth/userinfo.profile"]
    authorization_url_params = {}
    prompt_params = []
    auto_refresh_url = None
    if offline:
        authorization_url_params["access_type"] = "offline"
        auto_refresh_url = "https://accounts.google.com/o/oauth2/token"
    if reprompt_consent:
        prompt_params.append("consent")
    if reprompt_select_account:
        prompt_params.append("select_account")
    if prompt_params:
        prompt_params = " ".join(prompt_params)
        authorization_url_params["prompt"] = prompt_params
    if hosted_domain:
        authorization_url_params["hd"] = hosted_domain
    google_bp = OAuth2ConsumerBlueprint(
        "google",
        __name__,
        client_id=client_id,
        client_secret=client_secret,
        scope=scope,
        base_url="https://www.googleapis.com/",
        authorization_url="https://accounts.google.com/o/oauth2/auth",
        token_url="https://accounts.google.com/o/oauth2/token",
        auto_refresh_url=auto_refresh_url,
        redirect_url=redirect_url,
        redirect_to=redirect_to,
        login_url=login_url,
        authorized_url=authorized_url,
        authorization_url_params=authorization_url_params,
        session_class=session_class,
        storage=storage,
        rule_kwargs=rule_kwargs,
    )
    google_bp.from_config["client_id"] = "GOOGLE_OAUTH_CLIENT_ID"
    google_bp.from_config["client_secret"] = "GOOGLE_OAUTH_CLIENT_SECRET"

    @google_bp.before_app_request
    def set_applocal_session():
        g.flask_dance_google = google_bp.session

    return google_bp


google = LocalProxy(lambda: g.flask_dance_google)