"""Auth models for Navi user identity."""

import hashlib

from pydantic import BaseModel

from ._ddl import _ensure_auth_tables


def make_gravatar_url(email: str, size: int = 128) -> str:
    """Generate a Gravatar URL from an email address."""
    email_hash = hashlib.md5(email.lower().strip().encode()).hexdigest()
    return f"https://www.gravatar.com/avatar/{email_hash}?s={size}&d=identicon"


class User(BaseModel):
    """Authenticated Navi user, resolved from gnexus-auth."""

    id: str
    email: str
    display_name: str | None = None
    avatar_url: str | None = None
    role: str = "user"  # "user" | "admin"
    permissions: list[str] = []

    def has_permission(self, permission: str) -> bool:
        """Check if user has a specific permission.

        Admin role implies all permissions.
        """
        return self.role == "admin" or permission in self.permissions