# -*- coding: utf-8 -*-
"""
Accounts Views

This module contains all views for the accounts application,
including authentication, user management, role and permission management,
and security monitoring.

Views included:
- Authentication views (login, logout, password management)
- User management views (profile, settings, user list)
- Role and permission management views
- Security monitoring views
- API views for AJAX requests

Author: Adtlas Development Team
Version: 1.0.0
Created: 2024
"""

import json
import logging
from datetime import datetime, timedelta
from typing import Dict, Any, Optional, List

from django.shortcuts import render, redirect, get_object_or_404
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.models import User
from django.contrib.auth.decorators import login_required, user_passes_test
from django.contrib.auth.forms import PasswordChangeForm
from django.contrib import messages
from django.http import JsonResponse, HttpResponse, HttpRequest
from django.views.decorators.http import require_http_methods, require_POST
from django.views.decorators.csrf import csrf_exempt
from django.utils import timezone
from django.utils.translation import gettext as _
from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
from django.db.models import Q, Count, Avg
from django.db import transaction
from django.conf import settings
from django.urls import reverse
from django.template.loader import render_to_string
from django.core.mail import send_mail
from django.contrib.auth.tokens import default_token_generator
from django.utils.http import urlsafe_base64_encode, urlsafe_base64_decode
from django.utils.encoding import force_bytes, force_str
from django.core.exceptions import ValidationError
from django.views.generic import ListView, DetailView, CreateView, UpdateView, DeleteView
from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin

from .models import (
    UserProfile, Role, Permission, UserRole, RolePermission,
    UserSession, SecurityLog, APIKey, UserAccess
)
from .forms import (
    LoginForm, UserProfileForm, RoleForm, PermissionForm,
    UserRoleForm, APIKeyForm, UserAccessForm, PasswordResetForm
)
from .utils import (
    get_client_ip, get_user_agent_info, log_security_event,
    check_rate_limit, generate_api_key, encrypt_password
)
from .decorators import permission_required, role_required

# Configure logging
logger = logging.getLogger(__name__)


# ============================================================================
# Authentication Views
# ============================================================================

def login_view(request: HttpRequest) -> HttpResponse:
    """
    Handle user login with security features.
    
    This view handles user authentication with additional security features
    including rate limiting, account lockout, and security logging.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Login page or redirect to dashboard
    """
    # Redirect if user is already authenticated
    if request.user.is_authenticated:
        return redirect('core:dashboard')
    
    # Get client information for security logging
    ip_address = get_client_ip(request)
    user_agent = request.META.get('HTTP_USER_AGENT', '')
    
    # Check rate limiting for this IP address
    if not check_rate_limit(ip_address, 'login', limit=5, window=300):  # 5 attempts per 5 minutes
        log_security_event(
            event_type='login_blocked',
            severity='medium',
            description=f'Login rate limit exceeded for IP: {ip_address}',
            ip_address=ip_address,
            user_agent=user_agent,
            request_path=request.path
        )
        messages.error(request, _('Too many login attempts. Please try again later.'))
        return render(request, 'accounts/login.html', {'form': LoginForm()})
    
    if request.method == 'POST':
        form = LoginForm(request.POST)
        if form.is_valid():
            username = form.cleaned_data['username']
            password = form.cleaned_data['password']
            remember_me = form.cleaned_data.get('remember_me', False)
            
            # Attempt authentication
            user = authenticate(request, username=username, password=password)
            
            if user is not None:
                # Check if user account is active
                if not user.is_active:
                    log_security_event(
                        user=user,
                        event_type='login_failed',
                        severity='medium',
                        description='Login attempt on inactive account',
                        ip_address=ip_address,
                        user_agent=user_agent
                    )
                    messages.error(request, _('Your account has been deactivated.'))
                    return render(request, 'accounts/login.html', {'form': form})
                
                # Check if account is locked
                try:
                    profile = user.userprofile
                    if profile.is_account_locked():
                        log_security_event(
                            user=user,
                            event_type='login_blocked',
                            severity='medium',
                            description='Login attempt on locked account',
                            ip_address=ip_address,
                            user_agent=user_agent
                        )
                        messages.error(request, _('Your account is temporarily locked due to multiple failed login attempts.'))
                        return render(request, 'accounts/login.html', {'form': form})
                except UserProfile.DoesNotExist:
                    # Create profile if it doesn't exist
                    UserProfile.objects.create(user=user)
                    profile = user.userprofile
                
                # Successful login
                login(request, user)
                
                # Reset failed login attempts
                profile.failed_login_attempts = 0
                profile.account_locked_until = None
                profile.last_login_ip = ip_address
                profile.save(update_fields=['failed_login_attempts', 'account_locked_until', 'last_login_ip'])
                
                # Set session expiry based on remember_me
                if not remember_me:
                    request.session.set_expiry(0)  # Session expires when browser closes
                else:
                    request.session.set_expiry(settings.SESSION_COOKIE_AGE)
                
                # Create user session record
                user_agent_info = get_user_agent_info(user_agent)
                UserSession.objects.create(
                    user=user,
                    session_key=request.session.session_key,
                    ip_address=ip_address,
                    user_agent=user_agent,
                    device_type=user_agent_info.get('device_type', 'unknown'),
                    browser=user_agent_info.get('browser', ''),
                    operating_system=user_agent_info.get('os', ''),
                    expires_at=timezone.now() + timedelta(seconds=request.session.get_expiry_age())
                )
                
                # Log successful login
                log_security_event(
                    user=user,
                    event_type='login_success',
                    severity='low',
                    description='Successful user login',
                    ip_address=ip_address,
                    user_agent=user_agent,
                    session_key=request.session.session_key
                )
                
                # Redirect to next page or dashboard
                next_url = request.GET.get('next', reverse('core:dashboard'))
                messages.success(request, _(f'Welcome back, {user.get_full_name() or user.username}!'))
                return redirect(next_url)
            
            else:
                # Failed login attempt
                try:
                    user = User.objects.get(username=username)
                    profile = user.userprofile
                    profile.failed_login_attempts += 1
                    
                    # Lock account after 5 failed attempts
                    if profile.failed_login_attempts >= 5:
                        profile.account_locked_until = timezone.now() + timedelta(minutes=30)
                        log_security_event(
                            user=user,
                            event_type='account_locked',
                            severity='high',
                            description='Account locked due to multiple failed login attempts',
                            ip_address=ip_address,
                            user_agent=user_agent
                        )
                        messages.error(request, _('Account locked due to multiple failed login attempts. Please try again in 30 minutes.'))
                    else:
                        remaining_attempts = 5 - profile.failed_login_attempts
                        messages.error(request, _(f'Invalid credentials. {remaining_attempts} attempts remaining.'))
                    
                    profile.save(update_fields=['failed_login_attempts', 'account_locked_until'])
                    
                    log_security_event(
                        user=user,
                        event_type='login_failed',
                        severity='medium',
                        description='Failed login attempt',
                        ip_address=ip_address,
                        user_agent=user_agent
                    )
                
                except User.DoesNotExist:
                    # Log failed login for non-existent user
                    log_security_event(
                        event_type='login_failed',
                        severity='medium',
                        description=f'Login attempt with non-existent username: {username}',
                        ip_address=ip_address,
                        user_agent=user_agent
                    )
                    messages.error(request, _('Invalid credentials.'))
        
        else:
            messages.error(request, _('Please correct the errors below.'))
    
    else:
        form = LoginForm()
    
    return render(request, 'accounts/login.html', {'form': form})


@login_required
def logout_view(request: HttpRequest) -> HttpResponse:
    """
    Handle user logout with session cleanup.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Redirect to login page
    """
    # Get session information before logout
    session_key = request.session.session_key
    ip_address = get_client_ip(request)
    
    # Update user session record
    try:
        user_session = UserSession.objects.get(
            user=request.user,
            session_key=session_key,
            is_active=True
        )
        user_session.terminate(reason='user')
    except UserSession.DoesNotExist:
        pass
    
    # Log logout event
    log_security_event(
        user=request.user,
        event_type='logout',
        severity='low',
        description='User logout',
        ip_address=ip_address,
        session_key=session_key
    )
    
    # Perform logout
    user_name = request.user.get_full_name() or request.user.username
    logout(request)
    
    messages.success(request, _(f'Goodbye, {user_name}! You have been logged out successfully.'))
    return redirect('accounts:login')


@login_required
def change_password(request: HttpRequest) -> HttpResponse:
    """
    Handle password change with security logging.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Password change form or redirect
    """
    if request.method == 'POST':
        form = PasswordChangeForm(request.user, request.POST)
        if form.is_valid():
            user = form.save()
            
            # Log password change
            log_security_event(
                user=user,
                event_type='password_change',
                severity='medium',
                description='User changed password',
                ip_address=get_client_ip(request)
            )
            
            # Update password change timestamp
            try:
                profile = user.userprofile
                profile.password_changed_at = timezone.now()
                profile.save(update_fields=['password_changed_at'])
            except UserProfile.DoesNotExist:
                pass
            
            messages.success(request, _('Your password has been changed successfully.'))
            return redirect('accounts:profile')
        else:
            messages.error(request, _('Please correct the errors below.'))
    else:
        form = PasswordChangeForm(request.user)
    
    return render(request, 'accounts/change_password.html', {'form': form})


def password_reset_request(request: HttpRequest) -> HttpResponse:
    """
    Handle password reset request.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Password reset form or confirmation
    """
    if request.method == 'POST':
        form = PasswordResetForm(request.POST)
        if form.is_valid():
            email = form.cleaned_data['email']
            try:
                user = User.objects.get(email=email, is_active=True)
                
                # Generate password reset token
                token = default_token_generator.make_token(user)
                uid = urlsafe_base64_encode(force_bytes(user.pk))
                
                # Create reset URL
                reset_url = request.build_absolute_uri(
                    reverse('accounts:password_reset_confirm', kwargs={'uidb64': uid, 'token': token})
                )
                
                # Send password reset email
                subject = _('Password Reset Request')
                message = render_to_string('accounts/emails/password_reset.html', {
                    'user': user,
                    'reset_url': reset_url,
                    'site_name': settings.SITE_NAME,
                })
                
                send_mail(
                    subject=subject,
                    message=message,
                    from_email=settings.DEFAULT_FROM_EMAIL,
                    recipient_list=[email],
                    html_message=message
                )
                
                # Log password reset request
                log_security_event(
                    user=user,
                    event_type='password_reset',
                    severity='medium',
                    description='Password reset requested',
                    ip_address=get_client_ip(request)
                )
                
                messages.success(request, _('Password reset instructions have been sent to your email.'))
                return redirect('accounts:login')
                
            except User.DoesNotExist:
                # Don't reveal if email exists or not
                messages.success(request, _('If the email exists, password reset instructions have been sent.'))
                return redirect('accounts:login')
    else:
        form = PasswordResetForm()
    
    return render(request, 'accounts/password_reset.html', {'form': form})


# ============================================================================
# User Management Views
# ============================================================================

@login_required
def profile_view(request: HttpRequest) -> HttpResponse:
    """
    Display and edit user profile.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: User profile page
    """
    try:
        profile = request.user.userprofile
    except UserProfile.DoesNotExist:
        profile = UserProfile.objects.create(user=request.user)
    
    if request.method == 'POST':
        form = UserProfileForm(request.POST, request.FILES, instance=profile)
        if form.is_valid():
            form.save()
            
            # Log profile update
            log_security_event(
                user=request.user,
                event_type='data_modification',
                severity='low',
                description='User profile updated',
                ip_address=get_client_ip(request)
            )
            
            messages.success(request, _('Your profile has been updated successfully.'))
            return redirect('accounts:profile')
        else:
            messages.error(request, _('Please correct the errors below.'))
    else:
        form = UserProfileForm(instance=profile)
    
    # Get user's recent sessions
    recent_sessions = UserSession.objects.filter(
        user=request.user
    ).order_by('-last_activity')[:5]
    
    # Get user's API keys
    api_keys = APIKey.objects.filter(
        user=request.user,
        is_active=True
    ).order_by('-created_at')
    
    context = {
        'form': form,
        'profile': profile,
        'recent_sessions': recent_sessions,
        'api_keys': api_keys,
    }
    
    return render(request, 'accounts/profile.html', context)


@login_required
@permission_required('accounts.view_user')
def user_list(request: HttpRequest) -> HttpResponse:
    """
    Display list of users with filtering and pagination.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: User list page
    """
    # Get filter parameters
    search_query = request.GET.get('search', '')
    user_type_filter = request.GET.get('user_type', '')
    is_active_filter = request.GET.get('is_active', '')
    
    # Build queryset
    users = User.objects.select_related('userprofile').all()
    
    # Apply search filter
    if search_query:
        users = users.filter(
            Q(username__icontains=search_query) |
            Q(first_name__icontains=search_query) |
            Q(last_name__icontains=search_query) |
            Q(email__icontains=search_query)
        )
    
    # Apply user type filter
    if user_type_filter:
        users = users.filter(userprofile__user_type=user_type_filter)
    
    # Apply active status filter
    if is_active_filter:
        is_active = is_active_filter.lower() == 'true'
        users = users.filter(is_active=is_active)
    
    # Order by last login
    users = users.order_by('-last_login')
    
    # Pagination
    paginator = Paginator(users, 25)  # Show 25 users per page
    page = request.GET.get('page')
    
    try:
        users_page = paginator.page(page)
    except PageNotAnInteger:
        users_page = paginator.page(1)
    except EmptyPage:
        users_page = paginator.page(paginator.num_pages)
    
    # Get user type choices for filter
    user_type_choices = UserProfile.USER_TYPES
    
    context = {
        'users': users_page,
        'search_query': search_query,
        'user_type_filter': user_type_filter,
        'is_active_filter': is_active_filter,
        'user_type_choices': user_type_choices,
    }
    
    return render(request, 'accounts/user_list.html', context)


@login_required
@permission_required('accounts.view_user')
def user_detail(request: HttpRequest, user_id: int) -> HttpResponse:
    """
    Display detailed user information.
    
    Args:
        request (HttpRequest): The HTTP request object
        user_id (int): ID of the user to display
    
    Returns:
        HttpResponse: User detail page
    """
    user = get_object_or_404(User, id=user_id)
    
    try:
        profile = user.userprofile
    except UserProfile.DoesNotExist:
        profile = UserProfile.objects.create(user=user)
    
    # Get user's roles
    user_roles = UserRole.objects.filter(
        user=user,
        is_active=True
    ).select_related('role')
    
    # Get user's recent sessions
    recent_sessions = UserSession.objects.filter(
        user=user
    ).order_by('-last_activity')[:10]
    
    # Get user's security logs
    security_logs = SecurityLog.objects.filter(
        user=user
    ).order_by('-created_at')[:20]
    
    # Get user's API keys
    api_keys = APIKey.objects.filter(
        user=user
    ).order_by('-created_at')
    
    context = {
        'user_obj': user,  # Avoid conflict with request.user
        'profile': profile,
        'user_roles': user_roles,
        'recent_sessions': recent_sessions,
        'security_logs': security_logs,
        'api_keys': api_keys,
    }
    
    return render(request, 'accounts/user_detail.html', context)


# ============================================================================
# Role and Permission Management Views
# ============================================================================

@login_required
@permission_required('accounts.view_role')
def role_list(request: HttpRequest) -> HttpResponse:
    """
    Display list of roles with their permissions.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Role list page
    """
    roles = Role.objects.filter(is_active=True).prefetch_related('permissions')
    
    # Add permission count to each role
    for role in roles:
        role.permission_count = role.get_permission_count()
        role.user_count = role.get_user_count()
    
    context = {
        'roles': roles,
    }
    
    return render(request, 'accounts/role_list.html', context)


@login_required
@permission_required('accounts.add_role')
def role_create(request: HttpRequest) -> HttpResponse:
    """
    Create a new role.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Role creation form or redirect
    """
    if request.method == 'POST':
        form = RoleForm(request.POST)
        if form.is_valid():
            role = form.save(commit=False)
            role.created_by = request.user
            role.save()
            
            # Save many-to-many relationships
            form.save_m2m()
            
            # Log role creation
            log_security_event(
                user=request.user,
                event_type='admin_action',
                severity='medium',
                description=f'Created role: {role.name}',
                ip_address=get_client_ip(request),
                additional_data={'role_id': role.id, 'role_name': role.name}
            )
            
            messages.success(request, _(f'Role "{role.display_name}" has been created successfully.'))
            return redirect('accounts:role_list')
        else:
            messages.error(request, _('Please correct the errors below.'))
    else:
        form = RoleForm()
    
    context = {
        'form': form,
        'title': _('Create Role'),
    }
    
    return render(request, 'accounts/role_form.html', context)


@login_required
@permission_required('accounts.change_role')
def role_edit(request: HttpRequest, role_id: int) -> HttpResponse:
    """
    Edit an existing role.
    
    Args:
        request (HttpRequest): The HTTP request object
        role_id (int): ID of the role to edit
    
    Returns:
        HttpResponse: Role edit form or redirect
    """
    role = get_object_or_404(Role, id=role_id)
    
    if request.method == 'POST':
        form = RoleForm(request.POST, instance=role)
        if form.is_valid():
            role = form.save()
            
            # Log role update
            log_security_event(
                user=request.user,
                event_type='admin_action',
                severity='medium',
                description=f'Updated role: {role.name}',
                ip_address=get_client_ip(request),
                additional_data={'role_id': role.id, 'role_name': role.name}
            )
            
            messages.success(request, _(f'Role "{role.display_name}" has been updated successfully.'))
            return redirect('accounts:role_list')
        else:
            messages.error(request, _('Please correct the errors below.'))
    else:
        form = RoleForm(instance=role)
    
    context = {
        'form': form,
        'role': role,
        'title': _(f'Edit Role: {role.display_name}'),
    }
    
    return render(request, 'accounts/role_form.html', context)


@login_required
@permission_required('accounts.view_permission')
def permission_list(request: HttpRequest) -> HttpResponse:
    """
    Display list of permissions grouped by resource.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Permission list page
    """
    permissions = Permission.objects.filter(is_active=True).order_by('resource', 'action')
    
    # Group permissions by resource
    grouped_permissions = {}
    for permission in permissions:
        resource = permission.resource
        if resource not in grouped_permissions:
            grouped_permissions[resource] = []
        grouped_permissions[resource].append(permission)
    
    context = {
        'grouped_permissions': grouped_permissions,
    }
    
    return render(request, 'accounts/permission_list.html', context)


# ============================================================================
# Security Monitoring Views
# ============================================================================

@login_required
@permission_required('accounts.view_securitylog')
def security_logs(request: HttpRequest) -> HttpResponse:
    """
    Display security logs with filtering.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Security logs page
    """
    # Get filter parameters
    event_type_filter = request.GET.get('event_type', '')
    severity_filter = request.GET.get('severity', '')
    user_filter = request.GET.get('user', '')
    date_from = request.GET.get('date_from', '')
    date_to = request.GET.get('date_to', '')
    
    # Build queryset
    logs = SecurityLog.objects.select_related('user').all()
    
    # Apply filters
    if event_type_filter:
        logs = logs.filter(event_type=event_type_filter)
    
    if severity_filter:
        logs = logs.filter(severity=severity_filter)
    
    if user_filter:
        logs = logs.filter(user__username__icontains=user_filter)
    
    if date_from:
        try:
            date_from_obj = datetime.strptime(date_from, '%Y-%m-%d').date()
            logs = logs.filter(created_at__date__gte=date_from_obj)
        except ValueError:
            pass
    
    if date_to:
        try:
            date_to_obj = datetime.strptime(date_to, '%Y-%m-%d').date()
            logs = logs.filter(created_at__date__lte=date_to_obj)
        except ValueError:
            pass
    
    # Order by creation date (newest first)
    logs = logs.order_by('-created_at')
    
    # Pagination
    paginator = Paginator(logs, 50)  # Show 50 logs per page
    page = request.GET.get('page')
    
    try:
        logs_page = paginator.page(page)
    except PageNotAnInteger:
        logs_page = paginator.page(1)
    except EmptyPage:
        logs_page = paginator.page(paginator.num_pages)
    
    # Get filter choices
    event_type_choices = SecurityLog.EVENT_TYPES
    severity_choices = SecurityLog.SEVERITY_LEVELS
    
    context = {
        'logs': logs_page,
        'event_type_filter': event_type_filter,
        'severity_filter': severity_filter,
        'user_filter': user_filter,
        'date_from': date_from,
        'date_to': date_to,
        'event_type_choices': event_type_choices,
        'severity_choices': severity_choices,
    }
    
    return render(request, 'accounts/security_logs.html', context)


@login_required
@permission_required('accounts.view_usersession')
def active_sessions(request: HttpRequest) -> HttpResponse:
    """
    Display active user sessions.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        HttpResponse: Active sessions page
    """
    # Get active sessions
    sessions = UserSession.objects.filter(
        is_active=True,
        expires_at__gt=timezone.now()
    ).select_related('user').order_by('-last_activity')
    
    # Add session duration to each session
    for session in sessions:
        session.duration_minutes = int(session.duration.total_seconds() / 60)
    
    context = {
        'sessions': sessions,
    }
    
    return render(request, 'accounts/active_sessions.html', context)


# ============================================================================
# API Views
# ============================================================================

@login_required
@require_POST
def terminate_session(request: HttpRequest) -> JsonResponse:
    """
    Terminate a user session via AJAX.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        JsonResponse: Success or error response
    """
    try:
        session_id = request.POST.get('session_id')
        session = get_object_or_404(UserSession, id=session_id)
        
        # Check permissions
        if not (request.user.has_perm('accounts.change_usersession') or 
                session.user == request.user):
            return JsonResponse({
                'success': False,
                'error': _('Permission denied')
            }, status=403)
        
        # Terminate session
        session.terminate(reason='admin' if session.user != request.user else 'user')
        
        # Log session termination
        log_security_event(
            user=request.user,
            event_type='admin_action' if session.user != request.user else 'logout',
            severity='medium' if session.user != request.user else 'low',
            description=f'Session terminated for user: {session.user.username}',
            ip_address=get_client_ip(request),
            additional_data={
                'terminated_session_id': session.id,
                'terminated_user': session.user.username
            }
        )
        
        return JsonResponse({
            'success': True,
            'message': _('Session terminated successfully')
        })
        
    except Exception as e:
        logger.error(f'Error terminating session: {str(e)}')
        return JsonResponse({
            'success': False,
            'error': _('An error occurred while terminating the session')
        }, status=500)


@login_required
@require_POST
def generate_api_key_view(request: HttpRequest) -> JsonResponse:
    """
    Generate a new API key for the user.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        JsonResponse: API key data or error response
    """
    try:
        name = request.POST.get('name', '').strip()
        description = request.POST.get('description', '').strip()
        
        if not name:
            return JsonResponse({
                'success': False,
                'error': _('API key name is required')
            }, status=400)
        
        # Generate API key
        api_key_data = generate_api_key()
        
        # Create API key record
        api_key = APIKey.objects.create(
            user=request.user,
            name=name,
            key=api_key_data['hashed_key'],
            key_prefix=api_key_data['prefix'],
            description=description
        )
        
        # Log API key creation
        log_security_event(
            user=request.user,
            event_type='admin_action',
            severity='medium',
            description=f'Generated API key: {name}',
            ip_address=get_client_ip(request),
            additional_data={
                'api_key_id': api_key.id,
                'api_key_name': name
            }
        )
        
        return JsonResponse({
            'success': True,
            'api_key': api_key_data['raw_key'],
            'key_prefix': api_key_data['prefix'],
            'message': _('API key generated successfully. Please save it securely as it will not be shown again.')
        })
        
    except Exception as e:
        logger.error(f'Error generating API key: {str(e)}')
        return JsonResponse({
            'success': False,
            'error': _('An error occurred while generating the API key')
        }, status=500)


@login_required
@require_POST
def revoke_api_key(request: HttpRequest) -> JsonResponse:
    """
    Revoke an API key.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        JsonResponse: Success or error response
    """
    try:
        api_key_id = request.POST.get('api_key_id')
        api_key = get_object_or_404(APIKey, id=api_key_id)
        
        # Check permissions
        if not (request.user.has_perm('accounts.delete_apikey') or 
                api_key.user == request.user):
            return JsonResponse({
                'success': False,
                'error': _('Permission denied')
            }, status=403)
        
        # Revoke API key
        api_key.is_active = False
        api_key.save(update_fields=['is_active'])
        
        # Log API key revocation
        log_security_event(
            user=request.user,
            event_type='admin_action',
            severity='medium',
            description=f'Revoked API key: {api_key.name}',
            ip_address=get_client_ip(request),
            additional_data={
                'api_key_id': api_key.id,
                'api_key_name': api_key.name,
                'api_key_owner': api_key.user.username
            }
        )
        
        return JsonResponse({
            'success': True,
            'message': _('API key revoked successfully')
        })
        
    except Exception as e:
        logger.error(f'Error revoking API key: {str(e)}')
        return JsonResponse({
            'success': False,
            'error': _('An error occurred while revoking the API key')
        }, status=500)


@login_required
def user_stats_api(request: HttpRequest) -> JsonResponse:
    """
    Get user statistics for dashboard widgets.
    
    Args:
        request (HttpRequest): The HTTP request object
    
    Returns:
        JsonResponse: User statistics data
    """
    try:
        # Check permissions
        if not request.user.has_perm('accounts.view_user'):
            return JsonResponse({
                'success': False,
                'error': _('Permission denied')
            }, status=403)
        
        # Calculate statistics
        total_users = User.objects.count()
        active_users = User.objects.filter(is_active=True).count()
        inactive_users = total_users - active_users
        
        # Users by type
        user_types = UserProfile.objects.values('user_type').annotate(
            count=Count('user_type')
        )
        
        # Recent registrations (last 30 days)
        thirty_days_ago = timezone.now() - timedelta(days=30)
        recent_registrations = User.objects.filter(
            date_joined__gte=thirty_days_ago
        ).count()
        
        # Active sessions
        active_sessions_count = UserSession.objects.filter(
            is_active=True,
            expires_at__gt=timezone.now()
        ).count()
        
        # Security events (last 24 hours)
        twenty_four_hours_ago = timezone.now() - timedelta(hours=24)
        recent_security_events = SecurityLog.objects.filter(
            created_at__gte=twenty_four_hours_ago
        ).count()
        
        return JsonResponse({
            'success': True,
            'data': {
                'total_users': total_users,
                'active_users': active_users,
                'inactive_users': inactive_users,
                'user_types': list(user_types),
                'recent_registrations': recent_registrations,
                'active_sessions': active_sessions_count,
                'recent_security_events': recent_security_events,
            }
        })
        
    except Exception as e:
        logger.error(f'Error getting user statistics: {str(e)}')
        return JsonResponse({
            'success': False,
            'error': _('An error occurred while retrieving statistics')
        }, status=500)