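import logging

import requests
from django.conf import settings

logger = logging.getLogger(__name__)

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def verify_turnstile(token: str, remote_ip: str | None = None) -> bool:
    """
    Verify a Cloudflare Turnstile token against the siteverify API.

    Returns True if valid, False otherwise.

    Skips verification (returns True without contacting Cloudflare) when SSL
    is disabled (non-HTTPS env) or when CLOUDFLARE_TURNSTILE_SECRET_KEY is not
    configured. Every other failure fails closed: an empty token, a network
    or JSON error, a malformed response body, or a response whose "success"
    field is not the boolean True all return False.

    Args:
        token: The Turnstile response token submitted by the client.
        remote_ip: Optional client IP, forwarded as "remoteip" when set.
    """
    # NOTE: both skip paths below fail OPEN and log only at DEBUG level.
    # A deployment that sets USE_SSL but loses the secret key (or the reverse)
    # runs with the challenge disabled and no visible log line at default
    # levels. Consider a startup check that the key is present where the
    # challenge is meant to be enforced.
    if not getattr(settings, "USE_SSL", False):
        logger.debug("Turnstile: SSL disabled, skipping verification.")
        return True

    secret = getattr(settings, "CLOUDFLARE_TURNSTILE_SECRET_KEY", "")
    if not secret:
        logger.debug("Turnstile: no secret key configured, skipping verification.")
        return True

    # An absent token can never validate. Reject it locally so that the
    # secret is not sent upstream for requests that carry no challenge.
    if not token:
        logger.warning("Turnstile verification failed: empty token")
        return False

    payload = {"secret": secret, "response": token}
    if remote_ip:
        # NOTE(review): remote_ip should come from a trusted source (the
        # socket peer or a proxy-verified header), not a client-controlled
        # header. Confirm at the call site.
        payload["remoteip"] = remote_ip

    try:
        resp = requests.post(SITEVERIFY_URL, data=payload, timeout=5)
        result = resp.json()
    except Exception as e:
        # Fail closed on any transport or decoding problem. The broad catch
        # is deliberate, so an unexpected error denies rather than crashes.
        logger.error("Turnstile: siteverify request failed: %s", e)
        return False

    # A JSON body that is not an object (list, string, null) carries no
    # usable verdict and is treated as a failure.
    if not isinstance(result, dict):
        logger.error("Turnstile: siteverify returned an unexpected response body.")
        return False

    # Require the literal boolean True. A truthy non-boolean such as the
    # string "false" must not count as a pass.
    if result.get("success") is not True:
        logger.warning("Turnstile verification failed: %s", result.get("error-codes"))
        return False

    # NOTE(review): only "success" is checked. If the site key is shared
    # across hosts or widgets, also compare the response's "hostname" and
    # "action" fields with the expected values.
    return True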