app.py

## app.py
from __future__ import annotations

import json
import re
import secrets
from typing import Any
from dotenv import load_dotenv

# .env 파일 로드 (환경 변수)
load_dotenv()

from pathlib import PurePosixPath

from flask import Flask, jsonify, redirect, render_template, request, send_from_directory, session, url_for, make_response, abort
from flask_cors import CORS, cross_origin
from flask_smorest import Api
from flask_socketio import SocketIO
from werkzeug.middleware.proxy_fix import ProxyFix
import requests

from auth import blueprint as auth_bp
from auth.sessions import load_remembered_user
from class_routes import blueprint as class_bp
from exports_routes import blueprint as export_bp
from chat_routes import blueprint as chat_bp
from vote_routes import blueprint as vote_bp
from arcade_routes import blueprint as arcade_bp, init_arcade_socketio
from shop_routes import blueprint as shop_bp
from event_routes import blueprint as event_bp
from public_api import public_api_bp, broadcast_public_status_update
from developer_routes import blueprint as developer_bp
from oauth import blueprint as oauth_bp
from account import blueprint as account_bp
from mcp_routes import blueprint as mcp_bp
from config import config
from extensions import db
from models import ClassConfig, ClassPin, ClassState
from config_loader import load_class_config
from utils import (
    after_request,
    before_request,
    burst_guard_allow,
    burst_guard_key,
    clear_teacher_session,
    is_teacher_session_active,
    mark_teacher_session,
    metrics,
    pin_guard_key,
    pin_guard_register_failure,
    pin_guard_reset,
    pin_guard_status,
    setup_logging,
    verify_csrf,
)
from content_filter import contains_slang
from ws import namespaces

import gspread


class _NoopSocketIO:
    def __init__(self, app: Flask):
        self.app = app
        self.app.extensions["socketio"] = self

    def on_namespace(self, _namespace) -> None:
        return None

    def emit(self, *_args, **_kwargs) -> None:
        return None

    def run(self, *_args, **_kwargs) -> None:
        raise RuntimeError("Socket.IO backend is unavailable")

app = Flask(__name__)
app.config.from_object(config)
# Reverse proxy(TLS terminator) headers trust: X-Forwarded-Proto/Host
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
setup_logging(config.LOG_LEVEL)

app.register_blueprint(auth_bp)
app.register_blueprint(class_bp)
app.register_blueprint(export_bp)
app.register_blueprint(chat_bp)
app.register_blueprint(vote_bp)
app.register_blueprint(arcade_bp)
app.register_blueprint(shop_bp)
app.register_blueprint(event_bp)
app.register_blueprint(public_api_bp)
app.register_blueprint(developer_bp)
app.register_blueprint(oauth_bp)
app.register_blueprint(account_bp)
app.register_blueprint(mcp_bp)
app.add_url_rule("/metrics", "metrics", metrics)

db.init_app(app)

socketio_async_mode = "threading"
try:
    socketio = SocketIO(
        app,
        cors_allowed_origins=config.FRONTEND_ORIGIN,
        async_mode=socketio_async_mode
    )
except ValueError as exc:  # pragma: no cover - depends on optional socket backends
    app.logger.warning("Socket.IO disabled: %s", exc)
    socketio = _NoopSocketIO(app)

CORS(
    app,
    resources={
        r"/public/*": {"origins": "*", "supports_credentials": False},
        r"/*": {"origins": [config.FRONTEND_ORIGIN], "supports_credentials": True},
    },
)
for ns in namespaces:
    socketio.on_namespace(ns)
init_arcade_socketio(socketio)

app.before_request(before_request)
app.after_request(after_request)
app.before_request(verify_csrf)


@app.before_request
def _apply_ddos_guard():
    path = request.path or ""
    rule_map = {
        "/api/version": config.DDOS_GUARD_API_VERSION_MAX_REQUESTS,
        "/healthz": config.DDOS_GUARD_HEALTHZ_MAX_REQUESTS,
        "/metrics": config.DDOS_GUARD_METRICS_MAX_REQUESTS,
        "/api/qrng": config.DDOS_GUARD_QRNG_MAX_REQUESTS,
    }
    max_requests = rule_map.get(path)
    if max_requests is None:
        return None

    allowed, retry_after = burst_guard_allow(
        burst_guard_key(f"http:{path}"),
        max_requests=max_requests,
        window_seconds=config.DDOS_GUARD_WINDOW_SECONDS,
    )
    if allowed:
        return None

    response = jsonify(
        {
            "error": {
                "code": "429",
                "message": "too many requests",
            }
        }
    )
    response.status_code = 429
    response.headers["Retry-After"] = str(retry_after)
    return response


def _set_no_store(response):
    response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "0"


def _set_short_revalidate_cache(response):
    response.headers["Cache-Control"] = "public, max-age=300, must-revalidate"
    response.headers.pop("Pragma", None)
    response.headers.pop("Expires", None)


@app.after_request
def _apply_cache_policy(response):
    path = (request.path or "").lower()
    mimetype = (response.mimetype or "").lower()
    host = (request.host or "").split(":", 1)[0].lower()

    def _maybe_set_hsts():
        if request.is_secure and host in _HTTPS_ENFORCED_HOSTS:
            response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"

    is_api_or_auth = path.startswith("/api/") or path.startswith("/auth/") or path == "/me"
    is_html = path == "/" or path.endswith(".html") or mimetype == "text/html"
    is_service_worker = path == "/service-worker.js"
    is_pwa_script = path == "/js/pwa.js"
    is_manifest = path == "/manifest.webmanifest"

    if is_api_or_auth or is_html or is_service_worker or is_pwa_script or is_manifest:
        _set_no_store(response)
        _maybe_set_hsts()
        return response

    if path.endswith((
        ".js",
        ".css",
        ".json",
        ".map",
        ".txt",
        ".xml",
        ".webmanifest",
        ".png",
        ".jpg",
        ".jpeg",
        ".gif",
        ".svg",
        ".webp",
        ".ico",
        ".woff",
        ".woff2",
        ".ttf",
        ".otf",
    )):
        _set_short_revalidate_cache(response)

    _maybe_set_hsts()

    return response


_SENSITIVE_PREFIXES = {
    ".env",
    "dimicheck-471412-85491c7985df.json",
    "instance",
    ".git",
    ".venv",
    "app.db",
}

_HTTPS_ENFORCED_HOSTS = {
    "dimicheck.com",
    "www.dimicheck.com",
    "chec.kro.kr",
    "www.chec.kro.kr",
}


@app.before_request
def _block_sensitive_files():
    path = (request.path or "").lstrip("/")
    lowered = path.lower()
    for prefix in _SENSITIVE_PREFIXES:
        prefix_lower = prefix.lower().rstrip("/")
        if lowered == prefix_lower or lowered.startswith(f"{prefix_lower}/") or f"/{prefix_lower}" in f"/{lowered}":
            abort(404)


@app.before_request
def _force_https_for_public_hosts():
    host = (request.host or "").split(":", 1)[0].lower()
    if host not in _HTTPS_ENFORCED_HOSTS:
        return None
    if request.is_secure:
        return None
    https_url = request.url.replace("http://", "https://", 1)
    return redirect(https_url, code=301)


@app.context_processor
def inject_asset_version():
    """Inject asset version for cache busting"""
    return {
        'asset_version': config.ASSET_VERSION,
        'app_version': config.APP_VERSION,
    }


@app.before_request
def _inject_remembered_session():
    load_remembered_user()


@app.before_request
def _refresh_user_session() -> None:
    if session.get("user"):
        session.permanent = True

@app.errorhandler(400)
@app.errorhandler(401)
@app.errorhandler(403)
@app.errorhandler(404)
@app.errorhandler(409)
def handle_error(err):
    code = getattr(err, "code", 500)
    message = getattr(err, "description", str(err))

    # JSON 요청 (예: fetch, axios) → JSON 반환
    if request.accept_mimetypes.best == "application/json" or request.is_json:
        return jsonify({"error": {"code": str(code), "message": message}}), code

    # 일반 브라우저 접근 → HTML 페이지
    return send_from_directory(".", "404.html"), code

@app.get("/healthz")
@cross_origin(origins=["https://checstat.netlify.app"])
def health() -> Any:
    return {"status": "ok"}


def _resolve_student_chat_page() -> str:
    user = session.get("user") or {}
    if str(user.get("type", "")).lower() != "student":
        return "chat.html"

    grade, section, _ = _derive_student_session()
    if grade is None or section is None:
        return "chat.html"

    try:
        class_config = load_class_config().get((grade, section)) or {}
    except Exception as exc:  # pylint: disable=broad-except
        app.logger.warning("Failed to load class config for chat gate: %s", exc)
        return "chat.html"

    return "chat.html" if bool(class_config.get("chat_enabled")) else "notice.html"


@app.get("/chat.html")
def chat_page():
    return send_from_directory(".", _resolve_student_chat_page())


@app.get("/user")
def user_page_alias():
    return redirect("/user.html")


@app.get("/user.html")
def user_page():
    user = session.get("user") or {}
    if str(user.get("type", "")).lower() == "teacher":
        return redirect(url_for("teacher_dashboard"))
    return send_from_directory(".", "user.html")


@app.get("/me")
def me() -> Any:
    user = session.get("user")
    teacher_session_active = is_teacher_session_active()
    if not user and not teacher_session_active:
        return jsonify({"error": {"code": "unauthorized", "message": "login required"}}), 401
    token = session.get("csrf_token")
    if not token:
        import secrets

        token = secrets.token_hex(16)
        session["csrf_token"] = token
    if not user and teacher_session_active:
        return jsonify({"type": "teacher", "csrf_token": token})
    user_data = {k: v for k, v in user.items() if k in {"id", "email", "name", "type", "grade", "class", "number"}}
    user_data["csrf_token"] = token
    return jsonify(user_data)

# Swagger UI
api_spec = {
    "title": "Presence API",
    "version": "1.0",
    "openapi_version": "3.0.2",
    "components": {"securitySchemes": {}},
    "name": "dimicheck-openapi"
}
api = Api(app, spec_kwargs=api_spec)

CLASS_CONFIGS = load_class_config()
QRNG_ENDPOINT = "https://qrng.anu.edu.au/API/jsonI.php"
QRNG_ALLOWED_TYPES = {"uint8", "uint16", "hex16"}
QRNG_MAX_LENGTH = 1024
DEFAULT_CHAT_CHANNEL = "home"

# 단축 상태 코드 → 내부 상태 키 매핑
STATUS_ALIASES = {
    "class": "section",
    "classroom": "section",
    "room": "section",
    "section": "section",
    "교실": "section",
    "toilet": "toilet",
    "화장실": "toilet",
    "bathroom": "toilet",
    "hallway": "hallway",
    "복도": "hallway",
    "club": "club",
    "동아리": "club",
    "afterschool": "afterschool",
    "after-school": "afterschool",
    "방과후": "afterschool",
    "project": "project",
    "프로젝트": "project",
    "early": "early",
    "조기입실": "early",
    "etc": "etc",
    "기타": "etc",
    "absence": "absence",
    "absent": "absence",
    "결석": "absence",
    "조퇴": "absence",
}

STATUS_LABELS = {
    "section": "교실",
    "toilet": "화장실",
    "hallway": "복도",
    "club": "동아리",
    "afterschool": "방과후",
    "project": "프로젝트",
    "early": "조기입실",
    "etc": "기타",
    "absence": "결석(조퇴)",
}

PRESERVE_STATE_FIELDS = [
    "reaction",
    "reactionPostedAt",
    "reactionExpiresAt",
    "thought",
    "thoughtPostedAt",
    "thoughtExpiresAt",
]


def _fallback_qrng(length: int, qtype: str) -> dict[str, Any]:
    if qtype == "uint16":
        data = [secrets.randbits(16) for _ in range(length)]
    elif qtype == "hex16":
        data = [f"{secrets.randbits(16):04x}" for _ in range(length)]
    else:  # default uint8
        data = list(secrets.token_bytes(length))

    return {"success": True, "data": data, "source": "fallback"}


def _coerce_int(value: Any) -> int | None:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def _split_student_identifier(value: Any) -> tuple[int | None, int | None, int | None]:
    if value is None:
        return None, None, None
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    if not digits:
        return None, None, None
    if len(digits) >= 3:
        grade = _coerce_int(digits[0])
        seat = _coerce_int(digits[-2:])
        section_digits = digits[1:-2]
        section = _coerce_int(section_digits) if section_digits else None
        return grade, section, seat
    return None, None, _coerce_int(digits)


def _derive_student_session() -> tuple[int | None, int | None, int | None]:
    user = session.get("user") or {}
    if str(user.get("type", "")).lower() != "student":
        return None, None, None

    grade = _coerce_int(user.get("grade") or user.get("grade_no") or user.get("gradeNo"))
    section = _coerce_int(
        user.get("class")
        or user.get("class_no")
        or user.get("classNo")
        or user.get("section")
        or user.get("section_no")
        or user.get("sectionNo")
    )
    identifier = (
        user.get("number")
        or user.get("student_number")
        or user.get("studentNumber")
        or user.get("student_no")
        or user.get("studentNo")
    )
    derived_grade, derived_section, seat = _split_student_identifier(identifier)
    if grade is None:
        grade = derived_grade
    if section is None:
        section = derived_section
    if seat is None:
        _, _, seat = _split_student_identifier(user.get("seat_number") or user.get("seatNumber") or user.get("number_only"))
    return grade, section, seat


def _normalize_status_param(raw_status: str | None) -> str | None:
    if not raw_status:
        return None
    cleaned = str(raw_status).strip().strip('"\'').lower()
    canonical = STATUS_ALIASES.get(cleaned, cleaned)
    if canonical in STATUS_LABELS:
        return canonical
    return None


def _normalize_channels(channels_raw) -> list[str]:
    channels = channels_raw if isinstance(channels_raw, list) else []
    normalized: list[str] = []
    seen = set()

    for ch in channels:
        if not isinstance(ch, str):
            continue
        name = ch.strip()
        if not name:
            continue
        key = name.casefold()
        if key in seen:
            continue
        seen.add(key)
        normalized.append(name[:30])

    if DEFAULT_CHAT_CHANNEL.casefold() not in seen:
        normalized.insert(0, DEFAULT_CHAT_CHANNEL)
    return normalized


def _normalize_channel_memberships(raw_memberships, channels: list[str], grade: int | None = None, section: int | None = None) -> dict[str, list[dict]]:
    memberships = raw_memberships if isinstance(raw_memberships, dict) else {}
    result: dict[str, list[dict]] = {}
    for ch in channels:
        entries = []
        seen = set()
        raw_entries = memberships.get(ch) if isinstance(memberships.get(ch), list) else []
        for entry in raw_entries:
            if not isinstance(entry, dict):
                continue
            g = _coerce_int(entry.get("grade"))
            s = _coerce_int(entry.get("section"))
            if g is None or s is None:
                continue
            key = f"{g}-{s}"
            if key in seen:
                continue
            seen.add(key)
            entries.append({"grade": g, "section": s})
        if grade is not None and section is not None:
            key = f"{grade}-{section}"
            if key not in seen:
                entries.append({"grade": grade, "section": section})
        result[ch] = entries
    return result


def _load_magnet_payload(state: ClassState | None) -> dict[str, dict[str, object]]:
    if not state or not state.data:
        return {"magnets": {}, "channels": [DEFAULT_CHAT_CHANNEL], "channelMemberships": {DEFAULT_CHAT_CHANNEL: []}}
    try:
        raw = json.loads(state.data)
    except json.JSONDecodeError:
        return {"magnets": {}, "channels": [DEFAULT_CHAT_CHANNEL], "channelMemberships": {DEFAULT_CHAT_CHANNEL: []}}
    if not isinstance(raw, dict):
        return {"magnets": {}, "channels": [DEFAULT_CHAT_CHANNEL], "channelMemberships": {DEFAULT_CHAT_CHANNEL: []}}
    magnets = raw.get("magnets")
    if not isinstance(magnets, dict):
        magnets = {}
    channels = _normalize_channels(raw.get("channels"))
    memberships = _normalize_channel_memberships(
        raw.get("channelMemberships"),
        channels,
        getattr(state, "grade", None),
        getattr(state, "section", None),
    )
    return {"magnets": magnets, "channels": channels, "channelMemberships": memberships}


def _persist_magnet_state(state: ClassState | None, grade: int, section: int, payload: dict[str, object]) -> ClassState:
    if not state:
        state = ClassState(grade=grade, section=section, data="")
        db.session.add(state)
    state.data = json.dumps(payload, ensure_ascii=False)
    db.session.commit()
    return state


def _upsert_student_status(
    magnets: dict[str, dict[str, object]],
    student_number: int,
    status_code: str,
    reason: str | None,
) -> dict[str, dict[str, object]]:
    normalized_reason = reason.strip() if reason else None
    payload: dict[str, object] = {"attachedTo": status_code}
    if status_code == "etc" and normalized_reason:
        payload["reason"] = normalized_reason
    elif status_code != "etc":
        payload.pop("reason", None)

    key = str(student_number)
    existing = magnets.get(key, {}) if isinstance(magnets, dict) else {}
    for field in PRESERVE_STATE_FIELDS:
        if field in existing and field not in payload:
            payload[field] = existing[field]

    magnets[key] = payload
    return magnets


@app.get("/api/qrng")
@cross_origin(origins=[config.FRONTEND_ORIGIN, "https://churchofquantum.netlify.app"])
def qrng_proxy():
    length = request.args.get("length", default=128, type=int)
    qtype = request.args.get("type", default="uint8")

    if not length or length < 1 or length > QRNG_MAX_LENGTH:
        return (
            jsonify(
                {
                    "success": False,
                    "error": "invalid_length",
                    "message": f"length must be between 1 and {QRNG_MAX_LENGTH}",
                }
            ),
            400,
        )

    if qtype not in QRNG_ALLOWED_TYPES:
        qtype = "uint8"

    try:
        upstream = requests.get(
            QRNG_ENDPOINT,
            params={"length": length, "type": qtype},
            timeout=5,
        )
        upstream.raise_for_status()
        data = upstream.json()
        if data.get("success"):
            return jsonify(data)
        app.logger.warning("QRNG upstream responded without success flag: %s", data)
    except requests.RequestException as exc:
        app.logger.warning("QRNG upstream error: %s", exc)
    except ValueError:
        app.logger.warning("QRNG upstream returned invalid JSON")

    fallback = _fallback_qrng(length, qtype)
    return jsonify(fallback), 200

@app.route("/board", methods=["GET", "POST"])
def board():
    CLASS_CONFIGS = load_class_config()

    grade = request.args.get("grade", type=int)
    section = request.args.get("section", type=int)

    class_config = CLASS_CONFIGS.get((grade, section))
    if not class_config:
        return send_from_directory(".", "404.html")

    guard_key = pin_guard_key(f"board:{grade}:{section}")

    if request.method == "POST":
        allowed, _, locked_for = pin_guard_status(guard_key, max_attempts=5, window_seconds=300, lock_seconds=900)
        if not allowed:
            return make_response("Too many attempts. 잠시 후 다시 시도해주세요.", 429)

        pin = request.form.get("pin")
        if str(class_config["pin"]) == pin:
            session[f"board_verified_{grade}_{section}"] = True
            session.permanent = True
            pin_guard_reset(guard_key)
            return render_template("index.html", arcade_debug_allow_any_time=config.ARCADE_DEBUG_ALLOW_ANY_TIME)

        attempts_left, lock_remaining = pin_guard_register_failure(
            guard_key, max_attempts=5, window_seconds=300, lock_seconds=900
        )
        status_code = 429 if lock_remaining else 401
        return make_response("잘못된 PIN 입니다.", status_code)

    if session.get(f"board_verified_{grade}_{section}"):
        return render_template("index.html", arcade_debug_allow_any_time=config.ARCADE_DEBUG_ALLOW_ANY_TIME)

    return send_from_directory(".", "enter_pin.html")


def _parse_short_board_code(code: str) -> tuple[int | None, int | None]:
    if not re.fullmatch(r"\d{2}", str(code or "")):
        return None, None

    grade = int(code[0])
    section = int(code[1])

    if grade not in {1, 2, 3} or section not in {1, 2, 3, 4, 5, 6}:
        return None, None

    return grade, section


@app.before_request
def _redirect_short_board_code():
    path = (request.path or "").strip("/")
    if "/" in path:
        return None

    grade, section = _parse_short_board_code(path)
    if grade is None or section is None:
        return None

    if not load_class_config().get((grade, section)):
        abort(404)

    return redirect(url_for("board", grade=grade, section=section))


def _validate_teacher_pin(pin: str) -> bool:
    allowed = config.TEACHER_PINS
    if not allowed:
        return False
    return pin in allowed


def _teacher_session_valid() -> bool:
    if is_teacher_session_active():
        return True
    clear_teacher_session()
    return False


@app.route("/teacher", methods=["GET", "POST"])
def teacher_dashboard():
    if _teacher_session_valid():
        return render_template("teacher.html", csrf_token=session.get("csrf_token"))

    error = None
    guard_key = pin_guard_key("teacher")

    if request.method == "POST":
        allowed, attempts_left, locked_for = pin_guard_status(guard_key, max_attempts=5, window_seconds=300, lock_seconds=900)
        if not allowed:
            error = f"시도가 잠겼어요. {locked_for}초 후 다시 시도하세요."
            return render_template(
                "teacher_pin.html",
                error=error,
                has_pin=bool(config.TEACHER_PINS),
            )

        pin = (request.form.get("pin") or "").strip()
        remember = request.form.get("remember") == "on"

        if not config.TEACHER_PINS:
            error = "교사용 PIN이 설정되지 않았습니다. 관리자에게 문의하세요."
        elif _validate_teacher_pin(pin):
            duration = (
                config.TEACHER_SESSION_REMEMBER_SECONDS
                if remember
                else config.TEACHER_SESSION_DURATION_SECONDS
            )
            mark_teacher_session(duration_seconds=duration, remember=remember)
            pin_guard_reset(guard_key)
            return redirect(url_for("teacher_dashboard"))
        else:
            attempts_left, lock_remaining = pin_guard_register_failure(
                guard_key, max_attempts=5, window_seconds=300, lock_seconds=900
            )
            if lock_remaining:
                error = f"PIN이 여러 번 틀렸어요. {lock_remaining}초 후 다시 시도하세요."
            elif attempts_left > 0:
                error = f"PIN이 올바르지 않습니다. 다시 시도해주세요. (남은 시도 {attempts_left}회)"
            else:
                error = "PIN이 올바르지 않습니다. 잠시 후 다시 시도해주세요."

    return render_template(
        "teacher_pin.html",
        error=error,
        has_pin=bool(config.TEACHER_PINS),
    )


@app.get("/teacher/notices")
def teacher_notices_page():
    if not _teacher_session_valid():
        return redirect(url_for("teacher_dashboard"))
    return render_template("teacher_notices.html", csrf_token=session.get("csrf_token"))


@app.get("/teacher/wallpapers")
def teacher_wallpapers_page():
    if not _teacher_session_valid():
        return redirect(url_for("teacher_dashboard"))
    return render_template("teacher_wallpapers.html", csrf_token=session.get("csrf_token"))


@app.get("/teacher/events")
def teacher_events_page():
    if not _teacher_session_valid():
        return redirect(url_for("teacher_dashboard"))
    return render_template("teacher_events.html", csrf_token=session.get("csrf_token"))


@app.get("/teacher.html")
def teacher_legacy_redirect():
    return redirect(url_for("teacher_dashboard"))

@app.route("/", methods=["GET", "POST"])
def index():  # type: ignore[override]
    user = session.get("user")
    if user:
        user_type = str(user.get("type", "")).lower()
        if user_type == "teacher":
            return redirect(url_for("teacher_dashboard"))
        if user_type == "student":
            return redirect("/user.html")

    return send_from_directory(".", "login.html") 

@app.get("/privacy")
def privacy():
    return send_from_directory(".", "privacy.html")


@app.get("/set")
def quick_apply_status_get():
    raw_status = request.args.get("status")
    reason_input = request.args.get("reason") or ""
    reason = str(reason_input).strip() or None
    status_code = _normalize_status_param(raw_status)
    allowed_codes = sorted(STATUS_LABELS.keys())
    user = session.get("user") or {}
    status_label = STATUS_LABELS.get(status_code, status_code) if status_code else None

    if reason and contains_slang(reason):
        return (
            render_template(
                "set_status.html",
                success=False,
                status_code=status_code or raw_status,
                status_label=status_label,
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                error="invalid_reason",
                pending_status=None,
                pending_reason=None,
                pending_apply=False,
                requires_login=False,
                csrf_token=session.get("csrf_token"),
            ),
            400,
        )

    if status_code:
        if not user:
            return render_template(
                "set_status.html",
                success=False,
                pending_status=status_code,
                pending_reason=reason if status_code == "etc" else None,
                pending_apply=False,
                requires_login=True,
                status_code=status_code,
                status_label=status_label,
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                csrf_token=None,
                error=None,
            )

        if str(user.get("type", "")).lower() != "student":
            return (
                render_template(
                    "set_status.html",
                    success=False,
                    status_code=status_code,
                    status_label=status_label,
                    allowed_codes=allowed_codes,
                    labels=STATUS_LABELS,
                    error="unsupported_user",
                    pending_status=None,
                    pending_reason=None,
                    pending_apply=False,
                    requires_login=False,
                    csrf_token=session.get("csrf_token"),
                ),
                403,
            )

        grade, section, seat = _derive_student_session()
        if grade is None or section is None or seat is None:
            return (
                render_template(
                    "set_status.html",
                    success=False,
                    status_code=status_code,
                    status_label=status_label,
                    allowed_codes=allowed_codes,
                    labels=STATUS_LABELS,
                    error="missing_profile",
                    pending_status=None,
                    pending_reason=None,
                    pending_apply=False,
                    requires_login=False,
                    csrf_token=session.get("csrf_token"),
                ),
                400,
            )

        if not session.get("csrf_token"):
            session["csrf_token"] = secrets.token_hex(16)
        return render_template(
            "set_status.html",
            success=False,
            pending_status=status_code,
            pending_reason=reason if status_code == "etc" else None,
            pending_apply=True,
            requires_login=False,
            status_code=status_code,
            status_label=status_label,
            allowed_codes=allowed_codes,
            labels=STATUS_LABELS,
            csrf_token=session.get("csrf_token"),
            error=None,
        )

    return (
        render_template(
            "set_status.html",
            success=False,
            status_code=None,
            status_label=None,
            allowed_codes=allowed_codes,
            labels=STATUS_LABELS,
            error="method_not_allowed",
            pending_status=None,
            pending_reason=None,
            pending_apply=False,
            requires_login=False,
            csrf_token=session.get("csrf_token"),
        ),
        405,
    )


@app.post("/set")
def quick_apply_status():
    payload = request.get_json(silent=True) if request.is_json else None
    raw_status = (
        (payload.get("status") if isinstance(payload, dict) else None)
        or request.form.get("status")
        or request.args.get("status")
    )
    reason_input = (
        (payload.get("reason") if isinstance(payload, dict) else None)
        or request.form.get("reason")
        or request.args.get("reason")
        or ""
    )
    reason = str(reason_input).strip() or None
    status_code = _normalize_status_param(raw_status)
    allowed_codes = sorted(STATUS_LABELS.keys())

    if not status_code:
        return (
            render_template(
                "set_status.html",
                success=False,
                status_code=raw_status,
                status_label=None,
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                error="invalid_status",
                pending_status=None,
                pending_reason=None,
                pending_apply=False,
                requires_login=False,
                csrf_token=session.get("csrf_token"),
            ),
            400,
        )

    if reason and contains_slang(reason):
        return (
            render_template(
                "set_status.html",
                success=False,
                status_code=status_code,
                status_label=STATUS_LABELS.get(status_code, status_code),
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                error="invalid_reason",
                pending_status=None,
                pending_reason=None,
                pending_apply=False,
                requires_login=False,
                csrf_token=session.get("csrf_token"),
            ),
            400,
        )

    user = session.get("user")
    if not user:
        return redirect(
            url_for(
                "auth.login",
                next=url_for(
                    "quick_apply_status_get",
                    status=status_code,
                    reason=reason or "",
                ),
            )
        )

    if str(user.get("type", "")).lower() != "student":
        return (
            render_template(
                "set_status.html",
                success=False,
                status_code=status_code,
                status_label=None,
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                error="unsupported_user",
                pending_status=None,
                pending_reason=None,
                pending_apply=False,
                requires_login=False,
                csrf_token=session.get("csrf_token"),
            ),
            403,
        )

    grade, section, seat = _derive_student_session()
    if grade is None or section is None or seat is None:
        return (
            render_template(
                "set_status.html",
                success=False,
                status_code=status_code,
                status_label=None,
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                error="missing_profile",
                pending_status=None,
                pending_reason=None,
                pending_apply=False,
                requires_login=False,
                csrf_token=session.get("csrf_token"),
            ),
            400,
        )

    try:
        state = ClassState.query.filter_by(grade=grade, section=section).first()
        payload = _load_magnet_payload(state)
        magnets = payload.get("magnets", {})
        channels = _normalize_channels(payload.get("channels"))
        payload["channels"] = channels
        _upsert_student_status(magnets, seat, status_code, reason)
        payload["magnets"] = magnets
        state = _persist_magnet_state(state, grade, section, payload)
    except Exception as exc:
        db.session.rollback()
        app.logger.exception("Failed to apply status via /set: %s", exc)
        return (
            render_template(
                "set_status.html",
                success=False,
                status_code=status_code,
                status_label=None,
                allowed_codes=allowed_codes,
                labels=STATUS_LABELS,
                error="save_failed",
                pending_status=None,
                pending_reason=None,
                pending_apply=False,
                requires_login=False,
                csrf_token=session.get("csrf_token"),
            ),
            500,
        )

    try:
        if socketio:
            socketio.emit(
                "state_updated",
                {"grade": grade, "section": section, "magnets": magnets},
                namespace=f"/ws/classes/{grade}/{section}",
            )
    except Exception as exc:
        app.logger.warning("Websocket broadcast failed for /set: %s", exc)

    try:
        broadcast_public_status_update(grade, section)
    except Exception as exc:
        app.logger.warning("Public status broadcast failed for /set: %s", exc)

    status_label = STATUS_LABELS.get(status_code, status_code)
    return render_template(
        "set_status.html",
        success=True,
        status_code=status_code,
        status_label=status_label,
        reason=reason if status_code == "etc" else None,
        allowed_codes=allowed_codes,
        labels=STATUS_LABELS,
        grade=grade,
        section=section,
        pending_status=None,
        pending_reason=None,
        pending_apply=False,
        requires_login=False,
        csrf_token=session.get("csrf_token"),
    )


@app.route("/reload-configs")
def reload_configs():
    global CLASS_CONFIGS
    CLASS_CONFIGS = load_class_config(force_refresh=True)
    return jsonify({"status": "reloaded"})


@app.route("/api/version")
def get_version():
    """Get current asset version for cache busting"""
    return jsonify({
        "version": config.ASSET_VERSION,
        "assetVersion": config.ASSET_VERSION,
        "appVersion": config.APP_VERSION,
    })

@app.route("/sitemap.xml")
def sitemap():
    return send_from_directory(".", "sitemap.xml", mimetype="application/xml")

@app.route("/robots.txt")
def robots():
    return send_from_directory(".", "robots.txt", mimetype="text/plain")


_PUBLIC_STATIC_EXTENSIONS = {
    ".css",
    ".js",
    ".map",
    ".png",
    ".jpg",
    ".jpeg",
    ".gif",
    ".svg",
    ".webp",
    ".ico",
    ".woff",
    ".woff2",
    ".ttf",
    ".eot",
    ".otf",
    ".mp3",
    ".wav",
    ".ogg",
    ".mp4",
    ".webm",
    ".html",
    ".webmanifest",
}
_PUBLIC_STATIC_JSON_FILES = {"wallpaper.json", "timetable-phases.json"}
_PUBLIC_STATIC_DIRS = {"js", "src", "bsod"}
_BLOCKED_STATIC_EXTENSIONS = {
    ".py",
    ".pyc",
    ".db",
    ".sqlite",
    ".sqlite3",
    ".env",
    ".ini",
    ".toml",
    ".lock",
    ".yml",
    ".yaml",
}


@app.get("/<path:filename>")
def public_static_file(filename: str):
    path = PurePosixPath(filename)
    if path.is_absolute() or ".." in path.parts or any(part.startswith(".") for part in path.parts):
        abort(404)

    suffix = path.suffix.lower()
    root_name = path.name
    is_json_allowlisted = suffix == ".json" and root_name in _PUBLIC_STATIC_JSON_FILES
    is_public_ext = suffix in _PUBLIC_STATIC_EXTENSIONS
    is_public_dir = len(path.parts) > 1 and path.parts[0] in _PUBLIC_STATIC_DIRS

    if suffix in _BLOCKED_STATIC_EXTENSIONS:
        abort(404)
    if not (is_public_ext or is_json_allowlisted or is_public_dir):
        abort(404)

    return send_from_directory(".", filename)

if __name__ == "__main__":
    with app.app_context():
        db.create_all()

        # 스케줄러 시작 (2월 28일 데이터 초기화)
        from scheduler import start_scheduler
        start_scheduler()

    socketio.run(app, host="0.0.0.0", port=5000, allow_unsafe_werkzeug=True, debug=True)