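import hashlib
import hmac

import bcrypt

from db import get_cursor


def verify_admin(username: str, password: str) -> bool:
    """Verify that *username* is an active admin and *password* matches its stored hash.

    Looks the user up by name, restricted to ``role = 'admin'`` and
    ``is_active = TRUE``, then checks the submitted password against the
    stored ``password_hash``. Two hash formats are recognised:

    * bcrypt strings (prefix ``$2``) -- checked with ``bcrypt.checkpw``.
    * legacy ``"salt:hexdigest"`` strings -- ``sha256(salt + password)``,
      compared in constant time.

    Args:
        username: Login name to look up. It is passed to the query as a bound
            parameter, never interpolated into the SQL text.
        password: Plaintext password submitted by the caller.

    Returns:
        True only if the user exists, is an active admin, and the password
        matches. False for a missing user, a NULL/empty or unrecognised hash,
        or a mismatch.

    Raises:
        Whatever ``get_cursor`` / ``cur.execute`` raise on database errors;
        nothing is caught here.
    """
    with get_cursor() as cur:
        cur.execute(
            """
            SELECT username, password_hash
            FROM users
            WHERE username = %s
              AND role = 'admin'
              AND is_active = TRUE
            """,
            (username,),
        )
        row = cur.fetchone()

    if not row:
        # NOTE(review): returning before any hash work makes the "unknown
        # user" path measurably faster than the "wrong password" path, which
        # can reveal which admin names exist. A fixed-cost dummy comparison
        # here would close that gap -- confirm the bcrypt cost used in
        # production before adding one.
        return False

    stored = row["password_hash"]
    # A NULL or empty hash (an unset or disabled credential) must never verify.
    if not stored:
        return False

    # bcrypt hashes ($2a$/$2b$/$2y$...): checkpw handles salt and cost itself
    # and compares in constant time.
    if stored.startswith("$2"):
        return bcrypt.checkpw(password.encode("utf-8"), stored.encode("utf-8"))

    # Legacy "salt:hexdigest" format, hashed as sha256(salt + password).
    # sha256 is a fast hash and a poor fit for password storage; these rows
    # should be migrated to bcrypt. compare_digest avoids a timing side
    # channel on the digest comparison; bytes are compared so a non-ASCII
    # value in the column cannot raise TypeError.
    if ":" in stored:
        salt, expected = stored.split(":", 1)
        got = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
        return hmac.compare_digest(got.encode("utf-8"), expected.encode("utf-8"))

    # Unrecognised hash format: fail closed.
    return False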