from datetime import datetime
from typing import Optional
from pydantic import BaseModel


class Token(BaseModel):
    access_token: str
    refresh_token: str
    token_type: str = "bearer"
    must_change_password: bool = False
    # Session-policy expiry windows derived from the refresh JWT. Frontend
    # uses these to drive the "your session ends soon" toast and to know
    # when /auth/refresh will reject for absolute expiry. See
    # docs/plans/2026-05-13-session-expiration-policy.md §4.2.
    idle_expires_at: Optional[datetime] = None
    absolute_expires_at: Optional[datetime] = None


class TokenPayload(BaseModel):
    sub: Optional[str] = None
    exp: Optional[int] = None
    type: Optional[str] = None