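"""Placeholder user lookup with a PBKDF2-derived password verifier.

Demo-only: stands in for an Elasticsearch lookup. The single demo user is
``admin`` / ``Password123!``; the record holds the PBKDF2-derived verifier,
never the plaintext password.
"""
from __future__ import annotations

import base64
import functools
import hashlib

# PBKDF2 parameters. Both sides of the challenge must use identical values,
# so they live in one place. NOTE(review): 100k iterations is at the low end
# of current PBKDF2-HMAC-SHA256 guidance; raise it if the client can afford it.
_KDF_HASH = 'sha256'
_KDF_ITERATIONS = 100_000
_KDF_DKLEN = 32

_DEMO_USERNAME = 'admin'
# Hard-coded demo credential for the placeholder. Must never reach production.
_DEMO_PASSWORD = 'Password123!'


def _salt_for_username(username: str) -> bytes:
    """Return the 32-byte salt for *username*: SHA-256 of its UTF-8 encoding.

    SECURITY: this salt is deterministic and public -- anyone who knows the
    username can compute it -- so it adds no unpredictability; it only keeps
    different usernames from sharing a salt. That is tolerable here only
    because the protocol hands the salt to the client anyway. A production
    store should generate a random per-user salt (e.g. ``secrets.token_bytes``)
    and persist it with the record instead of deriving it from the name.
    """
    return hashlib.sha256(username.encode('utf-8')).digest()


def _derive_password(password_plain: str, salt: bytes) -> bytes:
    """Derive the PBKDF2-HMAC-SHA256 verifier (``_KDF_DKLEN`` bytes) for *password_plain*.

    The result is what gets stored in place of the plaintext password. Since the
    client is expected to derive the same value, treat the stored verifier as
    password-equivalent: compare it with ``hmac.compare_digest`` and never send
    it back to the client.
    """
    return hashlib.pbkdf2_hmac(
        _KDF_HASH,
        password_plain.encode('utf-8'),
        salt,
        _KDF_ITERATIONS,
        dklen=_KDF_DKLEN,
    )


@functools.lru_cache(maxsize=None)
def _demo_credentials() -> tuple[bytes, bytes]:
    """Return ``(salt, verifier)`` for the demo user, computed once per process.

    The original recomputed the full PBKDF2 derivation on every lookup, which
    made an unauthenticated request for ``admin`` cost 100k HMAC iterations.
    Caching the constant demo values removes that amplification.
    """
    salt = _salt_for_username(_DEMO_USERNAME)
    return salt, _derive_password(_DEMO_PASSWORD, salt)


def get_user_by_username(username: str) -> dict[str, object] | None:
    """Return the stored record for *username*, or ``None`` if unknown.

    Placeholder for an ES lookup: only the exact (case-sensitive) string
    ``'admin'`` matches. In production this should query ES with the given
    mapping.

    Returned keys:
      - ``user_id``: 1
      - ``username``: ``'admin'``
      - ``password``: base64 of the PBKDF2-derived verifier (not the plaintext).
        For the caller's comparison only; do not expose to the client.
      - ``premission``: 0 (admin). Key is intentionally spelled this way to
        match the existing record layout / callers.
      - ``salt``: base64 of the salt, meant to be sent to the client during the
        challenge so both sides derive consistently.

    A fresh dict is returned on every call, so callers may mutate it safely.
    NOTE(review): unknown users return immediately; if a production lookup is
    noticeably slower for existing users, response time can leak whether a
    username exists -- keep both paths similar in cost.
    """
    if username != _DEMO_USERNAME:
        return None
    salt, verifier = _demo_credentials()
    return {
        'user_id': 1,
        'username': _DEMO_USERNAME,
        # Store only the derived secret, not the plaintext password
        'password': base64.b64encode(verifier).decode('ascii'),
        'premission': 0,
        # Expose salt to the client during challenge so both sides derive consistently
        'salt': base64.b64encode(salt).decode('ascii'),
    }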