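"""Admin authentication dependency."""

import secrets
from typing import Annotated

from fastapi import Depends, Header, HTTPException, status

from app.config import settings


def validate_admin_key(
    x_admin_api_key: Annotated[str, Header(description="Admin API key")],
) -> str:
    """
    Validate the admin API key supplied in the ``X-Admin-Api-Key`` header.

    The comparison is constant-time (``secrets.compare_digest``) so response
    timing does not reveal how much of the key matched.

    Args:
        x_admin_api_key: Header value sent by the client.

    Returns:
        The supplied key, unchanged, when it matches the configured key.

    Raises:
        HTTPException: 401 when the key does not match, or when no admin key
            is configured (fail closed).
    """
    expected = settings.ADMIN_API_KEY

    # compare_digest() raises TypeError for str arguments that contain
    # non-ASCII characters; comparing bytes keeps a malformed header a clean
    # 401 instead of an unhandled 500.
    supplied_bytes = x_admin_api_key.encode("utf-8")
    # NOTE(review): assumes settings.ADMIN_API_KEY is a plain str; any other
    # type is treated as "not configured" and rejected.
    expected_bytes = expected.encode("utf-8") if isinstance(expected, str) else b""

    # Fail closed: an unset or empty configured key must never authenticate,
    # otherwise an empty header value would compare equal to it.
    key_ok = bool(expected_bytes) and secrets.compare_digest(
        supplied_bytes, expected_bytes
    )
    if not key_ok:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid admin API key",
        )
    return x_admin_api_key


# Type alias for dependency injection.
# The callable must be wrapped in Depends(): FastAPI does not treat a bare
# function in Annotated metadata as a dependency, so without the wrapper the
# parameter is handled as an ordinary str input and the key check never runs.
AdminKeyDep = Annotated[str, Depends(validate_admin_key)]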