letsbe-orchestrator/app/dependencies/admin_auth.py

"""Admin authentication dependency for protected endpoints."""

import secrets

from fastapi import Depends, Header, HTTPException, status

from app.config import get_settings


async def verify_admin_api_key(
    x_admin_api_key: str = Header(..., alias="X-Admin-Api-Key"),
) -> None:
    """
    Verify admin API key for protected endpoints.

    Used to protect sensitive operations like registration token management.

    Raises:
        HTTPException: 401 if API key is missing or invalid
    """
    settings = get_settings()

    # Use timing-safe comparison to prevent timing attacks
    if not secrets.compare_digest(x_admin_api_key, settings.ADMIN_API_KEY):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid admin API key",
            headers={"WWW-Authenticate": "ApiKey"},
        )


# Dependency that can be used in route decorators
AdminAuthDep = Depends(verify_admin_api_key)
feat: add secure token-based agent registration and multi-tenant isolation - Add RegistrationToken model for secure agent registration - Add secret_hash field to Agent model (SHA-256 hashed credentials) - Create admin auth dependency for protected endpoints - Create agent auth dependency with X-Agent-Id/X-Agent-Secret headers - Add backward compatibility with legacy Bearer token auth - Add registration token CRUD endpoints under /tenants/{id}/registration-tokens - Update agent registration to use registration tokens - Add authentication to task endpoints with tenant isolation - Add comprehensive tests for auth and registration flows Breaking changes: - /tasks/next no longer accepts agent_id query param (uses auth headers) - PATCH /tasks/{id} now requires authentication 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-07 11:11:32 +01:00			`"""Admin authentication dependency for protected endpoints."""`

			`import secrets`

			`from fastapi import Depends, Header, HTTPException, status`

			`from app.config import get_settings`


			`async def verify_admin_api_key(`
			`x_admin_api_key: str = Header(..., alias="X-Admin-Api-Key"),`
			`) -> None:`
			`"""`
			`Verify admin API key for protected endpoints.`

			`Used to protect sensitive operations like registration token management.`

			`Raises:`
			`HTTPException: 401 if API key is missing or invalid`
			`"""`
			`settings = get_settings()`

			`# Use timing-safe comparison to prevent timing attacks`
			`if not secrets.compare_digest(x_admin_api_key, settings.ADMIN_API_KEY):`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Invalid admin API key",`
			`headers={"WWW-Authenticate": "ApiKey"},`
			`)`


			`# Dependency that can be used in route decorators`
			`AdminAuthDep = Depends(verify_admin_api_key)`