letsbe-orchestrator/app/dependencies/admin_auth.py

"""Admin authentication dependency for protected endpoints."""

import secrets

from fastapi import Depends, Header, HTTPException, status

from app.config import get_settings


async def verify_admin_api_key(
    x_admin_api_key: str = Header(..., alias="X-Admin-Api-Key"),
) -> None:
    """
    Verify admin API key for protected endpoints.

    Used to protect sensitive operations like registration token management.

    Raises:
        HTTPException: 401 if API key is missing or invalid
    """
    settings = get_settings()

    # Use timing-safe comparison to prevent timing attacks
    if not secrets.compare_digest(x_admin_api_key, settings.ADMIN_API_KEY):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid admin API key",
            headers={"WWW-Authenticate": "ApiKey"},
        )


# Dependency that can be used in route decorators
AdminAuthDep = Depends(verify_admin_api_key)