src/lib/admin-auth.ts

import { NextRequest, NextResponse } from 'next/server';
import { timingSafeEqual } from 'crypto';

export function validateAdminApiKey(request: NextRequest): boolean {
  const apiKey = request.headers.get('x-api-key');
  const expectedKey = process.env.ADMIN_API_KEY;

  if (!expectedKey || !apiKey) {
    if (!expectedKey) console.warn('ADMIN_API_KEY not configured');
    return false;
  }

  if (apiKey.length !== expectedKey.length) {
    return false;
  }

  return timingSafeEqual(Buffer.from(apiKey), Buffer.from(expectedKey));
}

export function unauthorizedResponse() {
  return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
chore: sync with Gitea master and restore local-only files Reset local main to gitea/master (new source of truth) and restored local-only files: web scrapers, admin dashboard, ChromaDB integration, debug scripts, and utility libraries that aren't tracked in Gitea. Gitea master adds: discovermass, buscarmisas-network, hk-parishes, bohosluzby, kerknet, gottesdienstzeiten, miserend importers, ClaimRequest model, forward geocoding, heartbeat healthcheck. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-12 19:11:22 -04:00			`import { NextRequest, NextResponse } from 'next/server';`
			`import { timingSafeEqual } from 'crypto';`

			`export function validateAdminApiKey(request: NextRequest): boolean {`
			`const apiKey = request.headers.get('x-api-key');`
			`const expectedKey = process.env.ADMIN_API_KEY;`

			`if (!expectedKey \|\| !apiKey) {`
			`if (!expectedKey) console.warn('ADMIN_API_KEY not configured');`
			`return false;`
			`}`

			`if (apiKey.length !== expectedKey.length) {`
			`return false;`
			`}`

			`return timingSafeEqual(Buffer.from(apiKey), Buffer.from(expectedKey));`
			`}`

			`export function unauthorizedResponse() {`
			`return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });`
			`}`