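import { NextRequest, NextResponse } from 'next/server';
import { timingSafeEqual } from 'crypto';

/**
 * Checks the `x-api-key` request header against the `ADMIN_API_KEY`
 * environment variable.
 *
 * Fails closed: a missing header or an unconfigured key yields `false`.
 * An unconfigured key also logs a warning, so the misconfiguration is visible.
 *
 * @param request - Incoming request whose `x-api-key` header is inspected.
 * @returns `true` only when the presented key matches the configured key
 *   byte for byte.
 */
export function validateAdminApiKey(request: NextRequest): boolean {
  const apiKey = request.headers.get('x-api-key');
  const expectedKey = process.env.ADMIN_API_KEY;

  if (!expectedKey) {
    console.warn('ADMIN_API_KEY not configured');
    return false;
  }
  if (!apiKey) {
    return false;
  }

  const presented = Buffer.from(apiKey);
  const expected = Buffer.from(expectedKey);

  // Compare encoded byte lengths, not string lengths. timingSafeEqual throws
  // when its inputs differ in byte length, and a header value containing
  // non-ASCII characters can have the same string length as the configured key
  // while encoding to more bytes. Checking string length would let such a
  // request raise an unhandled error instead of being rejected.
  // NOTE(review): this early return is not constant-time, so the key length
  // may be observable to a caller; use fixed-length random keys.
  if (presented.length !== expected.length) {
    return false;
  }

  return timingSafeEqual(presented, expected);
}

/**
 * Builds the JSON response returned to callers that fail API-key validation.
 *
 * @returns A 401 response with the body `{ error: 'Unauthorized' }`.
 */
export function unauthorizedResponse() {
  return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}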