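import { createHash, timingSafeEqual } from 'node:crypto';

import type { MiddlewareHandler } from 'hono';

/**
 * Service-key middleware for GDPR (DSGVO) endpoints and other
 * service-to-service calls.
 *
 * Today (Phase 5): compares the `X-Service-Key` header against
 * `process.env.CARDS_DSGVO_SERVICE_KEY` using a constant-time comparison.
 *
 * Phase F-1: to be replaced by verification against mana-auth's
 * `apps.app_service_keys` table (caller app = `mana-admin`).
 */

/**
 * Compares two strings without an early exit on length or content.
 *
 * Both inputs are reduced to SHA-256 digests and the digests are compared
 * with `timingSafeEqual`. The final comparison therefore always covers the
 * same number of bytes, so a length mismatch no longer returns faster than
 * a content mismatch (the previous hand-rolled loop returned early on
 * differing lengths, which exposes the secret's length through timing).
 *
 * @param a - First string (here: the caller-supplied key).
 * @param b - Second string (here: the configured key).
 * @returns `true` only when both strings hold the same UTF-16 code units.
 */
function constantTimeEquals(a: string, b: string): boolean {
  // 'utf16le' keeps every UTF-16 code unit as-is, so the result matches the
  // code-unit comparison this function performed before (a UTF-8 encoding
  // would fold distinct lone surrogates into the same replacement bytes).
  const digestA = createHash('sha256').update(Buffer.from(a, 'utf16le')).digest();
  const digestB = createHash('sha256').update(Buffer.from(b, 'utf16le')).digest();

  // Both digests are 32 bytes, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(digestA, digestB);
}

/**
 * Builds a Hono middleware that admits a request only when its
 * `X-Service-Key` header matches the secret stored in an environment
 * variable.
 *
 * The middleware fails closed: an unset or empty environment variable
 * yields a 500 response and the downstream handler is never called, and a
 * missing or non-matching header yields a 401 response.
 *
 * @param opts - `envVar` is the name of the environment variable holding
 *   the expected key. It is read on every request.
 * @returns The middleware handler.
 */
export function serviceKeyAuth(opts: { envVar: string }): MiddlewareHandler {
  return async (c, next) => {
    const expected = process.env[opts.envVar];
    if (!expected) {
      // NOTE(review): this body names the environment variable to a caller
      // that has not authenticated yet. Consider logging the detail on the
      // server and returning only the error code.
      return c.json(
        {
          error: 'service_key_not_configured',
          detail: `${opts.envVar} env-var is not set`,
        },
        500
      );
    }

    const provided = c.req.header('X-Service-Key');
    // A missing or empty header is rejected before the comparison runs.
    if (!provided || !constantTimeEquals(provided, expected)) {
      return c.json({ error: 'service_key_invalid' }, 401);
    }

    await next();
  };
}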