"""Token authentication utilities.

DEPRECATED: Use shared.session_auth for new code.
This module kept for backward compatibility.
"""

import os
from fastapi import HTTPException, Request


def _get_admin_token() -> str:
    """Get admin token from env, checked dynamically."""
    return os.getenv("BLOG_ADMIN_TOKEN") or os.getenv("ADMIN_TOKEN") or os.getenv("HOFFDESK_SECRET") or "changeme-please-update"


def verify_admin_token(request: Request) -> str:
    """Verify admin token from query param or header.
    
    Checks X-Admin-Token header first, then ?token= query param.
    Returns the token if valid, raises 401 if not.
    
    DEPRECATED: Use require_auth from shared.session_auth instead.
    """
    # Try Bearer token / X-Hoffdesk-Secret first (machine-to-machine)
    from shared.session_auth import get_bearer_auth
    bearer = get_bearer_auth(request)
    if bearer:
        return _get_admin_token()
    
    # Fallback to legacy token param/header
    token = request.headers.get("X-Admin-Token") or request.query_params.get("token")
    if token != _get_admin_token():
        raise HTTPException(status_code=401, detail="Unauthorized - invalid or missing token")
    return token