"""Authentication helpers for adacam-api."""
import hashlib
from functools import wraps
from flask import request, jsonify


def get_device_serial():
    """Get device serial from liberate.sh-generated file."""
    try:
        return open('/data/adacam/device_serial').read().strip()
    except:
        return 'unknown'


def get_api_token():
    """Derive API token from device serial (matches liberate.sh output)."""
    serial = get_device_serial()
    return hashlib.sha256(f"adacam-api-{serial}-token".encode()).hexdigest()[:32]


def require_auth(f):
    """Decorator: require valid Bearer token for protected endpoints."""
    @wraps(f)
    def decorated(*args, **kwargs):
        auth = request.headers.get('Authorization', '')
        token = auth.replace('Bearer ', '').strip()
        if token != get_api_token():
            return jsonify({'error': 'unauthorized'}), 401
        return f(*args, **kwargs)
    return decorated