from typing import Optional
from fastapi import HTTPException, Security
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from firebase_admin import auth as firebase_auth

_bearer = HTTPBearer(auto_error=False)


async def require_firebase_token(
    credentials: Optional[HTTPAuthorizationCredentials] = Security(_bearer),
) -> dict:
    """Verify a Firebase ID token from the Authorization: Bearer header."""
    if not credentials:
        raise HTTPException(status_code=401, detail="Missing authorization token")
    try:
        return firebase_auth.verify_id_token(credentials.credentials)
    except Exception:
        raise HTTPException(status_code=401, detail="Invalid or expired token")


async def require_admin_token(
    credentials: Optional[HTTPAuthorizationCredentials] = Security(_bearer),
) -> dict:
    """Verify a Firebase ID token AND require the admin custom claim."""
    decoded = await require_firebase_token(credentials)
    if not decoded.get("admin"):
        raise HTTPException(status_code=403, detail="Admin access required")
    return decoded