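import hmac
import logging
import os
from typing import Optional

from fastapi import HTTPException, Query, Security
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

_logger = logging.getLogger(__name__)

# NOTE(review): the fallback is a publicly guessable placeholder. It is kept so
# existing deployments keep starting, but any instance running without
# AUTH_TOKEN set accepts a well-known secret. Set AUTH_TOKEN to a long random
# value (e.g. generated with the `secrets` module) in every environment.
_DEFAULT_AUTH_TOKEN = "changeme"
_AUTH_TOKEN = os.environ.get("AUTH_TOKEN", _DEFAULT_AUTH_TOKEN)
if _AUTH_TOKEN == _DEFAULT_AUTH_TOKEN:
    _logger.warning(
        "AUTH_TOKEN is unset or left at the placeholder value; "
        "configure a strong secret before exposing this service"
    )

# auto_error=False lets a request without an Authorization header fall through
# to the ?token= query parameter instead of being rejected by the scheme itself.
_bearer_scheme = HTTPBearer(auto_error=False)


async def verify_token(
    credentials: Optional[HTTPAuthorizationCredentials] = Security(_bearer_scheme),
    token: Optional[str] = Query(default=None),
) -> str:
    """
    Verify the bearer token from Authorization header or ?token= query param.

    The Authorization header takes precedence: when it is present, the query
    parameter is ignored even if the header value is wrong.

    Returns:
        The token string that was presented and accepted.

    Raises:
        HTTPException: 401 with a ``WWW-Authenticate: Bearer`` header when the
            token is missing, empty, or does not match the configured secret.
    """
    provided: Optional[str] = None
    if credentials is not None:
        provided = credentials.credentials
    elif token is not None:
        # NOTE(review): tokens passed in the query string end up in access
        # logs, proxy logs, browser history and Referer headers. Prefer the
        # Authorization header; treat ?token= as a compatibility path only.
        provided = token

    # An empty token is never valid, even if AUTH_TOKEN was misconfigured as "".
    # compare_digest runs in time independent of where the inputs differ, so
    # response timing does not reveal how much of a guess was correct. Both
    # sides are encoded to bytes because compare_digest rejects non-ASCII str.
    authenticated = bool(provided) and hmac.compare_digest(
        provided.encode("utf-8"), _AUTH_TOKEN.encode("utf-8")
    )
    if not authenticated:
        raise HTTPException(
            status_code=401,
            detail="Invalid or missing authentication token",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return provided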