app/core/security.py

"""Security utilities for API key verification."""

import secrets
from app.core.config import settings
from app.core.exceptions import AuthenticationError


def verify_api_key(api_key: str) -> bool:
    """
    Verify if the provided API key is valid using timing-safe comparison.

    Args:
        api_key: The API key to verify

    Returns:
        True if the API key is valid

    Raises:
        AuthenticationError: If the API key is invalid or missing
    """
    if not api_key:
        raise AuthenticationError("Missing API key")

    if not settings.api_keys_set:
        raise AuthenticationError("No API keys configured on server")

    for valid_key in settings.api_keys_set:
        if secrets.compare_digest(api_key, valid_key):
            return True

    raise AuthenticationError("Invalid API key")