From 50aa6008e399461acd6340c92d13a75c55b544d6 Mon Sep 17 00:00:00 2001
From: William Valentin <william.valentin.info@gmail.com>
Date: Sun, 1 Feb 2026 02:45:45 -0800
Subject: [PATCH] feat: add admin token config and auth helper

---
 packages/config/src/adminAuth.test.ts | 14 ++++++++++++++
 packages/config/src/adminAuth.ts      |  7 +++++++
 packages/config/src/index.ts          |  8 +++++++-
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 packages/config/src/adminAuth.test.ts
 create mode 100644 packages/config/src/adminAuth.ts

diff --git a/packages/config/src/adminAuth.test.ts b/packages/config/src/adminAuth.test.ts
new file mode 100644
index 0000000..36ea26c
--- /dev/null
+++ b/packages/config/src/adminAuth.test.ts
@@ -0,0 +1,14 @@
+import { test, expect } from "bun:test";
+import { isAdminRequest } from "./adminAuth";
+
+test("isAdminRequest returns false when ADMIN_TOKEN unset", () => {
+  expect(isAdminRequest({ adminToken: undefined }, { headerToken: "x" })).toBe(
+    false,
+  );
+});
+
+test("isAdminRequest returns true when header token matches", () => {
+  expect(
+    isAdminRequest({ adminToken: "secret" }, { headerToken: "secret" }),
+  ).toBe(true);
+});
diff --git a/packages/config/src/adminAuth.ts b/packages/config/src/adminAuth.ts
new file mode 100644
index 0000000..42ccabf
--- /dev/null
+++ b/packages/config/src/adminAuth.ts
@@ -0,0 +1,7 @@
+export function isAdminRequest(
+  env: { adminToken: string | undefined },
+  input: { headerToken: string | null | undefined },
+) {
+  if (!env.adminToken) return false;
+  return input.headerToken === env.adminToken;
+}
diff --git a/packages/config/src/index.ts b/packages/config/src/index.ts
index 7aebbc7..6a9b785 100644
--- a/packages/config/src/index.ts
+++ b/packages/config/src/index.ts
@@ -2,7 +2,8 @@ import { z } from "zod";
 
 const envSchema = z.object({
   APP_NAME: z.string().min(1).default("porthole"),
-  NEXT_PUBLIC_APP_NAME: z.string().min(1).optional()
+  NEXT_PUBLIC_APP_NAME: z.string().min(1).optional(),
+  ADMIN_TOKEN: z.string().min(1).optional(),
 });
 
 let cachedEnv: z.infer<typeof envSchema> | undefined;
@@ -23,3 +24,8 @@ export function getAppName() {
   const env = getEnv();
   return env.NEXT_PUBLIC_APP_NAME ?? env.APP_NAME;
 }
+
+export function getAdminToken() {
+  const env = getEnv();
+  return env.ADMIN_TOKEN;
+}