import { NextResponse } from "next/server";
import { setFlag } from "@/lib/feature-flags";
import { timingSafeStringEq } from "@/lib/server/timing-safe";

/** Scheme prefix (lower-cased, including the separating space) of a bearer Authorization header. */
const BEARER_PREFIX = "bearer ";

/**
 * Extracts the token from an `Authorization: Bearer <token>` request header.
 *
 * The scheme is matched case-insensitively and the token is trimmed.
 *
 * @param request - Incoming request whose headers are inspected.
 * @returns The token, or an empty string when the header is absent or does
 *   not use the bearer scheme.
 */
function extractBearerToken(request: Request): string {
  const header = request.headers.get("authorization") ?? "";
  if (!header.toLowerCase().startsWith(BEARER_PREFIX)) {
    return "";
  }
  return header.slice(BEARER_PREFIX.length).trim();
}

/**
 * Admin endpoint that clears the `path_b_disabled` feature flag, re-enabling Path B.
 *
 * The caller must present `Authorization: Bearer <token>` where the token
 * equals the `NEXTAUTH_SECRET` environment variable.
 *
 * Responses:
 * - 503 when `NEXTAUTH_SECRET` is unset or empty (the route fails closed),
 * - 401 when the bearer token is missing or does not match,
 * - 200 with `{ ok, flag, value, note }` once the flag has been written.
 *
 * A rejection from `setFlag` is not caught here and propagates to the framework.
 *
 * NOTE(review): the credential accepted here is NEXTAUTH_SECRET itself. Judging
 * by its name it is also the NextAuth secret; if so, the same value both protects
 * sessions and travels in request headers to this route, where proxies or access
 * logs could capture it. A dedicated admin token would limit the impact of a
 * leak. Confirm against the auth configuration.
 *
 * NOTE(review): this handler writes no audit record of who flipped the flag or
 * when; verify whether `setFlag` logs the change, since this route reverses a
 * kill switch.
 */
export async function POST(request: Request) {
  const secret = process.env.NEXTAUTH_SECRET ?? "";

  // Fail closed: with no secret configured, an empty token must never authenticate.
  // NOTE(review): this body names the environment variable to unauthenticated callers.
  if (!secret) {
    return NextResponse.json(
      { error: "NEXTAUTH_SECRET not configured" },
      { status: 503 },
    );
  }

  const token = extractBearerToken(request);

  // The empty-token check short-circuits, so the comparison helper only ever
  // sees a non-empty candidate.
  // NOTE(review): timingSafeStringEq is defined elsewhere; presumably a
  // constant-time comparison that tolerates inputs of different length. Confirm.
  const authorized = token !== "" && timingSafeStringEq(secret, token);
  if (!authorized) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

  await setFlag("path_b_disabled", false);

  return NextResponse.json({
    ok: true,
    flag: "path_b_disabled",
    value: false,
    note: "Path B re-enabled.",
  });
}