Harden auth and persist report schedules

app/routers/admin.py

@@ -5,12 +5,13 @@ Provides admin-specific endpoints for triggering calibration,
 toggling AI generation, and resetting normalization.
 """
 
-from typing import Any, Dict, Optional
+from typing import Any, Dict
 
-from fastapi import APIRouter, Depends, Header, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from app.core.auth import AuthContext, get_auth_context, require_website_auth
 from app.core.config import get_settings
 from app.database import get_db
 from app.models import Tryout, TryoutStats
@@ -23,35 +24,6 @@ router = APIRouter(prefix="/admin", tags=["admin"])
 settings = get_settings()
 
 
-def get_admin_website_id(
-    x_website_id: Optional[str] = Header(None, alias="X-Website-ID"),
-) -> int:
-    """
-    Extract and validate website_id from request header for admin operations.
-
-    Args:
-        x_website_id: Website ID from header
-
-    Returns:
-        Validated website ID as integer
-
-    Raises:
-        HTTPException: If header is missing or invalid
-    """
-    if x_website_id is None:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="X-Website-ID header is required",
-        )
-    try:
-        return int(x_website_id)
-    except ValueError:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="X-Website-ID must be a valid integer",
-        )
-
-
 @router.post(
     "/{tryout_id}/calibrate",
     summary="Trigger IRT calibration",
@@ -60,7 +32,7 @@ def get_admin_website_id(
 async def admin_trigger_calibration(
     tryout_id: str,
     db: AsyncSession = Depends(get_db),
-    website_id: int = Depends(get_admin_website_id),
+    auth: AuthContext = Depends(get_auth_context),
 ) -> Dict[str, Any]:
     """
     Trigger IRT calibration for all items in a tryout.
@@ -79,6 +51,8 @@ async def admin_trigger_calibration(
     Raises:
         HTTPException: If tryout not found or calibration fails
     """
+    website_id = require_website_auth(auth, allowed_roles={"admin", "system_admin"})
+
     # Verify tryout exists
     tryout_result = await db.execute(
         select(Tryout).where(
@@ -121,7 +95,7 @@ async def admin_trigger_calibration(
 async def admin_toggle_ai_generation(
     tryout_id: str,
     db: AsyncSession = Depends(get_db),
-    website_id: int = Depends(get_admin_website_id),
+    auth: AuthContext = Depends(get_auth_context),
 ) -> Dict[str, Any]:
     """
     Toggle AI generation for a tryout.
@@ -139,6 +113,8 @@ async def admin_toggle_ai_generation(
     Raises:
         HTTPException: If tryout not found
     """
+    website_id = require_website_auth(auth, allowed_roles={"admin", "system_admin"})
+
     # Get tryout
     result = await db.execute(
         select(Tryout).where(
@@ -175,7 +151,7 @@ async def admin_toggle_ai_generation(
 async def admin_reset_normalization(
     tryout_id: str,
     db: AsyncSession = Depends(get_db),
-    website_id: int = Depends(get_admin_website_id),
+    auth: AuthContext = Depends(get_auth_context),
 ) -> Dict[str, Any]:
     """
     Reset normalization for a tryout.
@@ -193,6 +169,8 @@ async def admin_reset_normalization(
     Raises:
         HTTPException: If tryout or stats not found
     """
+    website_id = require_website_auth(auth, allowed_roles={"admin", "system_admin"})
+
     # Get tryout stats
     stats_result = await db.execute(
         select(TryoutStats).where(