use axum::{
    extract::Request,
    http::StatusCode,
    middleware::Next,
    response::Response,
};

/// API key auth middleware. Checks X-API-Key header against configured key.
pub async fn api_key_auth(
    request: Request,
    next: Next,
) -> Result<Response, StatusCode> {
    // Get the expected key from the request extensions (set by the layer)
    let expected_key = request.extensions().get::<ApiKey>().cloned();

    if let Some(expected) = expected_key {
        let provided = request
            .headers()
            .get("x-api-key")
            .and_then(|v| v.to_str().ok());

        match provided {
            Some(key) if key == expected.0 => {}
            _ => {
                tracing::warn!("unauthorized request: missing or invalid API key");
                return Err(StatusCode::UNAUTHORIZED);
            }
        }
    }

    Ok(next.run(request).await)
}

/// Wrapper type for the API key, stored in request extensions.
#[derive(Clone)]
pub struct ApiKey(pub String);