"""API key authentication dependency."""

from fastapi import Depends, HTTPException, Request, status
from fastapi.security import APIKeyHeader

_api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)


async def require_api_key(
    request: Request,
    api_key: str | None = Depends(_api_key_header),
) -> None:
    """FastAPI dependency that enforces X-API-Key header authentication.

    If no API key is configured on the server (empty string), all requests
    are allowed — this is intended for local development only.
    """
    expected: str = request.app.state.api_key
    if not expected:
        return  # dev mode: no key set, allow all
    if api_key != expected:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Invalid or missing API key",
        )