require('dotenv').config();

const VALID_KEYS = new Set(
  (process.env.API_KEYS || '').split(',').map(k => k.trim()).filter(Boolean)
);

function authMiddleware(req, res, next) {
  const key = req.headers['x-api-key'];

  if (!key) {
    return res.status(401).json({ error: 'API key ausente. Use o header: x-api-key' });
  }

  if (!VALID_KEYS.has(key)) {
    return res.status(403).json({ error: 'API key inválida.' });
  }

  next();
}

module.exports = authMiddleware;