/**
 * API Key middleware
 * Reads key from X-API-Key header (preferred) or ?api_key= query param (fallback)
 */

function validateApiKey(req, res, next) {
  const apiKey = req.headers['x-api-key'] || req.query.api_key;

  if (!apiKey || apiKey !== process.env.API_KEY) {
    return res.status(401).json({ error: 'Unauthorized - Invalid API key' });
  }

  next();
}

module.exports = { validateApiKey };