"""API key authentication. No fallback: missing or invalid key returns 401."""
import logging
from typing import Annotated

from fastapi import Header, HTTPException

from app.config import get_api_keys

logger = logging.getLogger(__name__)

HEADER = "X-API-Key"


def _valid_keys() -> list[str]:
    return get_api_keys()


def require_api_key(
    x_api_key: Annotated[str | None, Header(alias=HEADER)] = None,
) -> str:
    """Dependency: validate X-API-Key header and return the key id (same value)."""
    if not x_api_key or not x_api_key.strip():
        logger.warning("Missing %s header", HEADER)
        raise HTTPException(status_code=401, detail="Missing API key")
    key = x_api_key.strip()
    if key not in _valid_keys():
        logger.warning("Invalid API key attempt")
        raise HTTPException(status_code=401, detail="Invalid API key")
    return key