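using System.Runtime.InteropServices;
using System.Security.Claims;
using System.Security.Cryptography;

namespace Nexus.Api.Middleware;

/// <summary>
/// Middleware that authenticates requests via the X-Nexus-Api-Key header.
/// On match, sets a ClaimsPrincipal with role "Service".
/// On mismatch or absent header, passes through to next middleware (JWT auth).
/// </summary>
/// <remarks>
/// The expected key is read from the "NexusApiKey" configuration entry on every request.
/// When that entry is missing, empty or whitespace, no request can authenticate through
/// this middleware and every request falls through unchanged.
/// NOTE(review): a wrong key is indistinguishable from an absent header here; nothing is
/// logged or counted in this file. Confirm that failed attempts are observable elsewhere
/// (request logging, rate limiting) so key guessing can be detected.
/// NOTE(review): the position of this middleware relative to UseAuthentication and
/// UseAuthorization is not visible in this file; confirm it runs before authorization.
/// </remarks>
public sealed class ApiKeyMiddleware(RequestDelegate next)
{
    private const string ApiKeyHeaderName = "X-Nexus-Api-Key";
    private const string ApiKeySettingName = "NexusApiKey";
    private const string ApiKeyAuthenticationType = "ApiKey";

    /// <summary>
    /// Compares the request's API key header with the configured key and, on a match,
    /// replaces <see cref="HttpContext.User"/> with a service principal before calling
    /// the next middleware.
    /// </summary>
    /// <param name="context">The current HTTP request context.</param>
    /// <returns>A task that completes when the rest of the pipeline has run.</returns>
    public async Task InvokeAsync(HttpContext context)
    {
        // NOTE(review): the type argument is inferred from the string-indexer use below.
        var configuration = context.RequestServices.GetRequiredService<IConfiguration>();
        var expectedKey = configuration[ApiKeySettingName];

        // An unset or blank configured key must never match, otherwise an empty header
        // value would authenticate as the service account.
        if (!string.IsNullOrWhiteSpace(expectedKey)
            && context.Request.Headers.TryGetValue(ApiKeyHeaderName, out var providedKey)
            && KeysMatch(expectedKey, providedKey.ToString()))
        {
            Claim[] claims =
            [
                new Claim(ClaimTypes.NameIdentifier, "service"),
                new Claim(ClaimTypes.Name, "ApiService"),
                new Claim(ClaimTypes.Role, "Service"),
            ];

            // Passing an authentication type makes ClaimsIdentity.IsAuthenticated true.
            var identity = new ClaimsIdentity(claims, ApiKeyAuthenticationType);
            context.User = new ClaimsPrincipal(identity);
        }

        await next(context);
    }

    /// <summary>
    /// Compares two keys without letting the comparison time depend on where they differ.
    /// </summary>
    /// <param name="expected">The configured key.</param>
    /// <param name="provided">The key taken from the request header.</param>
    /// <returns><c>true</c> when both strings hold the same UTF-16 code units.</returns>
    private static bool KeysMatch(string expected, string provided)
    {
        // string.Equals returns at the first differing character, so response timing can
        // reveal how much of a guessed key is correct. Hashing the raw UTF-16 code units
        // first gives two fixed-length digests, which also keeps the secret's length out
        // of the comparison, and the accept/reject decision stays that of an ordinal
        // string comparison.
        var expectedDigest = SHA256.HashData(MemoryMarshal.AsBytes(expected.AsSpan()));
        var providedDigest = SHA256.HashData(MemoryMarshal.AsBytes(provided.AsSpan()));

        return CryptographicOperations.FixedTimeEquals(expectedDigest, providedDigest);
    }
}

/// <summary>
/// Pipeline registration helpers for <see cref="ApiKeyMiddleware"/>.
/// </summary>
public static class ApiKeyMiddlewareExtensions
{
    /// <summary>
    /// Adds <see cref="ApiKeyMiddleware"/> to the request pipeline.
    /// </summary>
    /// <param name="builder">The application builder to extend.</param>
    /// <returns>The same builder, so calls can be chained.</returns>
    public static IApplicationBuilder UseApiKeyAuthentication(this IApplicationBuilder builder)
        => builder.UseMiddleware<ApiKeyMiddleware>();
}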