"""
Authentication middleware for T6 Mem0 v2 REST API
"""

from fastapi import HTTPException, Security, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from config import settings

# Security scheme
security = HTTPBearer()


async def verify_api_key(
    credentials: HTTPAuthorizationCredentials = Security(security)
) -> str:
    """
    Verify API key from Authorization header

    Args:
        credentials: HTTP Bearer credentials

    Returns:
        The verified API key

    Raises:
        HTTPException: If authentication fails
    """
    if not credentials:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Missing authentication credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )

    token = credentials.credentials

    # Verify token matches configured API key
    if token != settings.api_key:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid or expired API key",
            headers={"WWW-Authenticate": "Bearer"},
        )

    return token


async def optional_api_key(
    credentials: HTTPAuthorizationCredentials = Security(security)
) -> str | None:
    """
    Optional API key verification (for public endpoints)

    Args:
        credentials: HTTP Bearer credentials

    Returns:
        The API key if provided, None otherwise
    """
    if not credentials:
        return None

    try:
        return await verify_api_key(credentials)
    except HTTPException:
        return None