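package middlewares

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"

	"github.com/gin-gonic/gin"
	"GoMembership/internal/config"
)

// APIKeyMiddleware returns a gin middleware that admits a request only when
// its X-API-Key header equals config.Auth.APIKEY.
//
// A missing header answers 401 with {"error": "API key is missing"}; a
// non-matching key answers 401 with {"error": "Invalid API key"}. Both cases
// abort the handler chain. On a match the request continues via c.Next().
// The expected key is read from config on every request, so a key rotated
// in config takes effect without restarting the middleware.
func APIKeyMiddleware() gin.HandlerFunc {
	return func(c *gin.Context) {
		clientAPIKey := c.GetHeader("X-API-Key")
		if clientAPIKey == "" {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "API key is missing"})
			c.Abort()
			return
		}

		if !apiKeyMatches(clientAPIKey, config.Auth.APIKEY) {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid API key"})
			c.Abort()
			return
		}

		c.Next()
	}
}

// apiKeyMatches reports whether provided equals expected in constant time.
//
// Both strings are reduced to SHA-256 digests before the comparison so that
// subtle.ConstantTimeCompare always sees two inputs of equal length. Called
// directly on the raw strings it returns 0 as soon as the lengths differ,
// which would leak the length of the configured key through response timing.
// Hashing removes that length dependency; the digest comparison itself is
// constant-time over 32 bytes regardless of the inputs.
func apiKeyMatches(provided, expected string) bool {
	providedSum := sha256.Sum256([]byte(provided))
	expectedSum := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(providedSum[:], expectedSum[:]) == 1
}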