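package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
)

// authMiddleware wraps next so that it only runs for authenticated requests.
//
// Three credentials can be configured under s.config.Server: AuthKey,
// Username and Password. If all three are empty, the middleware is a
// pass-through and every request reaches next. Otherwise a request is
// accepted when it presents one of:
//
//   - the AuthKey in the x-api-key header,
//   - the AuthKey as an "Authorization: Bearer <key>" token, or
//   - HTTP Basic credentials matching Username and Password (only checked
//     when both are configured).
//
// Anything else gets 401 Unauthorized with a Basic challenge. Note that the
// check fails closed: if only one of Username/Password is set and no AuthKey
// is configured, no request can authenticate.
func (s *Server) authMiddleware(next http.HandlerFunc) http.HandlerFunc {
	// secretsEqual reports whether a presented credential matches the
	// configured one. A plain == on strings can return as soon as the first
	// differing byte is found, so response timing can reveal how much of a
	// guess was correct. Hashing both sides first gives equal-length inputs
	// to ConstantTimeCompare, which would otherwise return early on a length
	// mismatch and leak the secret's length.
	secretsEqual := func(got, want string) bool {
		gotSum := sha256.Sum256([]byte(got))
		wantSum := sha256.Sum256([]byte(want))
		return subtle.ConstantTimeCompare(gotSum[:], wantSum[:]) == 1
	}

	return func(w http.ResponseWriter, r *http.Request) {
		// Read the configuration on every request, as the original did, so
		// the handler always sees the current values.
		authKey := s.config.Server.AuthKey
		wantUser := s.config.Server.Username
		wantPass := s.config.Server.Password

		// No authentication configured: allow access.
		if authKey == "" && wantUser == "" && wantPass == "" {
			next(w, r)
			return
		}

		authenticated := false

		// API key authentication: x-api-key header or bearer token.
		if authKey != "" {
			if secretsEqual(r.Header.Get("x-api-key"), authKey) {
				authenticated = true
			}

			if !authenticated {
				const bearerPrefix = "Bearer "
				authHeader := r.Header.Get("Authorization")
				// Require a non-empty token after the prefix.
				if len(authHeader) > len(bearerPrefix) && authHeader[:len(bearerPrefix)] == bearerPrefix {
					if secretsEqual(authHeader[len(bearerPrefix):], authKey) {
						authenticated = true
					}
				}
			}
		}

		// Username/password authentication (HTTP Basic Auth).
		if !authenticated && wantUser != "" && wantPass != "" {
			if username, password, ok := r.BasicAuth(); ok {
				// Evaluate both comparisons before combining them so a wrong
				// username does not skip the password check and shorten the
				// response time.
				userOK := secretsEqual(username, wantUser)
				passOK := secretsEqual(password, wantPass)
				if userOK && passOK {
					authenticated = true
				}
			}
		}

		if !authenticated {
			w.Header().Set("WWW-Authenticate", `Basic realm="WhatsHooked Server"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}

		next(w, r)
	}
}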