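/**
 * Proxy API key validator.
 *
 * Clients authenticate by sending `Authorization: Bearer <key>`, where the key
 * must equal the PROXY_API_KEY environment variable.
 *
 * SECURITY: if PROXY_API_KEY is unset or empty, validation is disabled and
 * every request is allowed (fail-open). Deployments that must always
 * authenticate should check that the variable is set before serving traffic.
 */

const { createHash, timingSafeEqual } = require("crypto");

/**
 * Compare two secrets without leaking, through response timing, how many
 * leading characters matched.
 *
 * Both inputs are hashed first so the buffers handed to timingSafeEqual always
 * have the same length (it throws on a length mismatch) and the length of the
 * expected key is not observable either.
 *
 * @param {string} a - First value.
 * @param {string} b - Second value.
 * @returns {boolean} True when both strings are equal.
 */
function constantTimeEquals(a, b) {
  const digestA = createHash("sha256").update(String(a), "utf8").digest();
  const digestB = createHash("sha256").update(String(b), "utf8").digest();
  return timingSafeEqual(digestA, digestB);
}

/**
 * Pull the credential out of the request's Authorization header.
 *
 * The "Bearer " scheme is matched case-insensitively and stripped. A header
 * that does not use the Bearer scheme is returned as-is (trimmed), so a bare
 * key sent without the scheme is also accepted by the validator below.
 *
 * @param {{headers: Object}} req - Request exposing a `headers` map.
 * @returns {string} The trimmed token, or "" when no usable header is present.
 */
function extractBearerToken(req) {
  const header = req.headers.authorization || req.headers.Authorization || "";

  // A non-string header value cannot carry a valid key; treat it as missing
  // rather than throwing from the string methods below.
  if (typeof header !== "string") {
    return "";
  }

  const BEARER_PREFIX = "bearer ";
  if (header.toLowerCase().startsWith(BEARER_PREFIX)) {
    return header.slice(BEARER_PREFIX.length).trim();
  }
  return header.trim();
}

/**
 * Check the request's credential against PROXY_API_KEY.
 *
 * On a mismatch a 401 JSON body is written to `res` and false is returned, so
 * the caller only has to stop processing.
 *
 * @param {{headers: Object}} req - Incoming request.
 * @param {Object} res - Response exposing chainable `status(code).json(body)`.
 * @returns {boolean} True when the request may proceed, false when a 401 was sent.
 */
function validateProxyApiKey(req, res) {
  const expected = process.env.PROXY_API_KEY;

  // Fail-open by design: with no key configured there is nothing to check.
  if (!expected) {
    return true;
  }

  const provided = extractBearerToken(req);

  // Constant-time comparison: a plain `!==` stops at the first differing
  // character, which lets response timing reveal how much of a guess matched.
  if (constantTimeEquals(provided, expected)) {
    return true;
  }

  res.status(401).json({
    ok: false,
    error: "Unauthorized",
    message: "Invalid or missing PROXY_API_KEY. Send Authorization: Bearer .",
  });
  return false;
}

module.exports = { validateProxyApiKey, extractBearerToken };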