/**
 * Internal Auth Middleware
 * Validates shared secret between CF Worker and Simulator service
 */
import type { Request, Response, NextFunction } from 'express';

export function internalAuthMiddleware(req: Request, res: Response, next: NextFunction): void {
  const secret = req.headers['x-internal-secret'];
  const expected = process.env['INTERNAL_API_SECRET'];

  if (!expected) {
    // No secret configured — skip auth in development
    if (process.env['NODE_ENV'] !== 'production') {
      next();
      return;
    }
    res.status(500).json({ success: false, error: 'INTERNAL_API_SECRET not configured' });
    return;
  }

  if (!secret || secret !== expected) {
    res.status(401).json({ success: false, error: 'Unauthorized — invalid internal secret' });
    return;
  }

  next();
}