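"""
Security middleware and utilities for Nur Brain
"""
import hmac

from fastapi import HTTPException, Security, status
from fastapi.security import APIKeyHeader

from app.config import get_settings

# Define the header key.
# auto_error=False delivers a missing header as None, so verify_internal_key
# decides the 401 response itself.
api_key_header = APIKeyHeader(name="X-Nur-Internal-Key", auto_error=False)


async def verify_internal_key(
    api_key: str = Security(api_key_header)
) -> str:
    """
    Verify the internal API key from the header.
    This ensures only authorized services (The Body) can access The Brain.

    Args:
        api_key: Value of the X-Nur-Internal-Key header, or None when the
            header is absent.

    Returns:
        The presented key, after it has matched the configured one.

    Raises:
        HTTPException: 401 when the header is missing; 403 when the key does
            not match, or when no usable key is configured on the server.
    """
    settings = get_settings()

    if api_key is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="X-Nur-Internal-Key header is required",
            headers={"WWW-Authenticate": "ApiKey"}
        )

    expected = settings.nur_internal_key

    # Fail closed: an unset or empty configured key must never authenticate a
    # caller. With a plain equality test, an empty header value would match an
    # empty configured key. The response is the same 403 as a wrong key so the
    # caller learns nothing about server configuration.
    configured = isinstance(expected, str) and expected != ""

    # Compare in constant time so response timing does not reveal how much of
    # the presented key is correct. Both sides are encoded to bytes because
    # hmac.compare_digest raises TypeError on non-ASCII str arguments, and the
    # header value is caller-controlled.
    matches = configured and hmac.compare_digest(
        api_key.encode("utf-8"), expected.encode("utf-8")
    )

    if not matches:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Invalid internal key - Access denied"
        )

    return api_key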