fix: update frontend API key handling and improve export documentation

backend/app/api/export.py

@@ -9,8 +9,7 @@ from app.core.config import settings
 from app.core.rate_limit import limiter
 from app.db.models import Publication, PublicationDownload, Researcher
 from app.db.session import get_db
-from app.security.api_key import get_api_key
-from app.security.jwt import get_optional_current_researcher
+from app.security.export_auth import require_export_access
 from app.services.sword_generator import SWORDGenerator
 from app.services.zip_generator import ZIPGenerator
 from app.utils.orcid_validator import ORCID_PATTERN, is_valid_orcid
@@ -89,8 +88,7 @@ async def export_multiple_sword(
     request: Request,
     pub_ids: List[UUID] = Body(..., min_length=1, max_length=settings.MAX_PUB_IDS_BATCH),
     db: Session = Depends(get_db),
-    _: str = Depends(get_api_key),
-    current: Researcher | None = Depends(get_optional_current_researcher),
+    current: Researcher | None = Depends(require_export_access),
 ):
     _validate_pub_ids(pub_ids)
 
@@ -118,8 +116,7 @@ async def export_researcher_sword(
     request: Request,
     orcid_id: str = Path(min_length=19, max_length=19, pattern=ORCID_PATTERN),
     db: Session = Depends(get_db),
-    _: str = Depends(get_api_key),
-    current: Researcher | None = Depends(get_optional_current_researcher),
+    current: Researcher | None = Depends(require_export_access),
 ):
     if not is_valid_orcid(orcid_id):
         raise HTTPException(status_code=400, detail="Invalid ORCID iD")
@@ -149,8 +146,7 @@ async def export_multiple_zip(
     request: Request,
     pub_ids: List[UUID] = Body(..., min_length=1, max_length=settings.MAX_PUB_IDS_BATCH),
     db: Session = Depends(get_db),
-    _: str = Depends(get_api_key),
-    current: Researcher | None = Depends(get_optional_current_researcher),
+    current: Researcher | None = Depends(require_export_access),
 ):
     _validate_pub_ids(pub_ids)
 
@@ -178,8 +174,7 @@ async def export_researcher_zip(
     request: Request,
     orcid_id: str = Path(min_length=19, max_length=19, pattern=ORCID_PATTERN),
     db: Session = Depends(get_db),
-    _: str = Depends(get_api_key),
-    current: Researcher | None = Depends(get_optional_current_researcher),
+    current: Researcher | None = Depends(require_export_access),
 ):
     if not is_valid_orcid(orcid_id):
         raise HTTPException(status_code=400, detail="Invalid ORCID iD")

backend/app/security/api_key.py

@@ -27,6 +27,10 @@ def _is_valid_key(provided: str | None) -> bool:
     return hmac.compare_digest(provided.encode("utf-8"), settings.API_KEY_VALUE.encode("utf-8"))
 
 
+def is_valid_api_key(provided: str | None) -> bool:
+    return _is_valid_key(provided)
+
+
 def get_api_key(api_key: str | None = Depends(api_key_header)) -> str:
     if not _is_valid_key(api_key):
         raise HTTPException(

backend/app/security/export_auth.py

@@ -0,0 +1,35 @@
+"""
+Autorización para exportaciones.
+
+Permite descargas desde la web (proxy inyecta X-API-Key) o con JWT de usuario,
+pero bloquea llamadas directas anónimas sin credenciales.
+"""
+
+from __future__ import annotations
+
+from fastapi import Depends, HTTPException, status
+
+from app.db.models import Researcher
+from app.security.api_key import api_key_header, is_valid_api_key
+from app.security.jwt import get_optional_current_researcher
+
+
+def require_export_access(
+    api_key: str | None = Depends(api_key_header),
+    current: Researcher | None = Depends(get_optional_current_researcher),
+) -> Researcher | None:
+    if api_key is not None:
+        if not is_valid_api_key(api_key):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid API key",
+            )
+        return current
+
+    if current is not None:
+        return current
+
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or missing API key",
+    )