fix: update frontend API key handling and improve export documentation

backend/app/security/api_key.py

@@ -27,6 +27,10 @@ def _is_valid_key(provided: str | None) -> bool:
     return hmac.compare_digest(provided.encode("utf-8"), settings.API_KEY_VALUE.encode("utf-8"))
 
 
+def is_valid_api_key(provided: str | None) -> bool:
+    return _is_valid_key(provided)
+
+
 def get_api_key(api_key: str | None = Depends(api_key_header)) -> str:
     if not _is_valid_key(api_key):
         raise HTTPException(

backend/app/security/export_auth.py

@@ -0,0 +1,35 @@
+"""
+Autorización para exportaciones.
+
+Permite descargas desde la web (proxy inyecta X-API-Key) o con JWT de usuario,
+pero bloquea llamadas directas anónimas sin credenciales.
+"""
+
+from __future__ import annotations
+
+from fastapi import Depends, HTTPException, status
+
+from app.db.models import Researcher
+from app.security.api_key import api_key_header, is_valid_api_key
+from app.security.jwt import get_optional_current_researcher
+
+
+def require_export_access(
+    api_key: str | None = Depends(api_key_header),
+    current: Researcher | None = Depends(get_optional_current_researcher),
+) -> Researcher | None:
+    if api_key is not None:
+        if not is_valid_api_key(api_key):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid API key",
+            )
+        return current
+
+    if current is not None:
+        return current
+
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or missing API key",
+    )