fix: update frontend API key handling and improve export documentation

2026-05-19 09:52:50 +02:00
parent 8d29fb054d
commit 59eda988d2
8 changed files with 79 additions and 42 deletions
@@ -0,0 +1,35 @@
+"""
+Autorización para exportaciones.
+
+Permite descargas desde la web (proxy inyecta X-API-Key) o con JWT de usuario,
+pero bloquea llamadas directas anónimas sin credenciales.
+"""
+
+from __future__ import annotations
+
+from fastapi import Depends, HTTPException, status
+
+from app.db.models import Researcher
+from app.security.api_key import api_key_header, is_valid_api_key
+from app.security.jwt import get_optional_current_researcher
+
+
+def require_export_access(
+    api_key: str | None = Depends(api_key_header),
+    current: Researcher | None = Depends(get_optional_current_researcher),
+) -> Researcher | None:
+    if api_key is not None:
+        if not is_valid_api_key(api_key):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid API key",
+            )
+        return current
+
+    if current is not None:
+        return current
+
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or missing API key",
+    )