"""
Autorización para exportaciones.

Permite descargas desde la web (proxy inyecta X-API-Key) o con JWT de usuario,
pero bloquea llamadas directas anónimas sin credenciales.
"""

from __future__ import annotations

from fastapi import Depends, HTTPException, status

from app.db.models import Researcher
from app.security.api_key import api_key_header, is_valid_api_key
from app.security.jwt import get_optional_current_researcher


def require_export_access(
    api_key: str | None = Depends(api_key_header),
    current: Researcher | None = Depends(get_optional_current_researcher),
) -> Researcher | None:
    if api_key is not None:
        if not is_valid_api_key(api_key):
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Invalid API key",
            )
        return current

    if current is not None:
        return current

    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Invalid or missing API key",
    )