<?php

declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

/**
 * Bearer token auth for write API endpoints.
 *
 * Set API_TOKEN in .env. Blesta module sends it in Authorization header.
 * Read-only endpoints are public.
 */
class ApiTokenAuth
{
    public function handle(Request $request, Closure $next): mixed
    {
        $token = config('chain.api_token', '');

        // Skip auth if no token configured (dev mode)
        if (empty($token)) {
            return $next($request);
        }

        $bearer = $request->bearerToken();

        if ($bearer !== $token) {
            return response()->json([
                'error' => 'Unauthorised. Bearer token required.',
            ], 401);
        }

        return $next($request);
    }
}