function requireApiKey(req, res, next) {
  const expected = process.env.FRONTEND_API_KEY
  const provided = req.headers["x-api-key"]

  if (!expected) {
    return res.status(500).json({ error: "API key not configured" })
  }
  if (!provided || String(provided) !== String(expected)) {
    return res.status(401).json({ error: "Unauthorized" })
  }

  return next()
}

module.exports = requireApiKey