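/**
 * Server middleware guarding every `/api/*` route with a shared bearer token.
 *
 * Requests outside `/api/` and the public `/api/ping` connectivity check pass
 * through untouched. Every other API request must carry exactly
 * `Authorization: Bearer <apiSecretKey>`, where `apiSecretKey` is read from the
 * runtime config. A missing server-side secret fails closed: the request is
 * refused rather than allowed through.
 *
 * The token comparison runs in constant time so that response timing does not
 * leak how many leading bytes of the presented token are correct (the original
 * `!==` comparison stops at the first mismatching character).
 *
 * @throws 401 Unauthorized when the secret is unset or the header does not match.
 */
export default defineEventHandler((event) => {
  const path = event.path || event.node?.req?.url || "";

  // Only API routes are protected; the ping endpoint stays public so that
  // connectivity can be probed without credentials. The exemption is an exact
  // match, so `/api/ping?...` with a query string is still authenticated.
  if (!path.startsWith("/api/") || path === "/api/ping") {
    return;
  }

  const runtimeConfig = useRuntimeConfig(event);
  const expectedToken = runtimeConfig.apiSecretKey;

  // Fail closed: with no configured secret there is nothing to authenticate
  // against, so every protected request is refused.
  if (!expectedToken) {
    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
  }

  // A missing header is treated as an empty string so it is compared (and
  // rejected) the same way as a wrong one.
  const authorization = getHeader(event, "authorization") ?? "";

  // The header must match the full `Bearer <apiSecretKey>` string, compared
  // without early exit on the first differing byte.
  if (!constantTimeEqual(authorization, `Bearer ${expectedToken}`)) {
    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
  }
});

/**
 * Compare two strings without short-circuiting on the first mismatching byte.
 *
 * Uses `TextEncoder` rather than Node's `crypto.timingSafeEqual` so the
 * middleware keeps no Node-only dependency and can run on any runtime Nitro
 * targets. It returns false immediately when the encoded lengths differ; that
 * reveals only the length of the expected value, not its content.
 *
 * @param {string} actual - value presented by the client
 * @param {string} expected - value derived from the server-side secret
 * @returns {boolean} true when both strings are byte-for-byte identical
 */
function constantTimeEqual(actual, expected) {
  const encoder = new TextEncoder();
  const a = encoder.encode(actual);
  const b = encoder.encode(expected);
  if (a.length !== b.length) {
    return false;
  }
  // OR every XOR'd byte pair together; any difference leaves a non-zero bit.
  let diff = 0;
  for (let i = 0; i < a.length; i += 1) {
    diff |= a[i] ^ b[i];
  }
  return diff === 0;
}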