From c0b2b4cf5731f3dd65d9b650592612fde3b47ce8 Mon Sep 17 00:00:00 2001
From: Joshua
Date: Mon, 18 May 2026 17:45:25 -0400
Subject: [PATCH] CUB-184: API key auth middleware
---
internal/auth/middleware.go | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 internal/auth/middleware.go
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
new file mode 100644
index 0000000..9bd04e9
--- /dev/null
+++ b/internal/auth/middleware.go
@@ -0,0 +1,33 @@
+// Package auth provides API key authentication middleware.
+package auth
+
+import (
+ "net/http"
+ "strings"
+)
+
+// Middleware returns a Chi middleware that validates the X-API-Key header.
+func Middleware(apiKey string) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ header := r.Header.Get("X-API-Key")
+ if apiKey == "" {
+ // No API key configured — allow all requests (kiosk mode)
+ next.ServeHTTP(w, r)
+ return
+ }
+ if header == "" || header != apiKey {
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusUnauthorized)
+ w.Write([]byte(`{"error":"unauthorized"}`))
+ return
+ }
+ next.ServeHTTP(w, r)
+ })
+ }
+}
+
+// ExtractKey reads and returns the API key from the request, or empty string.
+func ExtractKey(r *http.Request) string {
+ return r.Header.Get("X-API-Key")
+}
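Review bot: The key check `header != apiKey` in Middleware is an ordinary string comparison that stops at the first differing byte, so response timing can leak information about the configured key. Compare with `subtle.ConstantTimeCompare([]byte(header), []byte(apiKey)) != 1` from `crypto/subtle` instead; the `header == ""` test is then redundant, because apiKey is already known to be non-empty at that point. The import block also lists `"strings"`, which nothing in this file uses, so the package will not compile as committed; swapping that line for `"crypto/subtle"` resolves both. Separately, the empty-apiKey branch fails open: an unset or misnamed configuration value silently disables authentication on every route wrapped by this middleware. Kiosk mode would be safer behind an explicit opt-in, or at minimum a one-time warning when Middleware is constructed with an empty key.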