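package middleware

import (
	"crypto/subtle"
	"net/http"
	"os"
	"strings"

	"github.com/gin-gonic/gin"
)

// CronAuth returns a Gin middleware that authenticates scheduled-task (cron)
// requests. It checks that the X-Cron-Secret request header, or the ?secret=
// query parameter when the header is empty, equals the CRON_SECRET
// environment variable (whitespace-trimmed).
//
// If CRON_SECRET is not configured the request is passed through unchecked
// (kept for development-environment compatibility).
//
// NOTE(review): this pass-through is fail-open. A deployment where
// CRON_SECRET is missing or blank serves the protected routes without any
// authentication, so production should verify at startup that the variable
// is set.
//
// NOTE(review): a secret sent as ?secret= is part of the URL and is commonly
// recorded in access logs and by intermediaries; callers should prefer the
// X-Cron-Secret header.
func CronAuth() gin.HandlerFunc {
	return func(c *gin.Context) {
		// Read on every request, as before, so a changed environment value
		// takes effect without rebuilding the handler.
		secret := strings.TrimSpace(os.Getenv("CRON_SECRET"))
		if secret == "" {
			// No secret configured: development-mode pass-through.
			c.Next()
			return
		}

		// The header takes precedence; the query parameter is the fallback.
		provided := c.GetHeader("X-Cron-Secret")
		if provided == "" {
			provided = c.Query("secret")
		}

		// Compare in constant time so the response time does not depend on
		// how many leading bytes of the supplied value match the secret.
		// ConstantTimeCompare returns early when the lengths differ, so only
		// the secret's length remains observable.
		if subtle.ConstantTimeCompare([]byte(provided), []byte(secret)) != 1 {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"success": false, "error": "cron secret 不匹配"})
			return
		}

		c.Next()
	}
}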