dotenvy = "0.15"

    Form, Json, Router,

    extract::{Path, Request, State},

    middleware::{self, Next},

    routing::{delete, get, post},

use std::collections::HashSet;

struct ServerConfig {

    api_key: Option<String>,

    auth_endpoints: HashSet<String>,

}

impl ServerConfig {

    fn from_env() -> Self {

        let api_key = std::env::var("SIPP_API_KEY").ok();

        let auth_endpoints = match std::env::var("SIPP_AUTH_ENDPOINTS") {

            Ok(val) if val.trim().eq_ignore_ascii_case("none") => HashSet::new(),

            Ok(val) => val.split(',').map(|s| s.trim().to_lowercase()).collect(),

            Err(_) => HashSet::new(),

        };

        ServerConfig { api_key, auth_endpoints }

    }

    fn requires_auth(&self, name: &str) -> bool {

        self.auth_endpoints.contains("all") || self.auth_endpoints.contains(name)

    }

}

#[derive(Clone)]

    server_config: ServerConfig,

async fn require_api_key(

    State(state): State<AppState>,

    headers: HeaderMap,

    request: Request,

    next: Next,

) -> Result<Response, (StatusCode, Json<serde_json::Value>)> {

    let server_key = match &state.server_config.api_key {

        None => return Err((

            StatusCode::FORBIDDEN,

            Json(serde_json::json!({"error": "No API key configured on server"})),

        )),

        Some(k) if k == server_key => Ok(next.run(request).await),

        _ => Err((

            StatusCode::UNAUTHORIZED,

            Json(serde_json::json!({"error": "Invalid or missing API key"})),

        )),

) -> Json<Vec<Snippet>> {

    Json(db::get_all_snippets(&state.db))

fn build_api_routes(state: &AppState) -> Router<AppState> {

    let config = &state.server_config;

    let auth_layer = middleware::from_fn_with_state(state.clone(), require_api_key);

    // /api/snippets — GET (api_list) and POST (api_create)

    let list_authed = config.requires_auth("api_list");

    let create_authed = config.requires_auth("api_create");

    // /api/snippets/{short_id} — GET (api_get) and DELETE (api_delete)

    let get_authed = config.requires_auth("api_get");

    let delete_authed = config.requires_auth("api_delete");

    // Build authed router

    let mut authed = Router::new();

    if list_authed {

        authed = authed.route("/api/snippets", get(api_list_snippets));

    }

    if create_authed {

        authed = authed.route("/api/snippets", post(api_create_snippet));

    }

    if get_authed {

        authed = authed.route("/api/snippets/{short_id}", get(api_get_snippet));

    }

    if delete_authed {

        authed = authed.route("/api/snippets/{short_id}", delete(api_delete_snippet));

    }

    let authed = authed.route_layer(auth_layer);

    // Build open router

    let mut open = Router::new();

    if !list_authed {

        open = open.route("/api/snippets", get(api_list_snippets));

    }

    if !create_authed {

        open = open.route("/api/snippets", post(api_create_snippet));

    }

    if !get_authed {

        open = open.route("/api/snippets/{short_id}", get(api_get_snippet));

    }

    if !delete_authed {

        open = open.route("/api/snippets/{short_id}", delete(api_delete_snippet));

    }

    authed.merge(open)

}

    dotenvy::dotenv().ok();

    let server_config = ServerConfig::from_env();

    // Validate endpoint names

    let known = ["api_list", "api_create", "api_get", "api_delete", "all", "none"];

    for name in &server_config.auth_endpoints {

        if !known.contains(&name.as_str()) {

            eprintln!("Warning: unknown auth endpoint name '{}' in SIPP_AUTH_ENDPOINTS", name);

        }

    }

    if !server_config.auth_endpoints.is_empty() && server_config.api_key.is_none() {

        eprintln!("Warning: SIPP_AUTH_ENDPOINTS is set but SIPP_API_KEY is not configured");

    }

    if server_config.auth_endpoints.is_empty() {

        println!("Auth: disabled (no endpoints require authentication)");

    } else {

        let names: Vec<&str> = server_config.auth_endpoints.iter().map(|s| s.as_str()).collect();

        println!("Auth: enabled for endpoints: {}", names.join(", "));

    }

        server_config,

    let api_routes = build_api_routes(&state);

        .merge(api_routes)