package api

import "net/http"

// KeyFunc mirrors ratelimit.KeyFunc so call sites don't have to import the
// inner package. It maps a request to the string the limiter buckets on.
type KeyFunc = func(r *http.Request) string

// ipKey is the rate-limit key for endpoints scoped by source IP only
// (e.g. POST /auth/signup). XFF/X-Real-IP are honoured because in the
// homelab the API sits behind Traefik.
//
// The key is exactly what clientIP returns, so the limit is only as
// trustworthy as that helper's header handling. Forwarded headers are
// client-supplied unless the proxy overwrites them.
// NOTE(review): clientIP is defined outside this file. Confirm it accepts
// XFF/X-Real-IP only from the Traefik hop and that the API port cannot be
// reached without going through the proxy.
func ipKey(r *http.Request) string {
	return clientIP(r)
}

// pathKey builds a KeyFunc that uses the path wildcard called name as the
// rate-limit key. It is used for the token-scoped endpoints so an attacker
// brute-forcing a single token is limited regardless of the IPs they
// rotate through.
//
// Each distinct path value gets its own bucket, so this key bounds attempts
// against one token. It does not by itself bound guessing across many token
// values; that needs a second, IP-scoped limit on the same route.
//
// http.Request.PathValue returns "" when the matched pattern has no wildcard
// called name, so a misspelt name produces an empty key for every request.
// NOTE(review): if the middleware bypasses on "" here as it is described to
// for userIDKey, that typo would silently disable the limit. Confirm, and
// check name against the route pattern when wiring.
func pathKey(name string) KeyFunc {
	lookup := func(req *http.Request) string {
		return req.PathValue(name)
	}
	return lookup
}

// userIDKey extracts the authenticated user id from the request context
// and returns its string form as the rate-limit key.
//
// Returns "" when the route isn't behind requireAuth, in which case the
// middleware bypasses (fail-open) — the route's own auth layer handles
// rejection. Such a route therefore has no limit under this key; attach it
// only where requireAuth runs first.
func userIDKey(r *http.Request) string {
	if id, found := UserIDFromContext(r.Context()); found {
		return id.String()
	}
	// No authenticated user in the context: the empty key tells the
	// middleware to skip limiting for this request.
	return ""
}