Initial web

web/lib/auth.ts

@@ -0,0 +1,22 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Returns true if the request carries a valid API token.
+ * Accepts token via `?token=` query param or `Authorization: Bearer <token>` header.
+ */
+export function isAuthorized(req: NextRequest): boolean {
+  const expected = process.env.API_TOKEN;
+  if (!expected) return false;
+
+  const queryToken = req.nextUrl.searchParams.get('token');
+  if (queryToken === expected) return true;
+
+  const authHeader = req.headers.get('authorization');
+  if (authHeader === `Bearer ${expected}`) return true;
+
+  return false;
+}
+
+export function unauthorized(): NextResponse {
+  return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+}