from fastapi import Header, HTTPException


async def get_user_id(x_user_id: str = Header(...)) -> str:
    """
    Extract the user identity injected by the main backend proxy.
    The main backend validates the JWT and forwards the user ID via this header.
    Doc-service trusts it because it is only reachable from backend on backend-net.
    """
    if not x_user_id:
        raise HTTPException(status_code=400, detail="Missing X-User-Id header")
    return x_user_id