from fastapi import Header, HTTPException


async def get_user_id(x_user_id: str = Header(...)) -> str:
    """
    Extract the user identity injected by the main backend proxy.
    The main backend validates the JWT and forwards the user ID via this header.
    Doc-service trusts it because it is only reachable from backend on backend-net.
    """
    if not x_user_id:
        raise HTTPException(status_code=400, detail="Missing X-User-Id header")
    return x_user_id


async def get_user_groups(x_user_groups: str = Header(default="")) -> list[str]:
    """
    Extract the group IDs injected by the main backend proxy.
    Comma-separated list of group UUIDs the current user belongs to.
    Returns an empty list if the header is absent or empty.
    """
    if not x_user_groups:
        return []
    return [g.strip() for g in x_user_groups.split(",") if g.strip()]


async def get_user_is_admin(x_user_is_admin: str = Header(default="false")) -> bool:
    """
    Extract the admin flag injected by the main backend proxy.
    Returns True only if the header value is exactly "true" (lowercase).
    """
    return x_user_is_admin.lower() == "true"