header('X-License-Key') ?? $request->input('license_key') ?? $request->query('license_key'); if (!$key) { return response()->json(['error' => 'License key required'], 401); } $casino = OperatorCasino::findByKey((string) $key); if (!$casino) { return response()->json(['error' => 'Invalid license key'], 401); } if (!$casino->isActive()) { return response()->json(['error' => 'Casino license inactive'], 403); } // IP whitelist — skip when the list is empty if (!empty($casino->ip_whitelist)) { $ip = $request->ip(); if (!in_array($ip, $casino->ip_whitelist, true)) { return response()->json(['error' => "IP not authorized: {$ip}"], 403); } } // Attach casino to request so controllers can use it without re-querying $request->attributes->set('operator_casino', $casino); return $next($request); } }