BetiX/app/Http/Middleware/ValidateLicenseKey.php

<?php

namespace App\Http\Middleware;

use App\Models\OperatorCasino;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ValidateLicenseKey
{
    public function handle(Request $request, Closure $next): Response
    {
        // Accept the key from X-License-Key header, body field, or query parameter
        $key = $request->header('X-License-Key')
            ?? $request->input('license_key')
            ?? $request->query('license_key');

        if (!$key) {
            return response()->json(['error' => 'License key required'], 401);
        }

        $casino = OperatorCasino::findByKey((string) $key);

        if (!$casino) {
            return response()->json(['error' => 'Invalid license key'], 401);
        }

        if (!$casino->isActive()) {
            return response()->json(['error' => 'Casino license inactive'], 403);
        }

        // IP whitelist — skip when the list is empty
        if (!empty($casino->ip_whitelist)) {
            $ip = $request->ip();
            if (!in_array($ip, $casino->ip_whitelist, true)) {
                return response()->json(['error' => "IP not authorized: {$ip}"], 403);
            }
        }

        // Attach casino to request so controllers can use it without re-querying
        $request->attributes->set('operator_casino', $casino);

        return $next($request);
    }
}