Address review: document PaProviderRegistry TTL, extract auth path check into helper

Agent-Logs-Url: https://github.com/xtekky/gpt4free/sessions/e0daf662-ee35-43ac-bdef-27dd570bc00d

Co-authored-by: hlohaus <983577+hlohaus@users.noreply.github.com>

g4f/api/__init__.py

@@ -218,6 +218,16 @@ class Api:
         if has_crypto:
             private_key, _ = create_or_read_keys()
             session_key = get_session_key()
+
+        def _requires_api_key(path: str, demo: bool) -> bool:
+            """Return ``True`` when *path* must present a G4F API key."""
+            return (
+                path.startswith("/v1")
+                or path.startswith("/api/")
+                or path.startswith("/pa/")
+                or (demo and path == "/backend-api/v2/upload_cookies")
+            )
+
         @self.app.middleware("http")
         async def authorization(request: Request, call_next):
             user = None
@@ -267,7 +277,7 @@ class Api:
                 else:
                     user = "admin"
                 path = request.url.path
-                if path.startswith("/v1") or path.startswith("/api/") or path.startswith("/pa/") or (AppConfig.demo and path == '/backend-api/v2/upload_cookies'):
+                if _requires_api_key(path, AppConfig.demo):
                     if request.method != "OPTIONS" and not path.endswith("/models"):
                         if not user_g4f_api_key:
                             return ErrorResponse.from_message("G4F API key required", HTTP_401_UNAUTHORIZED)

g4f/mcp/pa_provider.py

@@ -501,6 +501,10 @@ class PaProviderRegistry:
     """
 
     #: How long (in seconds) the cached entries remain valid.
+    #: A short TTL (5 s) is intentional: PA provider files are typically edited
+    #: interactively during development, so near-instant pick-up of changes is
+    #: more important than avoiding the cheap filesystem scan.  Production
+    #: deployments that want to reduce I/O can increase this value.
     TTL: float = 5.0
 
     def __init__(self) -> None: