Secure cache refresh API endpoint with API key authentication

Co-authored-by: csharpfritz <[email protected]>

Author: Copilot

.github/workflows/content-sync.yml

@@ -38,13 +38,17 @@ jobs:
 
       - name: Refresh Web App Cache
         if: success()
+        env:
+          CACHE_REFRESH_API_KEY: ${{ secrets.CACHE_REFRESH_API_KEY }}
         run: |
           echo "Refreshing web application cache..."
           # Wait a moment for the content to be fully uploaded
           sleep 5
           
-          # Call the cache refresh endpoint
-          response=$(curl -s -w "%{http_code}" -X POST "https://copilotthatjawn.com/api/cache/refresh" -o /tmp/cache_response.json)
+          # Call the cache refresh endpoint with API key authentication
+          response=$(curl -s -w "%{http_code}" -X POST "https://copilotthatjawn.com/api/cache/refresh" \
+            -H "X-API-Key: $CACHE_REFRESH_API_KEY" \
+            -o /tmp/cache_response.json)
           
           if [ "$response" = "200" ]; then
             echo "Cache refresh successful"

Web/Extensions/EndpointExtensions.cs

@@ -195,12 +195,29 @@ public static class EndpointExtensions
 
     public static void MapCacheRefreshEndpoint(this WebApplication app)
     {
-        app.MapPost("/api/cache/refresh", async (IContentService contentService, ILogger<Program> logger, IWebHostEnvironment environment) =>
+        app.MapPost("/api/cache/refresh", async (HttpContext context, IContentService contentService, ILogger<Program> logger, IWebHostEnvironment environment, IConfiguration configuration) =>
         {
             try
             {
                 logger.LogInformation("Cache refresh requested via API endpoint");
 
+                // Validate API key for security
+                var expectedApiKey = configuration["CacheRefresh:ApiKey"];
+                if (!string.IsNullOrEmpty(expectedApiKey))
+                {
+                    var providedApiKey = context.Request.Headers["X-API-Key"].FirstOrDefault();
+                    if (string.IsNullOrEmpty(providedApiKey) || providedApiKey != expectedApiKey)
+                    {
+                        logger.LogWarning("Cache refresh request rejected: Invalid or missing API key");
+                        return Results.Unauthorized();
+                    }
+                }
+                else if (!environment.IsDevelopment())
+                {
+                    logger.LogWarning("Cache refresh API key not configured in production environment");
+                    return Results.Problem("API key not configured", statusCode: 500);
+                }
+                
                 // Only perform cache refresh in non-development environments
                 // In development, the cache isn't as critical and may require Azure Table Storage
                 if (environment.IsDevelopment())
@@ -226,6 +243,6 @@ public static void MapCacheRefreshEndpoint(this WebApplication app)
         })
         .WithName("RefreshCache")
         .WithSummary("Refresh the content cache")
-        .WithDescription("Triggers a refresh of the in-memory content cache from Azure Table Storage");
+        .WithDescription("Triggers a refresh of the in-memory content cache from Azure Table Storage. Requires X-API-Key header for authentication.");
     }
 }