test(inbound-api): X-API-Key review nits — whitespace-auth fallthrough test + dedupe + comment wording
- Add WhitespaceAuthorization_ValidXApiKey_Returns200: pins the IsNullOrWhiteSpace
fall-through — a present-but-blank Authorization header is treated as absent so a
valid X-API-Key still authenticates (200).
- Remove MissingBearer_Returns401 (added in 510559e): identical path to
NeitherHeader_Returns401 (no Authorization + no X-API-Key → 401); keep the
descriptively-named NeitherHeader variant.
- Change "legacy 'X-API-Key'" -> "alternate 'X-API-Key'" in EndpointExtensions.cs and
the BuildPostWithApiKeyHeader/HappyPath doc comments to avoid implying Bearer is
the older transport (Bearer was itself introduced by the prior auth re-arch).
@@ -82,7 +82,7 @@ public static class EndpointExtensions
// Auth re-arch (A+B) + X-API-Key restore: the inbound credential is accepted
// from EITHER the Authorization header ("Bearer sbk_<keyId>_<secret>") OR the
// legacy "X-API-Key: sbk_<keyId>_<secret>" header (raw token). Both are passed
// alternate "X-API-Key: sbk_<keyId>_<secret>" header (raw token). Both are passed
// to the SAME shared ZB.MOM.WW.Auth.ApiKeys verifier — the parser strips an
// optional "Bearer " prefix and otherwise accepts a bare token, so the
// peppered-HMAC constant-time secret compare is identical for both transports.
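Review bot: the reworded comment on the `// from EITHER the Authorization header ... OR the` / `// alternate "X-API-Key: ..."` lines still leaves precedence undocumented: it says the credential is accepted from either header but not what happens when both are present, nor that a present-but-blank Authorization header is treated as absent so X-API-Key is consulted (the exact behaviour the new WhitespaceAuthorization_ValidXApiKey_Returns200 test pins). Suggest one extra line next to the "EITHER ... OR" sentence, e.g. `// A non-blank Authorization header takes precedence; a whitespace-only one is treated as absent and X-API-Key is consulted.` Separately, because the comment states that the shared parser "strips an optional "Bearer " prefix and otherwise accepts a bare token" for both transports, it implies `X-API-Key: Bearer sbk_<keyId>_<secret>` is also accepted; say explicitly whether that is intended (and pin it with a test either way) so the two transports are not silently interchangeable by accident.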