Merge feature/inbound-xapikey: accept X-API-Key as inbound-API credential transport

Inbound API now accepts the credential from either Authorization: Bearer sbk_... OR
X-API-Key: sbk_... (raw token), via the SAME peppered-HMAC verifier (Authorization
precedence preserved; failure path / scope checks unchanged). 16/16 inbound-auth tests.

src/ZB.MOM.WW.ScadaBridge.InboundAPI/EndpointExtensions.cs

@@ -80,14 +80,19 @@ public static class EndpointExtensions
         var routeHelper = httpContext.RequestServices.GetRequiredService<RouteHelper>();
         var options = httpContext.RequestServices.GetRequiredService<IOptions<InboundApiOptions>>().Value;
 
-        // Auth re-arch (A+B): the inbound credential is now a Bearer token
-        // (Authorization: Bearer sbk_<keyId>_<secret>) verified by the shared
-        // ZB.MOM.WW.Auth.ApiKeys verifier — peppered-HMAC constant-time secret
-        // compare is handled inside the library verifier. The raw X-API-Key header
-        // and the in-repo ApiKeyValidator are retired on this path.
+        // Auth re-arch (A+B) + X-API-Key restore: the inbound credential is accepted
+        // from EITHER the Authorization header ("Bearer sbk_<keyId>_<secret>") OR the
+        // alternate "X-API-Key: sbk_<keyId>_<secret>" header (raw token). Both are passed
+        // to the SAME shared ZB.MOM.WW.Auth.ApiKeys verifier — the parser strips an
+        // optional "Bearer " prefix and otherwise accepts a bare token, so the
+        // peppered-HMAC constant-time secret compare is identical for both transports.
+        // Authorization takes precedence when both headers are present.
         var authorizationHeader = httpContext.Request.Headers.Authorization.ToString();
+        var credential = !string.IsNullOrWhiteSpace(authorizationHeader)
+            ? authorizationHeader
+            : httpContext.Request.Headers["X-API-Key"].ToString();
         var verification = await verifier.VerifyAsync(
-            authorizationHeader, httpContext.RequestAborted);
+            credential, httpContext.RequestAborted);
 
         if (!verification.Succeeded)
         {

tests/ZB.MOM.WW.ScadaBridge.InboundAPI.Tests/EndpointExtensionsTests.cs

@@ -114,16 +114,96 @@ public sealed class EndpointExtensionsTests : IDisposable
     }
 
     [Fact]
-    public async Task MissingBearer_Returns401()
+    public async Task HappyPath_ValidXApiKeyInScope_Returns200WithScriptResultJson()
     {
-        var method = SeedMethod(1, "noKey", "return 1;");
+        // X-API-Key restore: the SAME seeded key, presented in the alternate
+        // "X-API-Key: sbk_<keyId>_<secret>" header (raw token, no "Bearer " prefix),
+        // must authenticate through the SAME shared verifier and reach the script —
+        // proving the broadened credential extraction feeds X-API-Key to VerifyAsync.
+        var method = SeedMethod(1, "echo", "return Parameters[\"value\"];",
+            """[{"name":"value","type":"Integer","required":true}]""");
 
         using var host = await BuildHostAsync(method);
-        await SeedKeyAsync(host, "key1", "noKey-caller", new[] { "noKey" });
+        var token = await SeedKeyAsync(host, keyId: "key1", displayName: "echo-caller",
+            scopes: new[] { "echo" });
         var client = host.GetTestClient();
 
-        // No Authorization header — auth should reject with 401.
-        var request = new HttpRequestMessage(HttpMethod.Post, "/api/noKey")
+        var request = BuildPostWithApiKeyHeader("echo", """{"value":7}""", token);
+        var response = await client.SendAsync(request);
+        var body = await response.Content.ReadAsStringAsync();
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("7", body);
+    }
+
+    [Fact]
+    public async Task BothHeadersPresent_AuthorizationWins_ValidBearerBeatsGarbageXApiKey()
+    {
+        // Precedence: when BOTH headers are present, the Authorization header is the
+        // credential passed to the verifier. A VALID Bearer token alongside a GARBAGE
+        // X-API-Key must authenticate (200) — proving Authorization, not X-API-Key,
+        // was the value extracted and verified.
+        var method = SeedMethod(1, "echo", "return Parameters[\"value\"];",
+            """[{"name":"value","type":"Integer","required":true}]""");
+
+        using var host = await BuildHostAsync(method);
+        var validToken = await SeedKeyAsync(host, keyId: "key1", displayName: "echo-caller",
+            scopes: new[] { "echo" });
+        var client = host.GetTestClient();
+
+        var request = new HttpRequestMessage(HttpMethod.Post, "/api/echo")
+        {
+            Content = new StringContent("""{"value":7}""", Encoding.UTF8, "application/json"),
+        };
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", validToken);
+        request.Headers.Add("X-API-Key", "sbk_garbage_not-a-real-secret");
+        var response = await client.SendAsync(request);
+        var body = await response.Content.ReadAsStringAsync();
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("7", body);
+    }
+
+    [Fact]
+    public async Task BothHeadersPresent_AuthorizationWins_GarbageBearerBeatsValidXApiKey_Returns401()
+    {
+        // Precedence (the converse): a GARBAGE Bearer alongside an otherwise-VALID
+        // X-API-Key must STILL fail with 401 — the present (non-blank) Authorization
+        // header takes precedence and is the value handed to the verifier, so the
+        // valid X-API-Key is never consulted. This nails down that Authorization wins
+        // because it is PRESENT, not because it happened to be valid.
+        var method = SeedMethod(1, "echo", "return Parameters[\"value\"];",
+            """[{"name":"value","type":"Integer","required":true}]""");
+
+        using var host = await BuildHostAsync(method);
+        var validToken = await SeedKeyAsync(host, keyId: "key1", displayName: "echo-caller",
+            scopes: new[] { "echo" });
+        var client = host.GetTestClient();
+
+        var request = new HttpRequestMessage(HttpMethod.Post, "/api/echo")
+        {
+            Content = new StringContent("""{"value":7}""", Encoding.UTF8, "application/json"),
+        };
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "not-a-real-token");
+        request.Headers.Add("X-API-Key", validToken);
+        var response = await client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task NeitherHeader_Returns401()
+    {
+        // X-API-Key restore must NOT weaken the failure path: with NEITHER the
+        // Authorization nor the X-API-Key header present, the empty credential still
+        // fails the verifier and maps to the same generic 401.
+        var method = SeedMethod(1, "echo", "return 1;");
+
+        using var host = await BuildHostAsync(method);
+        await SeedKeyAsync(host, "key1", "echo-caller", new[] { "echo" });
+        var client = host.GetTestClient();
+
+        var request = new HttpRequestMessage(HttpMethod.Post, "/api/echo")
         {
             Content = new StringContent("{}", Encoding.UTF8, "application/json"),
         };
@@ -132,6 +212,31 @@ public sealed class EndpointExtensionsTests : IDisposable
         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
     }
 
+    [Fact]
+    public async Task WhitespaceAuthorization_ValidXApiKey_Returns200()
+    {
+        // IsNullOrWhiteSpace fall-through: a PRESENT but whitespace-only Authorization
+        // header is treated as absent, so a valid X-API-Key in the same request must
+        // still authenticate (200). This pins the IsNullOrWhiteSpace check: without
+        // it, a non-null-but-blank Authorization value would be passed straight to
+        // the verifier (which would fail), and the X-API-Key would never be consulted.
+        var method = SeedMethod(1, "echo", "return Parameters[\"value\"];",
+            """[{"name":"value","type":"Integer","required":true}]""");
+
+        using var host = await BuildHostAsync(method);
+        var token = await SeedKeyAsync(host, keyId: "key1", displayName: "echo-caller",
+            scopes: new[] { "echo" });
+        var client = host.GetTestClient();
+
+        var request = BuildPostWithApiKeyHeader("echo", """{"value":7}""", token);
+        request.Headers.TryAddWithoutValidation("Authorization", "   ");
+        var response = await client.SendAsync(request);
+        var body = await response.Content.ReadAsStringAsync();
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("7", body);
+    }
+
     [Fact]
     public async Task GarbageBearer_Returns401()
     {
@@ -453,6 +558,23 @@ public sealed class EndpointExtensionsTests : IDisposable
         return request;
     }
 
+    /// <summary>
+    /// X-API-Key restore: builds a POST carrying the credential in the alternate
+    /// <c>X-API-Key: sbk_&lt;keyId&gt;_&lt;secret&gt;</c> header (the RAW token, no
+    /// "Bearer " prefix) instead of Authorization. The endpoint must extract this
+    /// header value and feed it to the SAME shared verifier.
+    /// </summary>
+    private static HttpRequestMessage BuildPostWithApiKeyHeader(
+        string methodName, string body, string apiKeyToken)
+    {
+        var request = new HttpRequestMessage(HttpMethod.Post, "/api/" + methodName)
+        {
+            Content = new StringContent(body, Encoding.UTF8, "application/json"),
+        };
+        request.Headers.Add("X-API-Key", apiKeyToken);
+        return request;
+    }
+
     /// <summary>
     /// Seeds a key with the given scopes into the library SQLite store via
     /// <see cref="ApiKeyAdminCommands.CreateKeyAsync"/> (the public admin seam) and