This repository was archived by the owner on Feb 26, 2026. It is now read-only.

Secure DELETE /api/v1/gods with API key authentication and admin authorization #24

Draft
Copilot wants to merge 4 commits into main from copilot/secure-delete-gods-endpoint


Copilot AI commented Feb 26, 2026

The DELETE /api/v1/gods endpoint was publicly accessible, allowing any caller to wipe the entire gods table.

Changes

Authentication & Authorization

  • Added ApiKeyAuthenticationHandler for API key validation via X-API-Key header
  • Configured authentication scheme and "AdminOnly" authorization policy in Program.cs
  • Middleware placed before endpoint registration to ensure proper execution order

Protected Endpoint

gods.MapDelete("", DeleteAllGods).RequireAuthorization("AdminOnly");

Repository Implementation

  • Added DeleteAllGodsAsync() to IGodRepository
  • Uses ExecuteDeleteAsync() for server-side bulk deletion (avoids materializing entities)
  • Logs deletions at warning level with count

Test Coverage

  • Unit tests verify endpoint behavior with mocked repository
  • Integration tests validate: 401 for missing/invalid keys, 200 with admin key, actual deletion

Security Model

  • Authentication: Valid API key required (X-API-Key header)
  • Authorization: Admin role required via policy
  • Status codes: 401 for auth failures, 403 for insufficient permissions

Note: Demo uses hardcoded admin key admin-key-12345. Production should use configuration/Key Vault.

Original prompt

This section details the original issue you should resolve

<issue_title>[CRITICAL] DELETE /api/v1/gods endpoint has no authentication or authorization</issue_title>
<issue_description>## Summary

The DELETE /api/v1/gods endpoint is a destructive bulk-delete operation that is exposed without any authentication, authorization, or confirmation mechanism. Any anonymous caller can wipe all data from the database.

## Description

In src/Endpoints/v1/Gods.cs (line 21), the DeleteAllGods endpoint is registered as a publicly accessible MapDelete route. There is no .RequireAuthorization() call, no authentication middleware protecting it, and no confirmation step. This means:

  • Any unauthenticated user can call DELETE /api/v1/gods and permanently remove all god records.
  • There is no soft-delete or recovery mechanism — the repository calls RemoveRange on the entire Gods DbSet.
  • The only trace is a Log.Warning message, which is insufficient for a destructive operation.

This violates the project security policy: "Validate and authenticate all incoming requests" and "Limit permissions and access to only what is necessary."

## Implementation

  1. Add authentication middleware to the application pipeline in src/Program.cs.
  2. Apply .RequireAuthorization() to the DELETE endpoint registration in src/Endpoints/v1/Gods.cs.
  3. Consider restricting this endpoint to an admin-only policy (e.g., .RequireAuthorization("AdminOnly")).
  4. Optionally, add a confirmation mechanism (e.g., require a confirmation header or query parameter).
  5. Add integration tests verifying that unauthenticated requests return 401 Unauthorized.

## References

  • src/Endpoints/v1/Gods.cs, line 21
  • src/Gods/DBRepositories/GodRepository.cs, DeleteAllGodsAsync method
  • src/Program.cs — missing auth middleware</issue_description>

Comments on the Issue (you are @copilot in this section)
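The scheme the PR describes (an X-API-Key authentication handler, an "AdminOnly" role policy, 401 for missing or invalid keys and 403 for a valid key without the role), written out as an added example rather than the repository's own code. It assumes .NET 8, an ASP.NET Core web project with implicit usings, and a hypothetical configuration entry `ApiKeys:Admin` in place of the hardcoded demo key.

```csharp
// Added example, not the PR's code: API-key scheme + "AdminOnly" policy as the PR describes.
// Assumes an ASP.NET Core (.NET 8) web project with implicit usings and a config entry ApiKeys:Admin.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(ApiKeyAuthenticationHandler.SchemeName)
    .AddScheme<AuthenticationSchemeOptions, ApiKeyAuthenticationHandler>(
        ApiKeyAuthenticationHandler.SchemeName, null);
builder.Services.AddAuthorizationBuilder()
    .AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));

var app = builder.Build();
app.UseAuthentication();   // must run before the endpoint executes
app.UseAuthorization();
// Unauthenticated -> 401; authenticated without the Admin role -> 403.
app.MapDelete("/api/v1/gods", () => Results.Ok(new { deleted = 0 }))  // placeholder handler
   .RequireAuthorization("AdminOnly");
app.Run();

public sealed class ApiKeyAuthenticationHandler(
    IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
    UrlEncoder encoder, IConfiguration config)
    : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
{
    public const string SchemeName = "ApiKey";

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Missing header: no identity, so the later challenge produces 401.
        if (!Request.Headers.TryGetValue("X-API-Key", out var presented) ||
            string.IsNullOrEmpty(presented))
            return Task.FromResult(AuthenticateResult.NoResult());

        // Key comes from configuration (user-secrets / Key Vault), never a literal in code.
        var adminKey = config["ApiKeys:Admin"];   // hypothetical config path
        if (adminKey is null || !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(presented.ToString()), Encoding.UTF8.GetBytes(adminKey)))
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key"));  // -> 401

        // Valid key: issue an identity carrying the Admin role the policy checks.
        var identity = new ClaimsIdentity(
            [new Claim(ClaimTypes.Name, "api-admin"), new Claim(ClaimTypes.Role, "Admin")],
            Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name)));
    }
}
```

The constant-time comparison matters because a plain string equality on the key would let response timing leak how many leading bytes matched; `FixedTimeEquals` returns false for differing lengths without short-circuiting.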



Copilot AI and others added 3 commits February 26, 2026 13:32
Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
…g, use ExecuteDeleteAsync

Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Copilot AI changed the title [WIP] Add authentication and authorization to DELETE /api/v1/gods endpoint Secure DELETE /api/v1/gods with API key authentication and admin authorization Feb 26, 2026
