Require X-Sync-Trigger-Key header on /api/sync endpoint #2

Merged
hajekj merged 4 commits into main from copilot/add-sync-trigger-key-config
Mar 21, 2026

Contributor

Copilot AI commented Mar 21, 2026

  • Add SyncTriggerKey config key to SyncController.cs (read from configuration)
  • Validate X-Sync-Trigger-Key header in the /api/sync endpoint – return 401 if missing or incorrect, 500 if key is not configured
  • Use string.Equals with StringComparison.Ordinal for key comparison
  • Log error when SyncTriggerKey is not configured; print startup warning via Program.cs
  • Update README.md Secrets reference section to document SyncTriggerKey
Original prompt

This section details on the original issue you should resolve

<issue_title>Add a synchronization trigger key into configuration and require it when the synchronization is run</issue_title>
<issue_description>When running the synchronization endpoint /api/sync, the endpoint can be triggered anonymously. Add a key which will be required to trigger this specific endpoint, so that it cannot be triggered anonymously. The key should be configurable via configuration (also update Secrets reference in README). The key should be provided as a header X-Sync-Trigger-Key.</issue_description>

Comments on the Issue (you are @copilot in this section)


Copilot AI changed the title from "[WIP] Add synchronization trigger key requirement for sync endpoint" to "Require X-Sync-Trigger-Key header on /api/sync endpoint" Mar 21, 2026
Copilot AI requested a review from hajekj March 21, 2026 01:19
return new UnauthorizedResult();
}

if (!CryptographicOperations.FixedTimeEquals(
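
Review bot: the `CryptographicOperations.FixedTimeEquals(` call on the last visible line is the timing-safe way to compare the secret header value, and I would keep it rather than replace it with `string.Equals(..., StringComparison.Ordinal)`. An ordinal string comparison makes no constant-time guarantee, so its duration can depend on where the supplied value first differs from the configured key, while `FixedTimeEquals` only short-circuits when the two lengths differ. If the byte-array conversion is the readability concern, a small helper that wraps the encoding and the fixed-time comparison keeps the call site as short as `string.Equals` would.
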
Member

@copilot use equals instead of this comparison

Contributor Author

Done in b065b8c — replaced the CryptographicOperations.FixedTimeEquals byte-array comparison with string.Equals(providedKey.FirstOrDefault(), _syncTriggerKey, StringComparison.Ordinal) and removed the now-unused System.Security.Cryptography import.
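
The check this pull request describes (500 when the key is not configured, 401 when the header is missing or wrong), written as an added example that uses a constant-time comparison; it is not the project's code, and `SyncKeyCheck`, `Validate` and the sample key are hypothetical. Hashing both values before comparing is an addition made here so the comparison always runs over 32 bytes.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: SyncKeyCheck and Validate are hypothetical names,
// not taken from the project's SyncController.cs.
public static class SyncKeyCheck
{
    // Returns the status code the endpoint would answer with.
    public static int Validate(string? configuredKey, string? headerValue)
    {
        // Fail closed: a missing SyncTriggerKey must not turn auth off.
        if (string.IsNullOrEmpty(configuredKey))
            return 500;

        // Header absent or empty.
        if (string.IsNullOrEmpty(headerValue))
            return 401;

        // Hash both sides so the compared buffers are always 32 bytes and
        // the length of the configured key is not revealed (an addition
        // in this example, not something the pull request does).
        byte[] expected = SHA256.HashData(Encoding.UTF8.GetBytes(configuredKey));
        byte[] provided = SHA256.HashData(Encoding.UTF8.GetBytes(headerValue));

        // Run time does not depend on where the buffers first differ.
        return CryptographicOperations.FixedTimeEquals(expected, provided)
            ? 200
            : 401;
    }
}

public static class Program
{
    public static void Main()
    {
        const string key = "constructed-sample-key"; // constructed value
        var cases = new (string Name, string? Configured, string? Header)[]
        {
            ("key not configured", null, key),
            ("header missing", key, null),
            ("wrong key", key, "constructed-sample-kez"),
            ("correct key", key, key),
        };
        foreach (var c in cases)
            Console.WriteLine($"{c.Name}: {SyncKeyCheck.Validate(c.Configured, c.Header)}");
    }
}
```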

Copilot AI requested a review from hajekj March 21, 2026 01:22
@hajekj hajekj marked this pull request as ready for review March 21, 2026 01:23
@hajekj hajekj merged commit 6f31c30 into main Mar 21, 2026
1 check passed
@hajekj hajekj deleted the copilot/add-sync-trigger-key-config branch March 21, 2026 01:24
Development

Successfully merging this pull request may close these issues.

Add a synchronization trigger key into configuration and require it when the synchronization is run

2 participants