Initial import into Gitea

Creative/Security/InternalAuthFilter.cs

@@ -0,0 +1,50 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace Creative.Security;
+
+/// <summary>
+/// Validates X-Internal-Key header on internal endpoints.
+/// Gateway sends this key when forwarding requests.
+/// </summary>
+public class InternalAuthFilter : IActionFilter
+{
+    private readonly IConfiguration _config;
+    private readonly ILogger<InternalAuthFilter> _logger;
+
+    public InternalAuthFilter(IConfiguration config, ILogger<InternalAuthFilter> logger)
+    {
+        _config = config;
+        _logger = logger;
+    }
+
+    public void OnActionExecuting(ActionExecutingContext context)
+    {
+        // Get expected key from config or environment
+        var expectedKey = _config["InternalKey"]
+            ?? Environment.GetEnvironmentVariable("CREATIVE_INTERNAL_KEY")
+            ?? "";
+
+        // If no key configured, allow all (dev mode)
+        if (string.IsNullOrWhiteSpace(expectedKey))
+        {
+            _logger.LogWarning("[InternalAuth] No internal key configured - allowing all requests");
+            return;
+        }
+
+        // Validate header
+        var providedKey = context.HttpContext.Request.Headers["X-Internal-Key"].FirstOrDefault();
+
+        if (string.IsNullOrWhiteSpace(providedKey) || providedKey != expectedKey)
+        {
+            _logger.LogWarning("[InternalAuth] Invalid or missing X-Internal-Key");
+            context.Result = new UnauthorizedObjectResult(new
+            {
+                ok = false,
+                error = "Unauthorized: invalid internal key"
+            });
+        }
+    }
+
+    public void OnActionExecuted(ActionExecutedContext context) { }
+}