Remove dead AI API-key auth residue

BenjaminMichaelis · BenjaminMichaelis · commit acfe52ba60e7 · 2026-04-22T14:31:32.000-07:00
- Remove AIOptions.ApiKey property (was never read at runtime)
- Remove [Obsolete] AddAzureOpenAIServicesWithApiKey method (zero callers)
- Remove ApiKey from appsettings.json defaults
- Remove ai-apikey KV secret ref and AIOptions__ApiKey env var from
  both staging and production deploy blocks

All active paths already use DefaultAzureCredential.
diff --git a/.github/workflows/Build-Test-And-Deploy.yml b/.github/workflows/Build-Test-And-Deploy.yml
@@ -152,7 +152,7 @@ jobs:
               emailsender-email=keyvaultref:$KEYVAULTURI/secrets/authmessagesender-sendfromemail,identityref:$MANAGEDIDENTITYID connectionstring=keyvaultref:$KEYVAULTURI/secrets/connectionstrings-essentialcsharpwebcontextconnection,identityref:$MANAGEDIDENTITYID \
               captcha-sitekey=keyvaultref:$KEYVAULTURI/secrets/captcha-sitekey,identityref:$MANAGEDIDENTITYID captcha-secretkey=keyvaultref:$KEYVAULTURI/secrets/captcha-secretkey,identityref:$MANAGEDIDENTITYID \
               appinsights-connectionstring=keyvaultref:$KEYVAULTURI/secrets/applicationinsights-connectionstring,identityref:$MANAGEDIDENTITYID \
-              ai-endpoint=keyvaultref:$KEYVAULTURI/secrets/AIOptions--Endpoint,identityref:$MANAGEDIDENTITYID ai-apikey=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ApiKey,identityref:$MANAGEDIDENTITYID \
+              ai-endpoint=keyvaultref:$KEYVAULTURI/secrets/AIOptions--Endpoint,identityref:$MANAGEDIDENTITYID \
               ai-vectordeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--VectorGenerationDeploymentName,identityref:$MANAGEDIDENTITYID ai-chatdeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ChatDeploymentName,identityref:$MANAGEDIDENTITYID \
               ai-systemprompt=keyvaultref:$KEYVAULTURI/secrets/AIOptions--SystemPrompt,identityref:$MANAGEDIDENTITYID \
               postgres-vectorstore-connectionstring=keyvaultref:$KEYVAULTURI/secrets/ConnectionStrings--PostgresVectorStore,identityref:$MANAGEDIDENTITYID
@@ -162,10 +162,9 @@ jobs:
               Authentication__microsoft__clientId=secretref:msft-clientid Authentication__microsoft__clientSecret=secretref:msft-clientsecret AuthMessageSender__ApiKey=secretref:emailsender-apikey AuthMessageSender__SecretKey=secretref:emailsender-secret \
               AuthMessageSender__SendFromName=secretref:emailsender-name AuthMessageSender__SendFromEmail=secretref:emailsender-email ConnectionStrings__EssentialCSharpWebContextConnection=secretref:connectionstring ASPNETCORE_ENVIRONMENT=Staging \
               AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \
-              AIOptions__Endpoint=secretref:ai-endpoint AIOptions__ApiKey=secretref:ai-apikey AIOptions__VectorGenerationDeploymentName=secretref:ai-vectordeployment AIOptions__ChatDeploymentName=secretref:ai-chatdeployment \
+              AIOptions__Endpoint=secretref:ai-endpoint AIOptions__VectorGenerationDeploymentName=secretref:ai-vectordeployment AIOptions__ChatDeploymentName=secretref:ai-chatdeployment \
               AIOptions__SystemPrompt=secretref:ai-systemprompt ConnectionStrings__PostgresVectorStore=secretref:postgres-vectorstore-connectionstring \
               TryDotNet__Origin=$TRYDOTNET_ORIGIN DataProtection__AzureKeyVaultKeyUri=$KEYVAULTURI/keys/dataprotection
-
       - name: Logout of Azure CLI
         if: always()
         uses: azure/CLI@v3
@@ -244,7 +243,7 @@ jobs:
               emailsender-email=keyvaultref:$KEYVAULTURI/secrets/authmessagesender-sendfromemail,identityref:$MANAGEDIDENTITYID connectionstring=keyvaultref:$KEYVAULTURI/secrets/connectionstrings-essentialcsharpwebcontextconnection,identityref:$MANAGEDIDENTITYID \
               captcha-sitekey=keyvaultref:$KEYVAULTURI/secrets/captcha-sitekey,identityref:$MANAGEDIDENTITYID captcha-secretkey=keyvaultref:$KEYVAULTURI/secrets/captcha-secretkey,identityref:$MANAGEDIDENTITYID \
               appinsights-connectionstring=keyvaultref:$KEYVAULTURI/secrets/applicationinsights-connectionstring,identityref:$MANAGEDIDENTITYID \
-              ai-endpoint=keyvaultref:$KEYVAULTURI/secrets/AIOptions--Endpoint,identityref:$MANAGEDIDENTITYID ai-apikey=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ApiKey,identityref:$MANAGEDIDENTITYID \
+              ai-endpoint=keyvaultref:$KEYVAULTURI/secrets/AIOptions--Endpoint,identityref:$MANAGEDIDENTITYID \
               ai-vectordeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--VectorGenerationDeploymentName,identityref:$MANAGEDIDENTITYID ai-chatdeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ChatDeploymentName,identityref:$MANAGEDIDENTITYID \
               ai-systemprompt=keyvaultref:$KEYVAULTURI/secrets/AIOptions--SystemPrompt,identityref:$MANAGEDIDENTITYID \
               postgres-vectorstore-connectionstring=keyvaultref:$KEYVAULTURI/secrets/ConnectionStrings--PostgresVectorStore,identityref:$MANAGEDIDENTITYID
@@ -254,7 +253,7 @@ jobs:
               Authentication__microsoft__clientId=secretref:msft-clientid Authentication__microsoft__clientSecret=secretref:msft-clientsecret AuthMessageSender__ApiKey=secretref:emailsender-apikey AuthMessageSender__SecretKey=secretref:emailsender-secret \
               AuthMessageSender__SendFromName=secretref:emailsender-name AuthMessageSender__SendFromEmail=secretref:emailsender-email ConnectionStrings__EssentialCSharpWebContextConnection=secretref:connectionstring ASPNETCORE_ENVIRONMENT=Production \
               AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \
-              AIOptions__Endpoint=secretref:ai-endpoint AIOptions__ApiKey=secretref:ai-apikey AIOptions__VectorGenerationDeploymentName=secretref:ai-vectordeployment AIOptions__ChatDeploymentName=secretref:ai-chatdeployment \
+              AIOptions__Endpoint=secretref:ai-endpoint AIOptions__VectorGenerationDeploymentName=secretref:ai-vectordeployment AIOptions__ChatDeploymentName=secretref:ai-chatdeployment \
               AIOptions__SystemPrompt=secretref:ai-systemprompt ConnectionStrings__PostgresVectorStore=secretref:postgres-vectorstore-connectionstring \
               TryDotNet__Origin=$TRYDOTNET_ORIGIN DataProtection__AzureKeyVaultKeyUri=$KEYVAULTURI/keys/dataprotection
 
diff --git a/EssentialCSharp.Chat.Shared/Extensions/ServiceCollectionExtensions.cs b/EssentialCSharp.Chat.Shared/Extensions/ServiceCollectionExtensions.cs
@@ -176,74 +176,4 @@ private static IServiceCollection AddPostgresVectorStoreWithManagedIdentity(
         return services;
     }
 
-    /// <summary>
-    /// Adds Azure OpenAI and related AI services to the service collection using API key authentication (legacy)
-    /// </summary>
-    /// <param name="services">The service collection to add services to</param>
-    /// <param name="aiOptions">The AI configuration options</param>
-    /// <param name="postgresConnectionString">The PostgreSQL connection string for the vector store</param>
-    /// <param name="apiKey">The API key for Azure OpenAI authentication</param>
-    /// <returns>The service collection for chaining</returns>
-    [Obsolete("API key authentication is not recommended for production. Use AddAzureOpenAIServices with Managed Identity instead.")]
-    public static IServiceCollection AddAzureOpenAIServicesWithApiKey(
-        this IServiceCollection services,
-        AIOptions aiOptions,
-        string postgresConnectionString,
-        string apiKey)
-    {
-        if (string.IsNullOrEmpty(apiKey))
-        {
-            throw new ArgumentException("API key cannot be null or empty.", nameof(apiKey));
-        }
-
-        if (string.IsNullOrEmpty(aiOptions.Endpoint))
-        {
-            throw new InvalidOperationException("AIOptions.Endpoint is required.");
-        }
-
-        var endpoint = new Uri(aiOptions.Endpoint);
-
-        // Register Azure OpenAI services with API key authentication
-#pragma warning disable SKEXP0010 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
-        services.AddAzureOpenAIChatClient(
-            aiOptions.ChatDeploymentName,
-            aiOptions.Endpoint,
-            apiKey);
-
-        services.AddSingleton(provider =>
-            new AzureOpenAIClient(endpoint, new Azure.AzureKeyCredential(apiKey)));
-
-        services.AddAzureOpenAIChatCompletion(
-            aiOptions.ChatDeploymentName,
-            aiOptions.Endpoint,
-            apiKey);
-
-        // Register NpgsqlDataSource with UseVector() enabled for API key scenario as well
-        services.AddSingleton<NpgsqlDataSource>(sp =>
-        {
-            var dataSourceBuilder = new NpgsqlDataSourceBuilder(postgresConnectionString);
-            // IMPORTANT: UseVector() must be called to enable pgvector support
-            dataSourceBuilder.UseVector();
-            return dataSourceBuilder.Build();
-        });
-
-        // Add PostgreSQL vector store using the NpgsqlDataSource from DI
-        services.AddPostgresVectorStore();
-
-        services.AddEmbeddingGenerator(sp =>
-            sp.GetRequiredService<AzureOpenAIClient>()
-              .GetEmbeddingClient(aiOptions.VectorGenerationDeploymentName)
-              .AsIEmbeddingGenerator())
-            .UseLogging()
-            .UseOpenTelemetry();
-#pragma warning restore SKEXP0010
-
-        // Register shared AI services
-        services.AddSingleton<EmbeddingService>();
-        services.AddSingleton<AISearchService>();
-        services.AddSingleton<AIChatService>();
-        services.AddSingleton<MarkdownChunkingService>();
-
-        return services;
-    }
 }
diff --git a/EssentialCSharp.Chat.Shared/Models/AIOptions.cs b/EssentialCSharp.Chat.Shared/Models/AIOptions.cs
@@ -22,8 +22,4 @@ public class AIOptions
     /// </summary>
     public string Endpoint { get; set; } = string.Empty;
 
-    /// <summary>
-    /// The API key for accessing Azure OpenAI services.
-    /// </summary>
-    public string ApiKey { get; set; } = string.Empty;
 }
diff --git a/EssentialCSharp.Web/appsettings.json b/EssentialCSharp.Web/appsettings.json
@@ -22,8 +22,7 @@
     "VectorGenerationDeploymentName": "text-embedding-3-large-v1",
     "ChatDeploymentName": "gpt-5",
     "SystemPrompt": "You are a helpful AI assistant with expertise in C# programming and the Essential C# book content. You can help users understand C# concepts, answer programming questions, and provide guidance based on the Essential C# book materials. Be concise but thorough in your explanations.",
-    "Endpoint": "",
-    "ApiKey": ""
+    "Endpoint": ""
   },
   "SiteSettings": {
     "BaseUrl": "https://essentialcsharp.com"

Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,4 @@ public class AIOptions`
`22`	`22`	`/// </summary>`
`23`	`23`	`public string Endpoint { get; set; } = string.Empty;`
`24`	`24`
`25`		`- /// <summary>`
`26`		`- /// The API key for accessing Azure OpenAI services.`
`27`		`- /// </summary>`
`28`		`- public string ApiKey { get; set; } = string.Empty;`
`29`	`25`	`}`