Add currentRole to Health Summary Report at /health

[Copilot]

Why make this change?

Adds currentRole to the /health endpoint response to surface the effective role of the requesting user, enabling easier authentication testing without needing external tooling to inspect request headers.

What is this change?

• ComprehensiveHealthCheckReport: New currentRole string property (JSON: "currentRole") inserted after timestamp in the report header.
• HealthCheckHelper.ReadRoleHeaders(HttpContext): Replaces the former StoreIncomingRoleHeader method. Instead of writing to mutable instance fields, it returns a (roleHeader, roleToken) tuple that the caller holds as request-local values, eliminating a singleton race condition under concurrent requests.
• HealthCheckHelper.GetCurrentRole(roleHeader, roleToken): Determines the effective role using a three-way fallback: explicit X-MS-API-ROLE header → "authenticated" (if a bearer token is present) → "anonymous". This correctly handles authenticated users who provide a bearer token without an explicit role header.
• HealthCheckHelper.IsUserAllowedToAccessHealthCheck / GetHealthCheckResponseAsync: Updated to accept roleHeader/roleToken as explicit parameters; the values flow down the entire private call chain (UpdateHealthCheckDetailsAsync → UpdateEntityHealthCheckResultsAsync → PopulateEntityHealthAsync → ExecuteRestEntityQueryAsync / ExecuteGraphQlEntityQueryAsync) so no per-request state is stored on the singleton.
• ComprehensiveHealthReportResponseWriter: Reads role headers once per request into locals, passes them through all downstream calls, and stamps currentRole per-request after cache retrieval (using a non-destructive with expression) so cached responses never leak one caller's role to another request. The cache now stores the ComprehensiveHealthCheckReport object (without currentRole) rather than a serialized string.

Example response shape:

{
  "status": "Healthy",
  "version": "1.x.x",
  "app-name": "dab_oss_1.x.x",
  "timestamp": "2026-02-24T22:28:30Z",
  "currentRole": "authenticated",
  "configuration": { ... },
  "checks": [ ... ]
}

How was this tested?

• Integration Tests
• Unit Tests

Sample Request(s)

GET /health
X-MS-API-ROLE: myrole

Response includes "currentRole": "myrole".

GET /health
Authorization: ******

Response includes "currentRole": "authenticated" (bearer token present, no explicit role header).

GET /health

Response includes "currentRole": "anonymous" (no role header, no bearer token).

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Enh]: Add to Health Summary</issue_title>
<issue_description>## What?

1. Add to the header part of the Health Summary Report returned at /health a scalar property "currentRole" which returns the current role "anonymous", "authenticated", etc.

Why?

To help with authentication testing.</issue_description>

<agent_instructions>with as little new code as possible</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Enh]: Add to Health Summary #3157

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[JerryNixon]

@copilot revert your change of global.json

[Copilot]

@copilot revert your change of global.json

Done. Reverted global.json back to 8.0.418 in commit 158097b.

[Copilot]

Pull request overview

Adds visibility into the caller’s effective role by including a currentRole field in the comprehensive health report returned from /health, which helps validate authentication/authorization behavior during testing.

Changes:

• Added CurrentRole ("currentRole") to ComprehensiveHealthCheckReport.
• Populated CurrentRole in HealthCheckHelper.GetHealthCheckResponseAsync based on the incoming role header (fallbacking to anonymous).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/Service/HealthCheck/Model/ComprehensiveHealthCheckReport.cs	Extends the health report contract with a new currentRole property.
src/Service/HealthCheck/HealthCheckHelper.cs	Sets CurrentRole when generating the comprehensive health report.

[Copilot]

HealthCheckHelper is registered as a singleton (see Startup.cs) but CurrentRole is sourced from the mutable instance field _incomingRoleHeader, which is set per-request in StoreIncomingRoleHeader. Under concurrent requests this can race and cause the /health response to report the wrong role (and potentially leak another request’s role). Refactor to avoid per-request state on a singleton (e.g., read the role into a local in the response writer and pass it into helper methods, or store it in HttpContext.Items, or change lifetimes so the helper is scoped/transient).

[JerryNixon]

@copilot apply changes based on this feedback

[Copilot]

Fixed in 4931f45. Removed the mutable _incomingRoleHeader and _incomingRoleToken instance fields entirely from the singleton. StoreIncomingRoleHeader was replaced by ReadRoleHeaders(HttpContext) which returns a (roleHeader, roleToken) tuple — the caller in ComprehensiveHealthReportResponseWriter holds these as locals and passes them into GetHealthCheckResponseAsync, GetCurrentRole, and IsUserAllowedToAccessHealthCheck. The values flow down through the private call chain (UpdateHealthCheckDetailsAsync → UpdateEntityHealthCheckResultsAsync → PopulateEntityHealthAsync → ExecuteRestEntityQueryAsync/ExecuteGraphQlEntityQueryAsync) as parameters, so concurrent requests never share state.

[JerryNixon]

@copilot The logic is: if _incomingRoleHeader is null or empty, default to "anonymous". It will never show "authenticated" on its own — it only shows the literal value of the incoming X-MS-API-ROLE header. The _incomingRoleHeader field is initialized to string.Empty and is only updated when the X-MS-API-ROLE header is explicitly present in the request. The problem is the last case. An authenticated user who provides a valid bearer token but does not include the X-MS-API-ROLE header will be reported as "anonymous" rather than "authenticated". The PR doesn't inspect the authentication state of the request (e.g., httpContext.User.Identity.IsAuthenticated) — it relies solely on the role header. To properly reflect "authenticated", the fallback logic should also check whether the user is authenticated. Something like this:

comprehensiveHealthCheckReport.CurrentRole = !string.IsNullOrEmpty(_incomingRoleHeader)
    ? _incomingRoleHeader
    : !string.IsNullOrEmpty(_incomingRoleToken)
        ? AuthorizationResolver.ROLE_AUTHENTICATED
        : AuthorizationResolver.ROLE_ANONYMOUS;

[Copilot]

@copilot The logic is: if _incomingRoleHeader is null or empty, default to "anonymous". It will never show "authenticated" on its own — it only shows the literal value of the incoming X-MS-API-ROLE ...

Done in commit 76db65c. Added GetCurrentRole() to HealthCheckHelper with the corrected three-way fallback: explicit role header → bearer token present → anonymous. Also moved CurrentRole assignment out of the cacheable path so each request always sees its own effective role regardless of cache state.