api/revoke_api_key.php

<?php
// API endpoint for revoking API keys (Admin only)
error_reporting(E_ALL);
ini_set('display_errors', 0);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

ob_start();

try {
    // Load config
    require_once dirname(__DIR__) . '/config/config.php';

    // Load models
    require_once dirname(__DIR__) . '/models/ApiKeyModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // Check admin privileges
    if (!isset($_SESSION['user']['is_admin']) || !$_SESSION['user']['is_admin']) {
        throw new Exception("Admin privileges required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            throw new Exception("Invalid CSRF token");
        }
    }

    // Only allow POST
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        throw new Exception("Method not allowed");
    }

    // Get request data
    $input = json_decode(file_get_contents('php://input'), true);
    if (!$input) {
        throw new Exception("Invalid request data");
    }

    $keyId = (int)($input['key_id'] ?? 0);

    if ($keyId <= 0) {
        throw new Exception("Valid key ID is required");
    }

    // Create database connection
    $conn = new mysqli(
        $GLOBALS['config']['DB_HOST'],
        $GLOBALS['config']['DB_USER'],
        $GLOBALS['config']['DB_PASS'],
        $GLOBALS['config']['DB_NAME']
    );

    if ($conn->connect_error) {
        throw new Exception("Database connection failed");
    }

    // Get key info for audit log
    $apiKeyModel = new ApiKeyModel($conn);
    $keyInfo = $apiKeyModel->getKeyById($keyId);

    if (!$keyInfo) {
        throw new Exception("API key not found");
    }

    if (!$keyInfo['is_active']) {
        throw new Exception("API key is already revoked");
    }

    // Revoke the key
    $success = $apiKeyModel->revokeKey($keyId);

    if (!$success) {
        throw new Exception("Failed to revoke API key");
    }

    // Log the action
    $auditLog = new AuditLogModel($conn);
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'revoke',
        'api_key',
        $keyId,
        ['key_name' => $keyInfo['key_name'], 'key_prefix' => $keyInfo['key_prefix']]
    );

    $conn->close();

    // Clear output buffer
    ob_end_clean();

    // Return success
    header('Content-Type: application/json');
    echo json_encode([
        'success' => true,
        'message' => 'API key revoked successfully'
    ]);

} catch (Exception $e) {
    ob_end_clean();
    header('Content-Type: application/json');
    http_response_code(isset($conn) ? 400 : 500);
    echo json_encode([
        'success' => false,
        'error' => $e->getMessage()
    ]);
}
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00			`<?php`
			`// API endpoint for revoking API keys (Admin only)`
			`error_reporting(E_ALL);`
			`ini_set('display_errors', 0);`

			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`ob_start();`

			`try {`
			`// Load config`
			`require_once dirname(__DIR__) . '/config/config.php';`

			`// Load models`
			`require_once dirname(__DIR__) . '/models/ApiKeyModel.php';`
			`require_once dirname(__DIR__) . '/models/AuditLogModel.php';`

			`// Check authentication via session`
			`session_start();`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

			`// Check admin privileges`
			`if (!isset($_SESSION['user']['is_admin']) \|\| !$_SESSION['user']['is_admin']) {`
			`throw new Exception("Admin privileges required");`
			`}`

			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`throw new Exception("Invalid CSRF token");`
			`}`
			`}`

			`// Only allow POST`
			`if ($_SERVER['REQUEST_METHOD'] !== 'POST') {`
			`http_response_code(405);`
			`throw new Exception("Method not allowed");`
			`}`

			`// Get request data`
			`$input = json_decode(file_get_contents('php://input'), true);`
			`if (!$input) {`
			`throw new Exception("Invalid request data");`
			`}`

			`$keyId = (int)($input['key_id'] ?? 0);`

			`if ($keyId <= 0) {`
			`throw new Exception("Valid key ID is required");`
			`}`

			`// Create database connection`
			`$conn = new mysqli(`
			`$GLOBALS['config']['DB_HOST'],`
			`$GLOBALS['config']['DB_USER'],`
			`$GLOBALS['config']['DB_PASS'],`
			`$GLOBALS['config']['DB_NAME']`
			`);`

			`if ($conn->connect_error) {`
			`throw new Exception("Database connection failed");`
			`}`

			`// Get key info for audit log`
			`$apiKeyModel = new ApiKeyModel($conn);`
			`$keyInfo = $apiKeyModel->getKeyById($keyId);`

			`if (!$keyInfo) {`
			`throw new Exception("API key not found");`
			`}`

			`if (!$keyInfo['is_active']) {`
			`throw new Exception("API key is already revoked");`
			`}`

			`// Revoke the key`
			`$success = $apiKeyModel->revokeKey($keyId);`

			`if (!$success) {`
			`throw new Exception("Failed to revoke API key");`
			`}`

			`// Log the action`
			`$auditLog = new AuditLogModel($conn);`
			`$auditLog->log(`
			`$_SESSION['user']['user_id'],`
			`'revoke',`
			`'api_key',`
			`$keyId,`
			`['key_name' => $keyInfo['key_name'], 'key_prefix' => $keyInfo['key_prefix']]`
			`);`

			`$conn->close();`

			`// Clear output buffer`
			`ob_end_clean();`

			`// Return success`
			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => true,`
			`'message' => 'API key revoked successfully'`
			`]);`

			`} catch (Exception $e) {`
			`ob_end_clean();`
			`header('Content-Type: application/json');`
			`http_response_code(isset($conn) ? 400 : 500);`
			`echo json_encode([`
			`'success' => false,`
			`'error' => $e->getMessage()`
			`]);`
			`}`