api/generate_api_key.php

<?php
// API endpoint for generating API keys (Admin only)
error_reporting(E_ALL);
ini_set('display_errors', 0);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

ob_start();

try {
    // Load config
    require_once dirname(__DIR__) . '/config/config.php';

    // Load models
    require_once dirname(__DIR__) . '/models/ApiKeyModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // Check admin privileges
    if (!isset($_SESSION['user']['is_admin']) || !$_SESSION['user']['is_admin']) {
        throw new Exception("Admin privileges required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            throw new Exception("Invalid CSRF token");
        }
    }

    // Only allow POST
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        throw new Exception("Method not allowed");
    }

    // Get request data
    $input = json_decode(file_get_contents('php://input'), true);
    if (!$input) {
        throw new Exception("Invalid request data");
    }

    $keyName = trim($input['key_name'] ?? '');
    $expiresInDays = $input['expires_in_days'] ?? null;

    if (empty($keyName)) {
        throw new Exception("Key name is required");
    }

    if (strlen($keyName) > 100) {
        throw new Exception("Key name must be 100 characters or less");
    }

    // Validate expires_in_days if provided
    if ($expiresInDays !== null && $expiresInDays !== '') {
        $expiresInDays = (int)$expiresInDays;
        if ($expiresInDays < 1 || $expiresInDays > 3650) {
            throw new Exception("Expiration must be between 1 and 3650 days");
        }
    } else {
        $expiresInDays = null;
    }

    // Create database connection
    $conn = new mysqli(
        $GLOBALS['config']['DB_HOST'],
        $GLOBALS['config']['DB_USER'],
        $GLOBALS['config']['DB_PASS'],
        $GLOBALS['config']['DB_NAME']
    );

    if ($conn->connect_error) {
        throw new Exception("Database connection failed");
    }

    // Generate API key
    $apiKeyModel = new ApiKeyModel($conn);
    $result = $apiKeyModel->createKey($keyName, $_SESSION['user']['user_id'], $expiresInDays);

    if (!$result['success']) {
        throw new Exception($result['error'] ?? "Failed to generate API key");
    }

    // Log the action
    $auditLog = new AuditLogModel($conn);
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'create',
        'api_key',
        $result['key_id'],
        ['key_name' => $keyName, 'expires_in_days' => $expiresInDays]
    );

    $conn->close();

    // Clear output buffer
    ob_end_clean();

    // Return success with the plaintext key (shown only once)
    header('Content-Type: application/json');
    echo json_encode([
        'success' => true,
        'api_key' => $result['api_key'],
        'key_prefix' => $result['key_prefix'],
        'key_id' => $result['key_id'],
        'expires_at' => $result['expires_at']
    ]);

} catch (Exception $e) {
    ob_end_clean();
    header('Content-Type: application/json');
    http_response_code(isset($conn) ? 400 : 500);
    echo json_encode([
        'success' => false,
        'error' => $e->getMessage()
    ]);
}
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00			`<?php`
			`// API endpoint for generating API keys (Admin only)`
			`error_reporting(E_ALL);`
			`ini_set('display_errors', 0);`

			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`ob_start();`

			`try {`
			`// Load config`
			`require_once dirname(__DIR__) . '/config/config.php';`

			`// Load models`
			`require_once dirname(__DIR__) . '/models/ApiKeyModel.php';`
			`require_once dirname(__DIR__) . '/models/AuditLogModel.php';`

			`// Check authentication via session`
			`session_start();`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

			`// Check admin privileges`
			`if (!isset($_SESSION['user']['is_admin']) \|\| !$_SESSION['user']['is_admin']) {`
			`throw new Exception("Admin privileges required");`
			`}`

			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`throw new Exception("Invalid CSRF token");`
			`}`
			`}`

			`// Only allow POST`
			`if ($_SERVER['REQUEST_METHOD'] !== 'POST') {`
			`http_response_code(405);`
			`throw new Exception("Method not allowed");`
			`}`

			`// Get request data`
			`$input = json_decode(file_get_contents('php://input'), true);`
			`if (!$input) {`
			`throw new Exception("Invalid request data");`
			`}`

			`$keyName = trim($input['key_name'] ?? '');`
			`$expiresInDays = $input['expires_in_days'] ?? null;`

			`if (empty($keyName)) {`
			`throw new Exception("Key name is required");`
			`}`

			`if (strlen($keyName) > 100) {`
			`throw new Exception("Key name must be 100 characters or less");`
			`}`

			`// Validate expires_in_days if provided`
			`if ($expiresInDays !== null && $expiresInDays !== '') {`
			`$expiresInDays = (int)$expiresInDays;`
			`if ($expiresInDays < 1 \|\| $expiresInDays > 3650) {`
			`throw new Exception("Expiration must be between 1 and 3650 days");`
			`}`
			`} else {`
			`$expiresInDays = null;`
			`}`

			`// Create database connection`
			`$conn = new mysqli(`
			`$GLOBALS['config']['DB_HOST'],`
			`$GLOBALS['config']['DB_USER'],`
			`$GLOBALS['config']['DB_PASS'],`
			`$GLOBALS['config']['DB_NAME']`
			`);`

			`if ($conn->connect_error) {`
			`throw new Exception("Database connection failed");`
			`}`

			`// Generate API key`
			`$apiKeyModel = new ApiKeyModel($conn);`
			`$result = $apiKeyModel->createKey($keyName, $_SESSION['user']['user_id'], $expiresInDays);`

			`if (!$result['success']) {`
			`throw new Exception($result['error'] ?? "Failed to generate API key");`
			`}`

			`// Log the action`
			`$auditLog = new AuditLogModel($conn);`
			`$auditLog->log(`
			`$_SESSION['user']['user_id'],`
			`'create',`
			`'api_key',`
			`$result['key_id'],`
			`['key_name' => $keyName, 'expires_in_days' => $expiresInDays]`
			`);`

			`$conn->close();`

			`// Clear output buffer`
			`ob_end_clean();`

			`// Return success with the plaintext key (shown only once)`
			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => true,`
			`'api_key' => $result['api_key'],`
			`'key_prefix' => $result['key_prefix'],`
			`'key_id' => $result['key_id'],`
			`'expires_at' => $result['expires_at']`
			`]);`

			`} catch (Exception $e) {`
			`ob_end_clean();`
			`header('Content-Type: application/json');`
			`http_response_code(isset($conn) ? 400 : 500);`
			`echo json_encode([`
			`'success' => false,`
			`'error' => $e->getMessage()`
			`]);`
			`}`