api/revoke_api_key.php

<?php
// API endpoint for revoking API keys (Admin only)
error_reporting(E_ALL);
ini_set('display_errors', 0);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

ob_start();

try {
    // Load config
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';

    // Load models
    require_once dirname(__DIR__) . '/models/ApiKeyModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // Check admin privileges
    if (!isset($_SESSION['user']['is_admin']) || !$_SESSION['user']['is_admin']) {
        throw new Exception("Admin privileges required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            throw new Exception("Invalid CSRF token");
        }
    }

    // Only allow POST
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        throw new Exception("Method not allowed");
    }

    // Get request data
    $input = json_decode(file_get_contents('php://input'), true);
    if (!$input) {
        throw new Exception("Invalid request data");
    }

    $keyId = (int)($input['key_id'] ?? 0);

    if ($keyId <= 0) {
        throw new Exception("Valid key ID is required");
    }

    // Use centralized database connection
    $conn = Database::getConnection();

    // Get key info for audit log
    $apiKeyModel = new ApiKeyModel($conn);
    $keyInfo = $apiKeyModel->getKeyById($keyId);

    if (!$keyInfo) {
        throw new Exception("API key not found");
    }

    if (!$keyInfo['is_active']) {
        throw new Exception("API key is already revoked");
    }

    // Revoke the key
    $success = $apiKeyModel->revokeKey($keyId);

    if (!$success) {
        throw new Exception("Failed to revoke API key");
    }

    // Log the action
    $auditLog = new AuditLogModel($conn);
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'revoke',
        'api_key',
        $keyId,
        ['key_name' => $keyInfo['key_name'], 'key_prefix' => $keyInfo['key_prefix']]
    );

    // Clear output buffer
    ob_end_clean();

    // Return success
    header('Content-Type: application/json');
    echo json_encode([
        'success' => true,
        'message' => 'API key revoked successfully'
    ]);

} catch (Exception $e) {
    ob_end_clean();
    error_log("Revoke API key error: " . $e->getMessage());
    header('Content-Type: application/json');
    http_response_code(isset($conn) ? 400 : 500);
    echo json_encode([
        'success' => false,
        'error' => 'An internal error occurred'
    ]);
}
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00			`<?php`
			`// API endpoint for revoking API keys (Admin only)`
			`error_reporting(E_ALL);`
			`ini_set('display_errors', 0);`

			`// Apply rate limiting`
			`require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';`
			`RateLimitMiddleware::apply('api');`

			`ob_start();`

			`try {`
			`// Load config`
			`require_once dirname(__DIR__) . '/config/config.php';`
Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`require_once dirname(__DIR__) . '/helpers/Database.php';`
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00
			`// Load models`
			`require_once dirname(__DIR__) . '/models/ApiKeyModel.php';`
			`require_once dirname(__DIR__) . '/models/AuditLogModel.php';`

			`// Check authentication via session`
			`session_start();`
			`if (!isset($_SESSION['user']) \|\| !isset($_SESSION['user']['user_id'])) {`
			`throw new Exception("Authentication required");`
			`}`

			`// Check admin privileges`
			`if (!isset($_SESSION['user']['is_admin']) \|\| !$_SESSION['user']['is_admin']) {`
			`throw new Exception("Admin privileges required");`
			`}`

			`// CSRF Protection`
			`require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
			`if (!CsrfMiddleware::validateToken($csrfToken)) {`
			`http_response_code(403);`
			`throw new Exception("Invalid CSRF token");`
			`}`
			`}`

			`// Only allow POST`
			`if ($_SERVER['REQUEST_METHOD'] !== 'POST') {`
			`http_response_code(405);`
			`throw new Exception("Method not allowed");`
			`}`

			`// Get request data`
			`$input = json_decode(file_get_contents('php://input'), true);`
			`if (!$input) {`
			`throw new Exception("Invalid request data");`
			`}`

			`$keyId = (int)($input['key_id'] ?? 0);`

			`if ($keyId <= 0) {`
			`throw new Exception("Valid key ID is required");`
			`}`

Add performance, security, and reliability improvements - Consolidate all 20 API files to use centralized Database helper - Add optimistic locking to ticket updates to prevent concurrent conflicts - Add caching to StatsModel (60s TTL) for dashboard performance - Add health check endpoint (api/health.php) for monitoring - Improve rate limit cleanup with cron script and efficient DirectoryIterator - Enable rate limit response headers (X-RateLimit-*) - Add audit logging for workflow transitions - Log Discord webhook failures instead of silencing - Fix visibility check on export_tickets.php - Add database migration system with performance indexes - Fix cron recurring tickets to use assignTicket method Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 14:39:13 -05:00			`// Use centralized database connection`
			`$conn = Database::getConnection();`
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00
			`// Get key info for audit log`
			`$apiKeyModel = new ApiKeyModel($conn);`
			`$keyInfo = $apiKeyModel->getKeyById($keyId);`

			`if (!$keyInfo) {`
			`throw new Exception("API key not found");`
			`}`

			`if (!$keyInfo['is_active']) {`
			`throw new Exception("API key is already revoked");`
			`}`

			`// Revoke the key`
			`$success = $apiKeyModel->revokeKey($keyId);`

			`if (!$success) {`
			`throw new Exception("Failed to revoke API key");`
			`}`

			`// Log the action`
			`$auditLog = new AuditLogModel($conn);`
			`$auditLog->log(`
			`$_SESSION['user']['user_id'],`
			`'revoke',`
			`'api_key',`
			`$keyId,`
			`['key_name' => $keyInfo['key_name'], 'key_prefix' => $keyInfo['key_prefix']]`
			`);`

			`// Clear output buffer`
			`ob_end_clean();`

			`// Return success`
			`header('Content-Type: application/json');`
			`echo json_encode([`
			`'success' => true,`
			`'message' => 'API key revoked successfully'`
			`]);`

			`} catch (Exception $e) {`
			`ob_end_clean();`
Fix error message disclosure in API endpoints Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 18:56:29 -05:00			`error_log("Revoke API key error: " . $e->getMessage());`
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00			`header('Content-Type: application/json');`
			`http_response_code(isset($conn) ? 400 : 500);`
			`echo json_encode([`
			`'success' => false,`
Fix error message disclosure in API endpoints Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses. Affected endpoints: - add_comment, update_comment, delete_comment - update_ticket, export_tickets - generate_api_key, revoke_api_key - manage_templates, manage_workflows, manage_recurring - custom_fields, get_users Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 18:56:29 -05:00			`'error' => 'An internal error occurred'`
feat: Add 9 new features for enhanced UX and security Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 10:01:50 -05:00			`]);`
			`}`