From 3b0b7621e0c559e5e034694ccdfb6873057dd4ce Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Sat, 11 Apr 2026 21:44:35 -0400
Subject: [PATCH] Block web access to generate_api_key.php

Added php_sapi_name() CLI guard matching the pattern used in migrate.php and cleanup_ratelimit.php. Without this, the script was web-accessible and could generate an API key without authentication if no keys existed yet.

Co-Authored-By: Claude Sonnet 4.6
---
 generate_api_key.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/generate_api_key.php b/generate_api_key.php
index 23cdd95..ab47fd6 100644
--- a/generate_api_key.php
+++ b/generate_api_key.php
@@ -6,6 +6,12 @@
 * Usage: php generate_api_key.php
 */

+// Prevent web access
+if (php_sapi_name() !== 'cli') {
+ http_response_code(403);
+ exit('CLI access only');
+}
+
 require_once __DIR__ . '/config/config.php';
 require_once __DIR__ . '/models/ApiKeyModel.php';
 require_once __DIR__ . '/models/UserModel.php';
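Review bot: The new `php_sapi_name() !== 'cli'` check at the top of generate_api_key.php is a per-file guard copied by hand (the commit message names migrate.php and cleanup_ratelimit.php as the other copies), so any future CLI helper added without it is reachable over HTTP again. Treat it as defence in depth and also keep these scripts outside the document root or deny them in the web-server configuration. The comment `// Prevent web access` should record why the guard precedes the includes, for example `// Must stay above every require: this script can mint an API key without authentication when none exist.` The rest of the script lies outside the hunk, so whether key generation has any further check is not visible here.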