feat: Add 9 new features for enhanced UX and security
Quick Wins: - Feature 1: Ticket linking in comments (#123456789 auto-links) - Feature 6: Checkbox click area fix (click anywhere in cell) - Feature 7: User groups display in settings modal UI Enhancements: - Feature 4: Collapsible sidebar with localStorage persistence - Feature 5: Inline ticket preview popup on hover (300ms delay) - Feature 2: Mobile responsive improvements (44px touch targets, iOS zoom fix) Major Features: - Feature 3: Kanban card view with status columns (toggle with localStorage) - Feature 9: API key generation admin panel (/admin/api-keys) - Feature 8: Ticket visibility levels (public/internal/confidential) New files: - views/admin/ApiKeysView.php - api/generate_api_key.php - api/revoke_api_key.php - migrations/008_ticket_visibility.sql Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
127
api/generate_api_key.php
Normal file
127
api/generate_api_key.php
Normal file
@@ -0,0 +1,127 @@
|
||||
<?php
|
||||
// API endpoint for generating API keys (Admin only)
|
||||
error_reporting(E_ALL);
|
||||
ini_set('display_errors', 0);
|
||||
|
||||
// Apply rate limiting
|
||||
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
|
||||
RateLimitMiddleware::apply('api');
|
||||
|
||||
ob_start();
|
||||
|
||||
try {
|
||||
// Load config
|
||||
require_once dirname(__DIR__) . '/config/config.php';
|
||||
|
||||
// Load models
|
||||
require_once dirname(__DIR__) . '/models/ApiKeyModel.php';
|
||||
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
|
||||
|
||||
// Check authentication via session
|
||||
session_start();
|
||||
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
||||
throw new Exception("Authentication required");
|
||||
}
|
||||
|
||||
// Check admin privileges
|
||||
if (!isset($_SESSION['user']['is_admin']) || !$_SESSION['user']['is_admin']) {
|
||||
throw new Exception("Admin privileges required");
|
||||
}
|
||||
|
||||
// CSRF Protection
|
||||
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
$csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
||||
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
||||
http_response_code(403);
|
||||
throw new Exception("Invalid CSRF token");
|
||||
}
|
||||
}
|
||||
|
||||
// Only allow POST
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
http_response_code(405);
|
||||
throw new Exception("Method not allowed");
|
||||
}
|
||||
|
||||
// Get request data
|
||||
$input = json_decode(file_get_contents('php://input'), true);
|
||||
if (!$input) {
|
||||
throw new Exception("Invalid request data");
|
||||
}
|
||||
|
||||
$keyName = trim($input['key_name'] ?? '');
|
||||
$expiresInDays = $input['expires_in_days'] ?? null;
|
||||
|
||||
if (empty($keyName)) {
|
||||
throw new Exception("Key name is required");
|
||||
}
|
||||
|
||||
if (strlen($keyName) > 100) {
|
||||
throw new Exception("Key name must be 100 characters or less");
|
||||
}
|
||||
|
||||
// Validate expires_in_days if provided
|
||||
if ($expiresInDays !== null && $expiresInDays !== '') {
|
||||
$expiresInDays = (int)$expiresInDays;
|
||||
if ($expiresInDays < 1 || $expiresInDays > 3650) {
|
||||
throw new Exception("Expiration must be between 1 and 3650 days");
|
||||
}
|
||||
} else {
|
||||
$expiresInDays = null;
|
||||
}
|
||||
|
||||
// Create database connection
|
||||
$conn = new mysqli(
|
||||
$GLOBALS['config']['DB_HOST'],
|
||||
$GLOBALS['config']['DB_USER'],
|
||||
$GLOBALS['config']['DB_PASS'],
|
||||
$GLOBALS['config']['DB_NAME']
|
||||
);
|
||||
|
||||
if ($conn->connect_error) {
|
||||
throw new Exception("Database connection failed");
|
||||
}
|
||||
|
||||
// Generate API key
|
||||
$apiKeyModel = new ApiKeyModel($conn);
|
||||
$result = $apiKeyModel->createKey($keyName, $_SESSION['user']['user_id'], $expiresInDays);
|
||||
|
||||
if (!$result['success']) {
|
||||
throw new Exception($result['error'] ?? "Failed to generate API key");
|
||||
}
|
||||
|
||||
// Log the action
|
||||
$auditLog = new AuditLogModel($conn);
|
||||
$auditLog->log(
|
||||
$_SESSION['user']['user_id'],
|
||||
'create',
|
||||
'api_key',
|
||||
$result['key_id'],
|
||||
['key_name' => $keyName, 'expires_in_days' => $expiresInDays]
|
||||
);
|
||||
|
||||
$conn->close();
|
||||
|
||||
// Clear output buffer
|
||||
ob_end_clean();
|
||||
|
||||
// Return success with the plaintext key (shown only once)
|
||||
header('Content-Type: application/json');
|
||||
echo json_encode([
|
||||
'success' => true,
|
||||
'api_key' => $result['api_key'],
|
||||
'key_prefix' => $result['key_prefix'],
|
||||
'key_id' => $result['key_id'],
|
||||
'expires_at' => $result['expires_at']
|
||||
]);
|
||||
|
||||
} catch (Exception $e) {
|
||||
ob_end_clean();
|
||||
header('Content-Type: application/json');
|
||||
http_response_code(isset($conn) ? 400 : 500);
|
||||
echo json_encode([
|
||||
'success' => false,
|
||||
'error' => $e->getMessage()
|
||||
]);
|
||||
}
|
||||
Reference in New Issue
Block a user