jared
2e450dc01d
P1-A: Fix CSP - add fonts.googleapis.com to style-src, fonts.gstatic.com to font-src
P1-B: CSRF token rotation - add rotateToken() to CsrfMiddleware; bootstrap.php rotates
after successful validation and stores in $GLOBALS['_new_csrf_token']; add
apiRespond() helper to append token to responses; lt.api interceptor in
layout_footer.php auto-updates window.CSRF_TOKEN from responses
P1-C: Styled 403/404 error views with TDS layout instead of raw text; index.php now
uses requireAdmin() helper eliminating 7 duplicated guard blocks (P3-D)
P2-A: Remove duplicate JS-generated keyboard help modal from keyboard-shortcuts.js;
'?' key now routes to static #lt-keys-help modal in footer
P2-B: Asset versioning driven by config ASSET_VERSION key; base.css and base.js get
?v= cache-busting in layout_header.php
P2-C: Add data-theme="dark" to <html> tag to prevent FOUC on light-mode users
P2-E: Escape status value in dashboard.js hover preview class attribute via lt.escHtml()
P2-F: Replace bespoke showLoadingOverlay() with lt-spinner / lt-loading-text from
base.css; add .lt-loading-overlay wrapper CSS to dashboard.css
P2-G: Add keyboard-shortcuts.js to all 7 admin views so J/K nav and ? help work
P3-A: APP_NAME, APP_SUBTITLE, APP_VERSION driven from config.php; layout header/footer
use config values instead of hardcoded strings
P3-G: Replace custom initTableSorting() with lt.sortTable.init() which manages aria-sort
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
198 lines
9.0 KiB
PHP
198 lines
9.0 KiB
PHP
<?php
|
|
require_once __DIR__ . '/../../middleware/SecurityHeadersMiddleware.php';
|
|
require_once __DIR__ . '/../../middleware/CsrfMiddleware.php';
|
|
$nonce = SecurityHeadersMiddleware::getNonce();
|
|
$pageTitle = 'API Keys';
|
|
$activeNav = 'admin-api-keys';
|
|
$pageStyles = ['/assets/css/dashboard.css?v=20260327'];
|
|
$pageScripts = ['/assets/js/keyboard-shortcuts.js'];
|
|
include __DIR__ . '/../../views/layout_header.php';
|
|
?>
|
|
|
|
<div class="lt-page-header">
|
|
<div class="lt-flex lt-flex-gap-sm lt-flex-align-center">
|
|
<a href="/" class="lt-btn lt-btn-ghost lt-btn-sm">← Dashboard</a>
|
|
<span class="lt-text-muted lt-text-xs">/</span>
|
|
<span class="lt-text-muted lt-text-xs">Admin: API Keys</span>
|
|
</div>
|
|
</div>
|
|
|
|
<!-- Generate new key -->
|
|
<div class="lt-frame lt-mb-md">
|
|
<span class="lt-frame-bl">╚</span><span class="lt-frame-br">╝</span>
|
|
<div class="lt-section-header">Generate New API Key</div>
|
|
<div class="lt-section-body">
|
|
<form id="generateKeyForm" class="lt-flex lt-flex-wrap lt-flex-gap-sm lt-flex-align-end">
|
|
<div class="lt-form-group" style="flex:2;margin:0">
|
|
<label class="lt-label" for="keyName">Key Name *</label>
|
|
<input type="text" id="keyName" required class="lt-input" placeholder="e.g., CI/CD Pipeline">
|
|
</div>
|
|
<div class="lt-form-group" style="flex:1;margin:0">
|
|
<label class="lt-label" for="expiresIn">Expires In</label>
|
|
<select id="expiresIn" class="lt-select">
|
|
<option value="">Never</option>
|
|
<option value="30">30 days</option>
|
|
<option value="90">90 days</option>
|
|
<option value="180">180 days</option>
|
|
<option value="365">1 year</option>
|
|
</select>
|
|
</div>
|
|
<button type="submit" class="lt-btn lt-btn-primary" style="margin-bottom:0">GENERATE KEY</button>
|
|
</form>
|
|
|
|
<!-- New key display (hidden by default) -->
|
|
<div id="newKeyDisplay" class="lt-frame-inner lt-mt-sm is-hidden">
|
|
<div class="lt-subsection-header lt-text-amber">⚠ Copy this key now — you won't see it again!</div>
|
|
<div class="lt-flex lt-flex-gap-sm lt-mt-sm">
|
|
<input type="text" id="newKeyValue" readonly class="lt-input" style="flex:1;font-family:monospace">
|
|
<button type="button" class="lt-btn lt-btn-sm" data-action="copy-api-key">COPY</button>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<!-- Existing keys -->
|
|
<div class="lt-frame lt-mb-md">
|
|
<span class="lt-frame-bl">╚</span><span class="lt-frame-br">╝</span>
|
|
<div class="lt-section-header">Existing API Keys</div>
|
|
<div class="lt-section-body">
|
|
<div class="lt-table-wrap">
|
|
<table class="lt-table lt-table-responsive" aria-label="API keys">
|
|
<thead>
|
|
<tr>
|
|
<th scope="col">Name</th>
|
|
<th scope="col">Key Prefix</th>
|
|
<th scope="col">Created By</th>
|
|
<th scope="col">Created</th>
|
|
<th scope="col">Expires</th>
|
|
<th scope="col">Last Used</th>
|
|
<th scope="col">Status</th>
|
|
<th scope="col">Actions</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<?php if (empty($apiKeys)): ?>
|
|
<tr><td colspan="8" class="lt-empty">No API keys found. Generate one above.</td></tr>
|
|
<?php else: foreach ($apiKeys as $key): ?>
|
|
<?php $expired = $key['expires_at'] && strtotime($key['expires_at']) < time(); ?>
|
|
<tr id="key-row-<?= (int)$key['api_key_id'] ?>">
|
|
<td data-label="Name"><strong><?= htmlspecialchars($key['key_name']) ?></strong></td>
|
|
<td data-label="Prefix" class="lt-text-xs"><code><?= htmlspecialchars($key['key_prefix']) ?>…</code></td>
|
|
<td data-label="Created By" class="lt-text-xs"><?= htmlspecialchars($key['display_name'] ?? $key['username'] ?? 'Unknown') ?></td>
|
|
<td data-label="Created" class="lt-text-xs lt-text-muted"><?= date('Y-m-d H:i', strtotime($key['created_at'])) ?></td>
|
|
<td data-label="Expires" class="lt-text-xs <?= $expired ? 'lt-text-danger' : 'lt-text-cyan' ?>">
|
|
<?= $key['expires_at'] ? date('Y-m-d', strtotime($key['expires_at'])) . ($expired ? ' (Expired)' : '') : 'Never' ?>
|
|
</td>
|
|
<td data-label="Last Used" class="lt-text-xs lt-text-muted">
|
|
<?= $key['last_used'] ? date('Y-m-d H:i', strtotime($key['last_used'])) : 'Never' ?>
|
|
</td>
|
|
<td data-label="Status">
|
|
<?php if ($key['is_active']): ?>
|
|
<span class="lt-status lt-status-open">Active</span>
|
|
<?php else: ?>
|
|
<span class="lt-status lt-status-closed">Revoked</span>
|
|
<?php endif ?>
|
|
</td>
|
|
<td data-label="Actions">
|
|
<?php if ($key['is_active']): ?>
|
|
<button type="button" class="lt-btn lt-btn-sm lt-btn-danger"
|
|
data-action="revoke-key" data-id="<?= (int)$key['api_key_id'] ?>">REVOKE</button>
|
|
<?php else: ?>
|
|
<span class="lt-text-muted lt-text-xs">—</span>
|
|
<?php endif ?>
|
|
</td>
|
|
</tr>
|
|
<?php endforeach; endif ?>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<!-- API usage -->
|
|
<div class="lt-frame">
|
|
<span class="lt-frame-bl">╚</span><span class="lt-frame-br">╝</span>
|
|
<div class="lt-section-header">API Usage</div>
|
|
<div class="lt-section-body">
|
|
<p class="lt-text-sm lt-text-muted">Include the API key in your requests using the Authorization header:</p>
|
|
<div class="lt-code-block">
|
|
<div class="lt-code-header">
|
|
<span class="lt-code-lang">HTTP HEADER</span>
|
|
<button type="button" class="lt-code-copy lt-btn-sm"
|
|
data-copy="Authorization: Bearer YOUR_API_KEY"
|
|
data-copy-toast>COPY</button>
|
|
</div>
|
|
<pre><code>Authorization: Bearer YOUR_API_KEY</code></pre>
|
|
</div>
|
|
<p class="lt-text-xs lt-text-muted" style="margin-top:0.5rem">
|
|
Example — create a ticket via cURL:<br>
|
|
</p>
|
|
<div class="lt-code-block">
|
|
<div class="lt-code-header"><span class="lt-code-lang">CURL</span></div>
|
|
<pre><code>curl -X POST https://your-instance/api/create_ticket.php \
|
|
-H "Authorization: Bearer YOUR_API_KEY" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"title":"My ticket","category":"General","type":"Issue","priority":3}'</code></pre>
|
|
</div>
|
|
<p class="lt-text-xs lt-text-muted" style="margin-top:0.5rem">API keys provide programmatic access to create and manage tickets. Keep keys secure and rotate them regularly.</p>
|
|
</div>
|
|
</div>
|
|
|
|
<script nonce="<?= $nonce ?>">
|
|
document.addEventListener('click', function (e) {
|
|
var target = e.target.closest('[data-action]');
|
|
if (!target) return;
|
|
switch (target.getAttribute('data-action')) {
|
|
case 'copy-api-key': copyApiKey(); break;
|
|
case 'revoke-key': revokeKey(target.getAttribute('data-id')); break;
|
|
case 'copy-header-example':
|
|
navigator.clipboard.writeText('Authorization: Bearer YOUR_API_KEY')
|
|
.then(function() { lt.toast.success('Copied!'); })
|
|
.catch(function() { lt.toast.error('Copy failed'); });
|
|
break;
|
|
}
|
|
});
|
|
|
|
document.getElementById('generateKeyForm').addEventListener('submit', function (e) {
|
|
e.preventDefault();
|
|
var keyName = document.getElementById('keyName').value.trim();
|
|
var expiresIn = document.getElementById('expiresIn').value;
|
|
if (!keyName) { lt.toast.error('Please enter a key name'); return; }
|
|
lt.api.post('/api/generate_api_key.php', { key_name: keyName, expires_in_days: expiresIn || null })
|
|
.then(function (data) {
|
|
if (data.success) {
|
|
document.getElementById('newKeyValue').value = data.api_key;
|
|
document.getElementById('newKeyDisplay').classList.remove('is-hidden');
|
|
document.getElementById('keyName').value = '';
|
|
lt.toast.success('API key generated!');
|
|
setTimeout(function () { location.reload(); }, 5000);
|
|
} else {
|
|
lt.toast.error(data.error || 'Failed to generate API key');
|
|
}
|
|
}).catch(function (err) { lt.toast.error('Error: ' + err.message); });
|
|
});
|
|
|
|
function copyApiKey() {
|
|
var val = document.getElementById('newKeyValue').value;
|
|
lt.copy(val).then(function () {
|
|
lt.toast.success('Copied to clipboard!');
|
|
}).catch(function () {
|
|
lt.toast.error('Copy failed — select the key manually');
|
|
});
|
|
}
|
|
|
|
function revokeKey(keyId) {
|
|
showConfirmModal('Revoke API Key', 'Revoke this API key? This cannot be undone.', 'error', function () {
|
|
lt.api.post('/api/revoke_api_key.php', { key_id: keyId })
|
|
.then(function (data) {
|
|
if (data.success) { lt.toast.success('API key revoked'); location.reload(); }
|
|
else lt.toast.error(data.error || 'Failed to revoke');
|
|
}).catch(function (err) { lt.toast.error('Error: ' + err.message); });
|
|
});
|
|
}
|
|
|
|
if (window.lt) lt.keys.initDefaults();
|
|
</script>
|
|
|
|
<?php include __DIR__ . '/../../views/layout_footer.php'; ?>
|