From 34ea14d34e1403034ea6560a0d10f4f773b16fb6 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Wed, 13 Feb 2019 22:07:15 -0700
Subject: [PATCH] Add API key manager
---
 action.php | 24 +++++++++++++++++++
 app.php | 2 +-
 langs/en/actions.json | 3 ++-
 langs/en/apikeys.json | 10 ++++++++
 langs/en/titles.json | 3 ++-
 langs/messages.php | 16 +++++++++++++
 pages.php | 17 +++++++++++++
 pages/addapikey.php | 24 +++++++++++++++++++
 pages/apikeys.php | 55 +++++++++++++++++++++++++++++++++++++++++++
 settings.template.php | 2 ++
 static/js/apikeys.js | 30 +++++++++++++++++++++++
 11 files changed, 183 insertions(+), 3 deletions(-)
 create mode 100644 langs/en/apikeys.json
 create mode 100644 pages/addapikey.php
 create mode 100644 pages/apikeys.php
 create mode 100644 static/js/apikeys.js
diff --git a/action.php b/action.php
index 489b287..4192397 100644
--- a/action.php
+++ b/action.php
@@ -241,6 +241,30 @@ switch ($VARS['action']) {
 require_once __DIR__ . "/lib/reports.php";
 generateReport($VARS['type'], $VARS['format']);
 break;
+ case "revokeapikey":
+ if (empty($VARS['key'])) {
+ returnToSender("invalid_parameters");
+ }
+ if ($VARS['key'] == $SETTINGS['accounthub']['key']) {
+ returnToSender("cannot_revoke_key_in_use");
+ }
+ $database->delete("apikeys", ['key' => $VARS['key'], "LIMIT" => 1]);
+ returnToSender("api_key_revoked");
+ break;
+ case "addapikey":
+ if (empty($VARS['key']) || empty($VARS['type'])) {
+ returnToSender("invalid_parameters");
+ }
+ $keytypes = ["NONE", "AUTH", "READ", "FULL"];
+ if (!in_array($VARS['type'], $keytypes)) {
+ returnToSender("invalid_parameters");
+ }
+ if ($database->has("apikeys", ["key" => $VARS['key']])) {
+ returnToSender("key_already_exists");
+ }
+ $database->insert("apikeys", ["key" => $VARS['key'], "notes" => $VARS['notes'], "type" => $VARS['type']]);
+ returnToSender("api_key_added");
+ break;
 case "signout":
 session_destroy();
 header('Location: index.php?logout=1');
diff --git a/app.php b/app.php
index ec29f6b..d17bb25 100644
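Review bot: Neither `revokeapikey` nor `addapikey` in action.php checks that `$VARS['key']` is a string, so an array-valued parameter passes `empty()`, never equals `$SETTINGS['accounthub']['key']` under `==`, and is handed to `$database->delete()` / `$database->insert()` as-is; what the query builder does with such a value is not visible here, but the in-use guard should not depend on it. Adding `if (!is_string($VARS['key'])) { returnToSender("invalid_parameters"); }` at the top of both cases, then comparing with `hash_equals($SETTINGS['accounthub']['key'], $VARS['key'])` and `in_array($VARS['type'], $keytypes, true)`, closes that. `addapikey` also accepts any non-empty string as a key, including a short one for type `FULL`, and reads `$VARS['notes']` without a default; a server-side minimum length and `$VARS['notes'] ?? ''` would cover both. The switch begins outside the hunk, so whether a permission and CSRF check precedes these two state-changing cases cannot be confirmed from the lines shown.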
--- a/app.php
+++ b/app.php
@@ -115,7 +115,7 @@ END; var navbar_breakpoint = \"$navbar_breakpoint\";"
diff --git a/langs/en/actions.json b/langs/en/actions.json
index c03ccd4..cdc51d4 100644
--- a/langs/en/actions.json
+++ b/langs/en/actions.json
@@ -1,5 +1,6 @@
 {
 "Edit": "Edit",
 "cancel": "Cancel",
- "Choose a user": "Choose a user"
+ "Choose a user": "Choose a user",
+ "Add Key": "Add Key"
 }
diff --git a/langs/en/apikeys.json b/langs/en/apikeys.json
new file mode 100644
index 0000000..4267f72
--- /dev/null
+++ b/langs/en/apikeys.json
@@ -0,0 +1,10 @@
+{
+ "Key": "Key",
+ "Type": "Type",
+ "Notes": "Notes",
+ "Revoke": "Revoke",
+ "Cannot revoke that API key, you would lose access to ManagePanel.": "Cannot revoke that API key, you would lose access to ManagePanel.",
+ "API key revoked.": "API key revoked.",
+ "That API key already exists.": "That API key already exists.",
+ "API key added.": "API key added."
+}
diff --git a/langs/en/titles.json b/langs/en/titles.json
index 08213b3..84a7acd 100644
--- a/langs/en/titles.json
+++ b/langs/en/titles.json
@@ -5,5 +5,6 @@
 "Security": "Security",
 "Security Log": "Security Log",
 "Managers": "Managers",
- "Permissions": "Permissions"
+ "Permissions": "Permissions",
+ "API Keys": "API Keys"
 }
diff --git a/langs/messages.php b/langs/messages.php
index f4dab9e..8f3e4dd 100644
--- a/langs/messages.php
+++ b/langs/messages.php
@@ -93,4 +93,20 @@ define("MESSAGES", [
 "string" => "group already exists",
 "type" => "danger"
 ],
+ "cannot_revoke_key_in_use" => [
+ "string" => "Cannot revoke that API key, you would lose access to ManagePanel.",
+ "type" => "danger"
+ ],
+ "api_key_revoked" => [
+ "string" => "API key revoked.",
+ "type" => "success"
+ ],
+ "key_already_exists" => [
+ "string" => "That API key already exists.",
+ "type" => "warning"
+ ],
+ "api_key_added" => [
+ "string" => "API key added.",
+ "type" => "success"
+ ],
 ]);
diff --git a/pages.php b/pages.php
index d04a158..e2eab04 100644
--- a/pages.php
+++ b/pages.php
@@ -96,6 +96,23 @@ define("PAGES", [
 "static/js/export.js"
 ]
 ],
+ "apikeys" => [
+ "title" => "API Keys",
+ "navbar" => true,
+ "icon" => "fas fa-server",
+ "styles" => [
+ "static/css/datatables.min.css",
+ "static/css/tables.css"
+ ],
+ "scripts" => [
+ "static/js/datatables.min.js",
+ "static/js/apikeys.js"
+ ],
+ ],
+ "addapikey" => [
+ "title" => "Add Key",
+ "navbar" => false
+ ],
 "404" => [
 "title" => "404 error"
 ]
diff --git a/pages/addapikey.php b/pages/addapikey.php
new file mode 100644
index 0000000..0ca40b2
--- /dev/null
+++ b/pages/addapikey.php
@@ -0,0 +1,24 @@
+get("Add Key", false), "fas fa-plus");
+
+$form->addInput("key", $key, "text", true, "key", null, $Strings->get("Key", false), "fas fa-key", 12, 20);
+
+$form->addInput("type", "", "select", true, "type", ["NONE" => "NONE", "AUTH" => "AUTH", "READ" => "READ", "FULL" => "FULL"], $Strings->get("Type", false), "fas fa-list", 6);
+
+$form->addInput("notes", "", "textarea", false, "notes", null, $Strings->get("Notes", false), "fas fa-sticky-note", 6);
+
+$form->addButton($Strings->get("Add Key", false), "fas fa-save", null, "submit", null, null, "", "btn btn-success");
+
+$form->addHiddenInput("action", "addapikey");
+$form->addHiddenInput("source", "apikeys");
+
+$form->generate();
diff --git a/pages/apikeys.php b/pages/apikeys.php
new file mode 100644
index 0000000..0884bf7
--- /dev/null
+++ b/pages/apikeys.php
@@ -0,0 +1,55 @@
+
+ get("Add Key"); ?> +
+ + + + + + + + + + + + select("apikeys", ["key", "notes", "type"]); + foreach ($keys as $key) { + if ($SETTINGS['hide_api_key_in_use'] && $key['key'] == $SETTINGS['accounthub']['key']) { + continue; + } + ?> + + + + + + + + + + + + + + + + + +
get('actions'); ?> get('Key'); ?> get('Type'); ?> get('Notes'); ?>
+ + + + +
get('actions'); ?> get('Key'); ?> get('Type'); ?> get('Notes'); ?>
\ No newline at end of file
diff --git a/settings.template.php b/settings.template.php
index d7b2d66..04e535c 100644
--- a/settings.template.php
+++ b/settings.template.php
@@ -50,6 +50,8 @@ $SETTINGS = [
 "permissions" => [
 "ADMIN"
 ],
+ // Set to true to hide the API key in use by ManagePanel from the editor.
+ "hide_api_key_in_use" => false,
 // For supported values, see http://php.net/manual/en/timezones.php
 "timezone" => "America/Denver",
 // Language to use for localization. See langs folder to add a language.
diff --git a/static/js/apikeys.js b/static/js/apikeys.js
new file mode 100644
index 0000000..d94f414
--- /dev/null
+++ b/static/js/apikeys.js
@@ -0,0 +1,30 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+$('#apikeytable').DataTable({
+ responsive: {
+ details: {
+ display: $.fn.dataTable.Responsive.display.modal({
+ header: function (row) {
+ var data = row.data();
+ return " " + data[1];
+ }
+ }),
+ renderer: $.fn.dataTable.Responsive.renderer.tableAll({
+ tableClass: 'table'
+ }),
+ type: "column"
+ }
+ },
+ columnDefs: [
+ {
+ targets: 0,
+ className: 'control',
+ orderable: false
+ }
+ ],
+ order: [
+ [1, 'desc']
+ ],
+});
\ No newline at end of file
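Review bot: In pages/apikeys.php the loop reads `$SETTINGS['hide_api_key_in_use']` directly, but this commit adds that key only to settings.template.php, so an existing settings.php without it raises an undefined-index notice on every page load; `if (!empty($SETTINGS['hide_api_key_in_use']) && $key['key'] === $SETTINGS['accounthub']['key'])` handles the missing key and replaces the loose `==`. The table cells that print `key`, `type` and `notes` are not legible in this copy of the hunk; because `notes` is stored exactly as submitted by the `addapikey` action, each cell should be emitted through `htmlspecialchars($key['notes'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` if it is not already. The page also appears to list every key in full to anyone who can open it, so showing only a prefix of each key is worth considering, and a comment above the `continue` stating that hiding is display-only while the revoke guard lives in action.php would help the next reader.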