diff --git a/projects/msp-tools/quote-wizard/frontend/.env.production b/projects/msp-tools/quote-wizard/frontend/.env.production
index a5e0890..d25809d 100644
--- a/projects/msp-tools/quote-wizard/frontend/.env.production
+++ b/projects/msp-tools/quote-wizard/frontend/.env.production
@@ -1 +1 @@
-VITE_API_URL=/msp-api
+VITE_API_URL=/quote/api
diff --git a/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php b/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php
index b87bb06..ae02d57 100644
--- a/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php
+++ b/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php
@@ -25,26 +25,23 @@ require_once __DIR__ . '/../services/syncro_service.php';
  */
 function check_admin_auth(): void
 {
-    $header = $_SERVER['HTTP_AUTHORIZATION']
-        ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
-        ?? '';
+    // suPHP strips the Authorization header, so accept X-Api-Key as primary
+    $token = $_SERVER['HTTP_X_API_KEY'] ?? '';
 
-    // Apache CGI/suPHP may strip Authorization header; check env var fallback
-    if (empty($header) && !empty(getenv('HTTP_AUTHORIZATION'))) {
-        $header = getenv('HTTP_AUTHORIZATION');
+    // Fallback: try Authorization: Bearer {key} (works with PHP-FPM)
+    if (empty($token)) {
+        $header = $_SERVER['HTTP_AUTHORIZATION']
+            ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
+            ?? '';
+        if (!empty($header) && strpos($header, 'Bearer ') === 0) {
+            $token = substr($header, 7);
+        }
     }
 
-    if (empty($header)) {
-        error_response('Authorization header required', 401);
+    if (empty($token)) {
+        error_response('API key required. Send X-Api-Key header.', 401);
     }
 
-    // Extract bearer token
-    if (strpos($header, 'Bearer ') !== 0) {
-        error_response('Invalid authorization format. Expected: Bearer {api_key}', 401);
-    }
-
-    $token = substr($header, 7);
-
     if (ADMIN_API_KEY === 'CHANGE_ME_PLACEHOLDER') {
         app_log('WARNING', '[WARNING] Admin API key is not configured (still placeholder)');
         error_response('Admin API key not configured on server', 500);
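Review bot: Both new `empty($token)` checks (and `!empty($header)` in the fallback branch) treat the string `'0'` as absent, so a key that happens to be that value is answered with a 401 even though it was sent; an explicit string comparison is what the code means, `if ($token === '') {` and `if ($header !== '' && str_starts_with($header, 'Bearer ')) {` (`str_starts_with` needs PHP 8.0+; keep the `strpos(...) === 0` form otherwise). The value taken from `X-Api-Key` is used untrimmed while the Bearer path drops only the scheme prefix, so a client that sends trailing whitespace in one header but not the other will authenticate inconsistently; a `trim()` on `$token` before the emptiness check would make both paths behave the same. check_admin_auth continues past the hunk, so the comparison of `$token` against `ADMIN_API_KEY` is not visible here; if it is a plain `===`, `hash_equals(ADMIN_API_KEY, $token)` is the form to use. Unless `error_response` logs on its own, the 401 path emits no `app_log` entry, which leaves repeated failed admin-auth attempts invisible in the application log while a misconfigured key on the 500 path is logged.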