From 068888202c4f7d8e5a8caa7aeb5075a3b66c0271 Mon Sep 17 00:00:00 2001
From: Mike Swanson
Date: Thu, 12 Mar 2026 21:31:40 -0700
Subject: [PATCH] Quote wizard: fix API URL and suPHP auth header handling

- Change production API URL from /msp-api to /quote/api
- Switch admin auth to X-Api-Key header as primary (suPHP strips Authorization)
- Keep Bearer token as fallback for PHP-FPM environments

Co-Authored-By: Claude Opus 4.6
---
 .../quote-wizard/frontend/.env.production | 2 +-
 .../quote-wizard/php-api/api/routes/admin.php | 27 +++++++++----------
 2 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/projects/msp-tools/quote-wizard/frontend/.env.production b/projects/msp-tools/quote-wizard/frontend/.env.production
index a5e0890..d25809d 100644
--- a/projects/msp-tools/quote-wizard/frontend/.env.production
+++ b/projects/msp-tools/quote-wizard/frontend/.env.production
@@ -1 +1 @@
-VITE_API_URL=/msp-api
+VITE_API_URL=/quote/api
diff --git a/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php b/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php
index b87bb06..ae02d57 100644
--- a/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php
+++ b/projects/msp-tools/quote-wizard/php-api/api/routes/admin.php
@@ -25,26 +25,23 @@ require_once __DIR__ . '/../services/syncro_service.php';
 */
 function check_admin_auth(): void {
- $header = $_SERVER['HTTP_AUTHORIZATION']
- ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
- ?? '';
+ // suPHP strips the Authorization header, so accept X-Api-Key as primary
+ $token = $_SERVER['HTTP_X_API_KEY'] ?? '';
- // Apache CGI/suPHP may strip Authorization header; check env var fallback
- if (empty($header) && !empty(getenv('HTTP_AUTHORIZATION'))) {
- $header = getenv('HTTP_AUTHORIZATION');
+ // Fallback: try Authorization: Bearer {key} (works with PHP-FPM)
+ if (empty($token)) {
+ $header = $_SERVER['HTTP_AUTHORIZATION']
+ ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
+ ?? '';
+ if (!empty($header) && strpos($header, 'Bearer ') === 0) {
+ $token = substr($header, 7);
+ }
 }
- if (empty($header)) {
- error_response('Authorization header required', 401);
+ if (empty($token)) {
+ error_response('API key required. Send X-Api-Key header.', 401);
 }
- // Extract bearer token
- if (strpos($header, 'Bearer ') !== 0) {
- error_response('Invalid authorization format. Expected: Bearer {api_key}', 401);
- }
-
- $token = substr($header, 7);
-
 if (ADMIN_API_KEY === 'CHANGE_ME_PLACEHOLDER') {
 app_log('WARNING', '[WARNING] Admin API key is not configured (still placeholder)');
 error_response('Admin API key not configured on server', 500);
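Review bot: The `$token` taken from `HTTP_X_API_KEY` is handed to the comparison against ADMIN_API_KEY that happens below this hunk (check_admin_auth continues past the last line shown); if that comparison is `===` or `==`, it should be `hash_equals(ADMIN_API_KEY, $token)` so the secret is compared in constant time, and `==` would additionally apply PHP's loose numeric-string rules to the key. In the Bearer fallback, `strpos($header, 'Bearer ') === 0` makes the scheme name case-sensitive and trips on a second space before the key, even though RFC 7235 treats the auth-scheme as case-insensitive; `if (preg_match('/^Bearer\s+(\S+)\s*$/i', $header, $m)) { $token = $m[1]; }` handles both while still accepting the single-token keys the current check accepts. Because a configured key of `'0'` would also be rejected by `empty($token)`, `$token === ''` is the safer emptiness test in both the fallback guard and the 401 check.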