Quote wizard: fix API URL and suPHP auth header handling
- Change production API URL from /msp-api to /quote/api - Switch admin auth to X-Api-Key header as primary (suPHP strips Authorization) - Keep Bearer token as fallback for PHP-FPM environments Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1 +1 @@
|
|||||||
VITE_API_URL=/msp-api
|
VITE_API_URL=/quote/api
|
||||||
|
|||||||
@@ -25,26 +25,23 @@ require_once __DIR__ . '/../services/syncro_service.php';
|
|||||||
*/
|
*/
|
||||||
function check_admin_auth(): void
|
function check_admin_auth(): void
|
||||||
{
|
{
|
||||||
$header = $_SERVER['HTTP_AUTHORIZATION']
|
// suPHP strips the Authorization header, so accept X-Api-Key as primary
|
||||||
?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
|
$token = $_SERVER['HTTP_X_API_KEY'] ?? '';
|
||||||
?? '';
|
|
||||||
|
|
||||||
// Apache CGI/suPHP may strip Authorization header; check env var fallback
|
// Fallback: try Authorization: Bearer {key} (works with PHP-FPM)
|
||||||
if (empty($header) && !empty(getenv('HTTP_AUTHORIZATION'))) {
|
if (empty($token)) {
|
||||||
$header = getenv('HTTP_AUTHORIZATION');
|
$header = $_SERVER['HTTP_AUTHORIZATION']
|
||||||
|
?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
|
||||||
|
?? '';
|
||||||
|
if (!empty($header) && strpos($header, 'Bearer ') === 0) {
|
||||||
|
$token = substr($header, 7);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (empty($header)) {
|
if (empty($token)) {
|
||||||
error_response('Authorization header required', 401);
|
error_response('API key required. Send X-Api-Key header.', 401);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract bearer token
|
|
||||||
if (strpos($header, 'Bearer ') !== 0) {
|
|
||||||
error_response('Invalid authorization format. Expected: Bearer {api_key}', 401);
|
|
||||||
}
|
|
||||||
|
|
||||||
$token = substr($header, 7);
|
|
||||||
|
|
||||||
if (ADMIN_API_KEY === 'CHANGE_ME_PLACEHOLDER') {
|
if (ADMIN_API_KEY === 'CHANGE_ME_PLACEHOLDER') {
|
||||||
app_log('WARNING', '[WARNING] Admin API key is not configured (still placeholder)');
|
app_log('WARNING', '[WARNING] Admin API key is not configured (still placeholder)');
|
||||||
error_response('Admin API key not configured on server', 500);
|
error_response('Admin API key not configured on server', 500);
|
||||||
|
|||||||
Reference in New Issue
Block a user