From 41df4c4b9fb4710ac68dbaf2a457938c17334a57 Mon Sep 17 00:00:00 2001
From: wrongecho <marcus@itflow.org>
Date: Thu, 15 Jan 2026 11:37:17 +0000
Subject: [PATCH] API Keys - Revoke then Delete

---
 admin/api_keys.php      | 15 +++++++++++----
 admin/post/api_keys.php | 21 +++++++++++++++++++++
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/admin/api_keys.php b/admin/api_keys.php
index c1ef53d6..eb21404c 100644
--- a/admin/api_keys.php
+++ b/admin/api_keys.php
@@ -49,7 +49,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                             <div class="dropdown-menu">
                                 <button class="dropdown-item text-danger text-bold"
                                         type="submit" form="bulkActions" name="bulk_delete_api_keys">
-                                    <i class="fas fa-fw fa-trash mr-2"></i>Revoke
+                                    <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                 </button>
                             </div>
                         </div>
@@ -139,9 +139,16 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                         <i class="fas fa-ellipsis-h"></i>
                                     </button>
                                     <div class="dropdown-menu">
-                                        <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_api_key=<?php echo $api_key_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
-                                            <i class="fas fa-fw fa-times mr-2"></i>Revoke
-                                        </a>
+                                        <?php if ($api_key_expire > date("Y-m-d H:i:s")) { ?>
+                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?revoke_api_key=<?php echo $api_key_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
+                                                <i class="fas fa-fw fa-times mr-2"></i>Revoke
+                                            </a>
+                                        <?php } ?>
+                                        <?php if ($api_key_expire < date("Y-m-d H:i:s")) { ?>
+                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_api_key=<?php echo $api_key_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
+                                                <i class="fas fa-fw fa-times mr-2"></i>Delete
+                                            </a>
+                                        <?php } ?>
                                     </div>
                                 </div>
                             </td>
diff --git a/admin/post/api_keys.php b/admin/post/api_keys.php
index 5d383fa5..6b500166 100644
--- a/admin/post/api_keys.php
+++ b/admin/post/api_keys.php
@@ -31,6 +31,27 @@ if (isset($_POST['add_api_key'])) {
 
 }
 
+if (isset($_GET['revoke_api_key'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+    $api_key_id = intval($_GET['revoke_api_key']);
+
+    // Get API Key Name
+    $row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT api_key_name, api_key_client_id FROM api_keys WHERE api_key_id = $api_key_id"));
+    $api_key_name = sanitizeInput($row['api_key_name']);
+    $client_id = intval($row['api_key_client_id']);
+
+    mysqli_query($mysqli,"UPDATE api_keys SET api_key_expire = NOW() WHERE api_key_id = $api_key_id");
+
+    logAction("API Key", "Revoke", "$session_name revoked API key $name", $client_id);
+
+    flash_alert("API Key <strong>$name</strong> revoked", 'error');
+
+    redirect();
+
+}
+
 if (isset($_GET['delete_api_key'])) {
 
     validateCSRFToken($_GET['csrf_token']);