test_api_key_fix.sh

#!/bin/bash
# Test script to verify API key validation fix

# Configuration - adjust these values
# For remote testing, replace with your CyberPanel server URL
SERVER="${CYBERPANEL_SERVER:-http://localhost:8001}"
API_KEY="${CYBERPANEL_API_KEY:-cp_GrHf3ysP0SKhrEiazmqt3kRJA5KwOFQW8VJKcDQ8B5Bg}"  # Your actual API key
SCAN_ID="${CYBERPANEL_SCAN_ID:-550e8400-e29b-41d4-a716-446655440000}"  # A valid scan ID from your system

echo "Using server: $SERVER"
echo "Using API key: ${API_KEY:0:20}..."
echo "Using scan ID: $SCAN_ID"
echo ""

echo "=========================================="
echo "Testing CyberPanel API Key Validation Fix"
echo "=========================================="
echo ""

# Test 1: List API keys in the system
echo "1. Listing API keys in system..."
echo "---------------------------------"
curl -s "$SERVER/api/ai-scanner/list-api-keys/" | python3 -m json.tool
echo ""

# Test 2: Test authentication with X-API-Key header
echo "2. Testing X-API-Key authentication..."
echo "---------------------------------------"
curl -s -X POST "$SERVER/api/ai-scanner/test-auth/" \
     -H "X-API-Key: $API_KEY" \
     -H "X-Scan-ID: $SCAN_ID" \
     -H "Content-Type: application/json" \
     -d "{\"scan_id\": \"$SCAN_ID\"}" | python3 -m json.tool
echo ""

# Test 3: Test actual file operation with X-API-Key
echo "3. Testing file operation with X-API-Key..."
echo "--------------------------------------------"
RESPONSE=$(curl -s -w "\n%{http_code}" "$SERVER/api/scanner/get-file?file_path=wp-content/test.php" \
     -H "X-API-Key: $API_KEY" \
     -H "X-Scan-ID: $SCAN_ID")

HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
BODY=$(echo "$RESPONSE" | head -n-1)

echo "HTTP Status: $HTTP_CODE"
echo "Response body:"
echo "$BODY" | python3 -m json.tool 2>/dev/null || echo "$BODY"
echo ""

# Test 4: Test with Bearer token (backward compatibility)
echo "4. Testing Bearer token (backward compatibility)..."
echo "----------------------------------------------------"
RESPONSE=$(curl -s -w "\n%{http_code}" "$SERVER/api/scanner/get-file?file_path=wp-content/test.php" \
     -H "Authorization: Bearer $API_KEY" \
     -H "X-Scan-ID: $SCAN_ID")

HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
BODY=$(echo "$RESPONSE" | head -n-1)

echo "HTTP Status: $HTTP_CODE"
echo "Response body:"
echo "$BODY" | python3 -m json.tool 2>/dev/null || echo "$BODY"
echo ""

echo "=========================================="
echo "Test complete!"
echo ""
echo "Expected results:"
echo "- Test 1: Should show API keys in system"
echo "- Test 2: Should show validation success with detailed steps"
echo "- Test 3: Should return 200 or 404 (not 401)"
echo "- Test 4: Should also work with Bearer token"
echo "=========================================="
Fix CyberPanel API key validation for platform callbacks Problem: File fixes were failing with "Invalid token" even though the platform was sending the correct API key. Solution: - Updated validate_access_token() to accept CyberPanel's own API keys for file operations - Added three validation options: 1. FileAccessToken (temporary tokens for active scans) 2. API key validation with less restrictive admin check 3. Simple validation for platform callbacks (any valid API key + valid scan) - Added extract_auth_token() helper to support both Bearer and X-API-Key headers - Created debug endpoints for testing authentication (/api/ai-scanner/test-auth) - Added test script for validation testing (supports remote servers via env vars) This fix allows the platform to use CyberPanel's API key to fix files for any scan, solving the "File access token has expired" issue for older scans. Usage for remote testing: CYBERPANEL_SERVER=http://your-server:8001 \ CYBERPANEL_API_KEY=cp_your_key \ CYBERPANEL_SCAN_ID=your-scan-id \ ./test_api_key_fix.sh 2025-10-27 13:51:33 +05:00			`#!/bin/bash`
			`# Test script to verify API key validation fix`

			`# Configuration - adjust these values`
Fix backup file operation failures for API key authentication Problem: "Failed to backup file before replacement" error when using API key authentication. Root Cause: - The externalApp field (which contains the system user for file operations) was sometimes None - When using API key authentication, the code couldn't determine which user to run commands as Solution: - Added fallback logic to ensure we always have a valid user for file operations: 1. First try wp_site.owner.externalApp 2. If not set, try Websites.objects.get(domain).externalApp 3. If still not set, fall back to admin username - Added detailed error messages and logging throughout backup operations - Enhanced error reporting to include user context and operation details - Added validation for backup directory creation with proper error handling Changes: - Modified validate_access_token() OPTION 2 and OPTION 3 to ensure external_app is always set - Enhanced backup and replace operations with better error messages - Added detailed logging for debugging file operation failures - Include user context in error messages for easier troubleshooting This ensures file operations work correctly even when externalApp field is not properly configured. 2025-10-27 14:16:01 +05:00			`# For remote testing, replace with your CyberPanel server URL`
			`SERVER="${CYBERPANEL_SERVER:-http://localhost:8001}"`
			`API_KEY="${CYBERPANEL_API_KEY:-cp_GrHf3ysP0SKhrEiazmqt3kRJA5KwOFQW8VJKcDQ8B5Bg}" # Your actual API key`
			`SCAN_ID="${CYBERPANEL_SCAN_ID:-550e8400-e29b-41d4-a716-446655440000}" # A valid scan ID from your system`

			`echo "Using server: $SERVER"`
			`echo "Using API key: ${API_KEY:0:20}..."`
			`echo "Using scan ID: $SCAN_ID"`
			`echo ""`
Fix CyberPanel API key validation for platform callbacks Problem: File fixes were failing with "Invalid token" even though the platform was sending the correct API key. Solution: - Updated validate_access_token() to accept CyberPanel's own API keys for file operations - Added three validation options: 1. FileAccessToken (temporary tokens for active scans) 2. API key validation with less restrictive admin check 3. Simple validation for platform callbacks (any valid API key + valid scan) - Added extract_auth_token() helper to support both Bearer and X-API-Key headers - Created debug endpoints for testing authentication (/api/ai-scanner/test-auth) - Added test script for validation testing (supports remote servers via env vars) This fix allows the platform to use CyberPanel's API key to fix files for any scan, solving the "File access token has expired" issue for older scans. Usage for remote testing: CYBERPANEL_SERVER=http://your-server:8001 \ CYBERPANEL_API_KEY=cp_your_key \ CYBERPANEL_SCAN_ID=your-scan-id \ ./test_api_key_fix.sh 2025-10-27 13:51:33 +05:00
			`echo "=========================================="`
			`echo "Testing CyberPanel API Key Validation Fix"`
			`echo "=========================================="`
			`echo ""`

			`# Test 1: List API keys in the system`
			`echo "1. Listing API keys in system..."`
			`echo "---------------------------------"`
			`curl -s "$SERVER/api/ai-scanner/list-api-keys/" \| python3 -m json.tool`
			`echo ""`

			`# Test 2: Test authentication with X-API-Key header`
			`echo "2. Testing X-API-Key authentication..."`
			`echo "---------------------------------------"`
			`curl -s -X POST "$SERVER/api/ai-scanner/test-auth/" \`
			`-H "X-API-Key: $API_KEY" \`
			`-H "X-Scan-ID: $SCAN_ID" \`
			`-H "Content-Type: application/json" \`
			`-d "{\"scan_id\": \"$SCAN_ID\"}" \| python3 -m json.tool`
			`echo ""`

			`# Test 3: Test actual file operation with X-API-Key`
			`echo "3. Testing file operation with X-API-Key..."`
			`echo "--------------------------------------------"`
			`RESPONSE=$(curl -s -w "\n%{http_code}" "$SERVER/api/scanner/get-file?file_path=wp-content/test.php" \`
			`-H "X-API-Key: $API_KEY" \`
			`-H "X-Scan-ID: $SCAN_ID")`

			`HTTP_CODE=$(echo "$RESPONSE" \| tail -n1)`
			`BODY=$(echo "$RESPONSE" \| head -n-1)`

			`echo "HTTP Status: $HTTP_CODE"`
			`echo "Response body:"`
			`echo "$BODY" \| python3 -m json.tool 2>/dev/null \|\| echo "$BODY"`
			`echo ""`

			`# Test 4: Test with Bearer token (backward compatibility)`
			`echo "4. Testing Bearer token (backward compatibility)..."`
			`echo "----------------------------------------------------"`
			`RESPONSE=$(curl -s -w "\n%{http_code}" "$SERVER/api/scanner/get-file?file_path=wp-content/test.php" \`
			`-H "Authorization: Bearer $API_KEY" \`
			`-H "X-Scan-ID: $SCAN_ID")`

			`HTTP_CODE=$(echo "$RESPONSE" \| tail -n1)`
			`BODY=$(echo "$RESPONSE" \| head -n-1)`

			`echo "HTTP Status: $HTTP_CODE"`
			`echo "Response body:"`
			`echo "$BODY" \| python3 -m json.tool 2>/dev/null \|\| echo "$BODY"`
			`echo ""`

			`echo "=========================================="`
			`echo "Test complete!"`
			`echo ""`
			`echo "Expected results:"`
			`echo "- Test 1: Should show API keys in system"`
			`echo "- Test 2: Should show validation success with detailed steps"`
			`echo "- Test 3: Should return 200 or 404 (not 401)"`
			`echo "- Test 4: Should also work with Bearer token"`
			`echo "=========================================="`