
Api improvements #1344

Draft
Zastinian wants to merge 22 commits into Ctrlpanel-gg:development from Zastinian:feature/Api-Improvements

Conversation

@Zastinian

Contributor

API Security, Consistency, and Performance Improvements

Overview

This PR enhances the Laravel-based ControlPanel system with secure, permission-aware APIs, consistent response structures, robust error handling, and performance optimizations.

Changes Made

1. Authentication & Security

  • Rate Limiting: Implemented 60 requests per minute on all API routes
  • Token Scopes/Permissions: Added permissions JSON field to application_apis table
  • Token Validity Controls: Added is_active and expires_at fields
  • No Privilege Escalation: Token permissions cannot exceed creator's permissions
  • Token Visibility: Tokens only shown once at creation, with regeneration flow
  • Regeneration: Validates user has all required permissions before regenerating token

2. Response Consistency

  • Standardized all JSON responses to include: success, data, error, meta
  • Added pagination metadata to all list responses: current_page, total, last_page, per_page, from, to
  • Created ApiResponseService for consistent response handling
  • Created ApiResponseResource for resource-based responses

3. Error Handling

  • Standardized error responses with code and message fields
  • Implemented consistent error codes:
    • MISSING_AUTHORIZATION_HEADER
    • INVALID_TOKEN
    • TOKEN_INACTIVE
    • TOKEN_EXPIRED
    • INSUFFICIENT_PERMISSIONS
    • PERMISSION_ESCALATION
    • RATE_LIMIT_EXCEEDED
    • VALIDATION_ERROR
    • RESOURCE_NOT_FOUND
    • RESOURCE_ALREADY_SUSPENDED
    • RESOURCE_NOT_SUSPENDED
    • PTERODACTYL_ERROR
    • INTERNAL_ERROR
    • REGENERATION_DENIED

4. Endpoint Fixes

  • ServerController: Fixed store method to return 201 status code instead of 401
  • UserController: Removed unused $data variable in destroy method
  • Sorting: Added allowedSorts to all controllers

5. Performance Optimizations

  • Implemented allowedSorts in all controllers
  • Limited per_page to maximum of 100
  • Added field selection support via Spatie QueryBuilder

6. Query & Update Improvements

  • Made validation rules more flexible (partial updates supported)
  • Removed unnecessary required fields in update requests
  • Support PATCH-like behavior for updates

7. Permissions & Token Behavior

  • Enforced permission checks on all API endpoints
  • Tokens only expose permissions the user has
  • When roles/permissions change, affected tokens are revalidated
  • Created ApiPermissionCheck middleware

8. Frontend Updates

  • Updated API creation form to support permissions and expiration
  • Updated API edit form to show active status, permissions, and regenerate button
  • Added token display on creation/regeneration (shown only once)
  • Updated index view to show active/inactive status

Database Changes

  • Migration: 2026_05_02_000001_add_security_fields_to_application_apis_table.php
    • Added: is_active (boolean, default true)
    • Added: expires_at (timestamp, nullable)
    • Added: permissions (json, nullable)
    • Added: created_by (foreign key to users, nullable)

Files Modified

Backend

  • app/Models/ApplicationApi.php - Added token validation, permission checks
  • app/Http/Middleware/ApiAuthToken.php - Enhanced with token validity checks
  • app/Http/Middleware/ApiPermissionCheck.php - New middleware for permission checks
  • app/Http/Kernel.php - Added middleware, rate limiting
  • app/Services/ApiResponseService.php - New service for consistent responses
  • app/Exceptions/ApiErrorCode.php - New error codes definition
  • app/Http/Resources/ApiResponseResource.php - New resource wrapper
  • app/Http/Controllers/Api/UserController.php - Updated all methods
  • app/Http/Controllers/Api/ServerController.php - Updated all methods
  • app/Http/Controllers/Api/VoucherController.php - Updated all methods
  • app/Http/Controllers/Api/RoleController.php - Updated all methods
  • app/Http/Controllers/Api/ProductController.php - Updated all methods
  • app/Http/Controllers/Api/NotificationController.php - Updated all methods
  • app/Http/Controllers/Admin/ApplicationApiController.php - Added regeneration, permissions
  • app/Http/Requests/Api/Users/UpdateUserRequest.php - Made fields optional
  • app/Http/Requests/Api/Servers/UpdateServerRequest.php - Made user_id optional

Frontend

  • themes/default/views/admin/api/create.blade.php - Added permissions, expiration
  • themes/default/views/admin/api/edit.blade.php - Added regenerate, status toggle
  • themes/default/views/admin/api/index.blade.php - Shows active/inactive status

Routes

  • routes/api.php - Added rate limiting middleware
  • routes/web.php - Added regenerate route

Breaking Changes

  • All API responses now follow new structure (success, data, error, meta)
  • Frontend code consuming APIs must be updated to handle new response format
  • Tokens without permissions now have null instead of [] for full access

Migration Required

php artisan migrate
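As an added example (not code from this PR or from CtrlPanel), a framework-free PHP sketch of the checks the description lists: active/expiry validation, the no-privilege-escalation rule measured against the creator's permissions, and the success/data/error/meta envelope carrying the PR's error codes. Class, function and permission names are assumptions, PHP 8.1 or newer is assumed, and null permissions are read as "the creator's full set", which is one reading of the PR's null-means-full-access note.

```php
<?php
// Added example, not code from the PR: a framework-free sketch of the token
// checks the PR description lists. Class and permission names are assumptions.
final class ApiToken
{
    public function __construct(
        public readonly bool $isActive,
        public readonly ?DateTimeImmutable $expiresAt,
        public readonly ?array $permissions,        // null: full access (creator's set)
        public readonly array $creatorPermissions,  // what the creating user holds
    ) {}
    // Effective permission set; null is read as "everything the creator has".
    public function granted(): array
    {
        return $this->permissions ?? $this->creatorPermissions;
    }

    // "No privilege escalation": names the token carries but its creator does not.
    public function escalated(): array
    {
        return array_values(array_diff($this->granted(), $this->creatorPermissions));
    }
}

// Error envelope in the PR's success/data/error/meta shape.
function apiError(string $code, string $message, int $status): array
{
    return ['success' => false, 'data' => null, 'meta' => ['status' => $status], 'error' => ['code' => $code, 'message' => $message]];
}

// Null means the request may proceed; otherwise the envelope to send back.
function authorize(?ApiToken $token, string $required, DateTimeImmutable $now): ?array
{
    if ($token === null) {
        return apiError('MISSING_AUTHORIZATION_HEADER', 'No bearer token supplied', 401);
    }
    if (!$token->isActive) {
        return apiError('TOKEN_INACTIVE', 'Token has been deactivated', 401);
    }
    if ($token->expiresAt !== null && $token->expiresAt <= $now) {
        return apiError('TOKEN_EXPIRED', 'Token expired ' . $token->expiresAt->format(DATE_ATOM), 401);
    }
    if ($token->escalated() !== []) {  // checked per request, so later role changes take effect
        return apiError('PERMISSION_ESCALATION', 'Token exceeds creator: ' . implode(',', $token->escalated()), 403);
    }
    if (!in_array($required, $token->granted(), true)) {
        return apiError('INSUFFICIENT_PERMISSIONS', "Missing permission: $required", 403);
    }
    return null;
}
```

Calling authorize() with a token whose permissions list a name its creator no longer holds returns the PERMISSION_ESCALATION envelope even when the requested permission itself is still granted, which is the per-request revalidation the PR describes for role changes.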

Zastinian added 20 commits May 2, 2026 15:35
@github-actions

github-actions Bot commented May 2, 2026


All contributors have signed the CLA! ✅

Thank you for taking the time to complete this step. We'll now proceed with reviewing your pull request. We appreciate your contribution to Ctrlpanel! 🙌
Posted by the CLA Assistant Lite bot.

@Zastinian

Contributor Author

I have read and agree to the CLA.

github-actions Bot added a commit that referenced this pull request May 2, 2026
@1day2die 1day2die requested a review from Copilot May 2, 2026 22:33
@MrWeez MrWeez added the Blocked Cannot progress because of external reasons label May 2, 2026

Copilot AI left a comment

Contributor

Pull request overview

This PR strengthens and standardizes the ControlPanel’s Laravel APIs by introducing token validity/permissions enforcement, consistent JSON response envelopes, and broad controller updates (plus admin UI for managing API tokens).

Changes:

  • Added API token security fields (active/expiry/permissions/creator) and middleware for token validation + permission checks.
  • Standardized API responses via ApiResponseService + ApiErrorCode, and updated multiple API controllers to use the new format with pagination metadata.
  • Updated admin UI/routes to manage token status/permissions and support token regeneration.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 12 comments.

Summary per file:

  • themes/default/views/admin/api/index.blade.php - Adds token “Status” column to the admin API token list.
  • themes/default/views/admin/api/create.blade.php - Adds expiry + permissions selection and intended “show token once” UI.
  • themes/default/views/admin/api/edit.blade.php - Adds active toggle, expiry, permissions selection, and regenerate-token UI.
  • routes/web.php - Adds admin route to regenerate API tokens.
  • routes/api.php - Adds explicit throttling middleware to API routes group.
  • database/migrations/2026_05_02_000001_add_security_fields_to_application_apis_table.php - Adds is_active, expires_at, permissions, created_by to application_apis.
  • app/Models/ApplicationApi.php - Adds casts, creator relation, validity + permission helpers.
  • app/Http/Middleware/ApiAuthToken.php - Enforces token presence/validity and standardizes auth error responses.
  • app/Http/Middleware/ApiPermissionCheck.php - New middleware for per-endpoint permission checks.
  • app/Http/Kernel.php - Updates API throttling and registers new permission middleware.
  • app/Services/ApiResponseService.php - New centralized response wrapper for success/error/pagination.
  • app/Exceptions/ApiErrorCode.php - Adds enumerated API error codes for consistency.
  • app/Http/Resources/ApiResponseResource.php - Adds a resource wrapper for success/data/error/meta.
  • app/Http/Requests/Api/Users/UpdateUserRequest.php - Makes user update fields optional to support partial updates.
  • app/Http/Requests/Api/Servers/UpdateServerRequest.php - Makes user_id optional for partial updates.
  • app/Http/Controllers/Api/UserController.php - Uses standardized responses + pagination meta; improves pterodactyl error handling shape.
  • app/Http/Controllers/Api/ServerController.php - Uses standardized responses + pagination meta; updates error handling/status codes.
  • app/Http/Controllers/Api/VoucherController.php - Uses standardized responses + pagination meta and enables allowed sorts.
  • app/Http/Controllers/Api/RoleController.php - Uses standardized responses + pagination meta and enables allowed sorts.
  • app/Http/Controllers/Api/ProductController.php - Uses standardized responses + pagination meta and enables allowed sorts.
  • app/Http/Controllers/Api/NotificationController.php - Uses standardized responses + pagination meta; standardizes send/delete responses.
  • app/Http/Controllers/Admin/ApplicationApiController.php - Adds permission/expiry handling, regeneration flow, and datatable status rendering.

@Zastinian Zastinian force-pushed the feature/Api-Improvements branch from 67c5685 to 38d4e6e Compare May 2, 2026 22:59
@Zastinian

Contributor Author

Resolved all Copilot review comments

@MrWeez

MrWeez commented May 6, 2026

Collaborator

It's a good foundation, but it needs to be improved to maintain compatibility with the current API, as well as adapted so that Scribe can correctly generate the OpenAPI specification. Due to the amount of work, this will be delayed until the 1.4 or 2.0 release.

@MrWeez MrWeez marked this pull request as draft May 12, 2026 05:54