
Add authenticated custom item insertion with SQLite backend #51

Draft
Copilot wants to merge 5 commits into main from copilot/add-data-insertion-security

Conversation

Contributor

Copilot AI commented Feb 1, 2026

Implements secure custom movie/TV item creation accessible only to authenticated users via API key. Items are stored in SQLite and can be retrieved publicly.

Backend

  • Database: SQLite with auto-initializing custom_items table (id, title, comment, media_type, created_at, created_by)
  • Auth middleware: API key validation from Authorization: Bearer <key> or X-API-Key header, fallback to $_SERVER for non-Apache environments
  • REST endpoint (/api/rest/item.php): POST (authenticated) creates items, GET (public) retrieves all
  • Item service: Prepared statements for SQL injection prevention, input validation (title required, media_type enum)
  • Config: Added CUSTOM_API_KEY and DB_PATH constants

// POST /api/rest/item.php
{
  "title": "The Shawshank Redemption",
  "comment": "Optional comment",
  "media_type": "movie"
}
// Returns 201 with created item or 401/400 on auth/validation failure

Frontend

  • ItemService: HTTP client with API key injection, typed responses
  • Dashboard form: Material Design UI with title (required), comment (optional), media_type dropdown
  • Validation: Real-time form validation, success/error messages with 5s auto-dismiss
  • Environment: Added customApiKey configuration

Security

  • API key authentication on write operations
  • Prepared statements throughout
  • Input validation client and server-side
  • Environment-specific configs excluded from git (.gitignore)
  • CodeQL scan: 0 vulnerabilities

Screenshots

Custom Item Form
Form UI

Form with Data
Filled Form

Configuration

Create environment-specific configs from templates:

# Backend
cp api/config/config.default.php api/config/config.dev.php
# Set CUSTOM_API_KEY

# Frontend
cp frontend/src/environments/environment.ts frontend/src/environments/environment.dev.ts
# Set customApiKey to match backend

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • download.cypress.io
    • Triggering command: /usr/local/bin/node node dist/index.js --exec install (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Objective

Create a secure solution to insert new data from the frontend to the backend, allowing only the authenticated user (inpercima) to add new entries.

Current Architecture

The application currently:

  • Uses Angular frontend with PHP backend
  • Fetches data from TMDb API v4 (read-only)
  • Has a ListService that makes GET requests to ./api/rest/list
  • Uses api/service/list.service.php to fetch from https://api.themoviedb.org/4/list/$listId
  • Stores TMDb API key in api/config/config.{env}.php

Requirements

1. Backend Implementation

Database Setup

  • Create SQLite database setup script (api/database/setup.sql or similar)
  • Create a custom_items table with fields:
    • id (PRIMARY KEY, AUTO_INCREMENT)
    • title (VARCHAR)
    • comment (TEXT)
    • media_type (VARCHAR - 'movie' or 'tv')
    • created_at (TIMESTAMP)
    • created_by (VARCHAR)

Security Layer

  • Create authentication middleware (api/middleware/auth.middleware.php)
  • Implement API key validation mechanism
  • Add new config option CUSTOM_API_KEY in api/config/config.default.php
  • Secure the endpoint so only requests with valid API key can add entries

New Endpoint

  • Create api/rest/item.php for POST requests
  • Create api/service/item.service.php with methods:
    • addItem($title, $comment, $mediaType) - inserts new item into database
    • getAllCustomItems() - retrieves all custom items
  • Validate incoming data (required fields, data types)
  • Return appropriate HTTP status codes (201 for created, 401 for unauthorized, 400 for bad request)
  • Set proper CORS headers (already handled in CoreService)

Enhanced List Service

  • Update api/service/list.service.php to merge TMDb items with custom items
  • Or create separate endpoint for custom items

2. Frontend Implementation

Service Layer

  • Update frontend/src/app/features/dashboard/list.service.ts:
    • Add method addItem(item: Item): Observable<any> for POST requests
    • Include API key in request headers
  • Consider creating separate ItemService for better separation of concerns

UI Component

  • Create new component or extend dashboard.component.html:
    • Add form with fields: title, comment, media_type
    • Add submit button to save custom items
    • Show success/error messages
  • Add Material Design form controls (consistent with existing UI)
  • Include form validation

Configuration

  • Update frontend/src/environments/environment.ts:
    • Add customApiKey configuration option (should be copied to .dev.ts and .prod.ts)

3. Security Best Practices

  • API key should NOT be committed to version control
  • Add config.dev.php, config.prod.php, environment.dev.ts, environment.prod.ts to .gitignore (if not already)
  • Include instructions in README for setting up the API key
  • Validate and sanitize all inputs on backend
  • Use prepared statements for database queries to prevent SQL injection

4. Documentation

  • Update api/README.md:
    • Document the new CUSTOM_API_KEY configuration
    • Explain how to set it up
    • Document the new endpoint and its usage
  • Update frontend/README.md if needed
  • Add comments to new code files

Technical Constraints

  • Maintain compatibility with existing functionality
  • Follow the existing code style (PSR for PHP, Angular style guide for TypeScript)
  • Use existing dependency injection patterns
  • Reuse CoreService for common operations
  • Keep the current project structure

Expected Deliverables

  1. Database schema and setup script
  2. Authentication middleware
  3. New backend endpoint with service layer
  4. Frontend service methods
  5. UI form component for adding items
  6. Updated configuration files (default templates)
  7. Updated documentation

Testing Considerations

  • Endpoint should reject requests without valid API key
  • Endpoint should validate required fields
  • Successfully added items should be stored in database
  • Frontend form should handle validation errors
  • Integration with existing list display (if applicable)

Notes

  • The solution should be production-ready
  • Focus on simplicity and security
  • User "inpercima" should be the only one able to add entries via API key authentication

This pull request was created from Copilot chat.
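The backend pieces the PR describes (API-key gate reading Authorization: Bearer or X-API-Key with a $_SERVER fallback, the SQLite custom_items table, validated inserts through prepared statements, and the 201/400/401 status codes) condensed into one runnable PHP script. This is an added illustration, not the PR's own code or the project's file layout: the function names, the in-memory database, the byte limits and the sample key are assumptions, and the header array passed in from the CLI stands in for what request_headers() would collect under Apache or PHP-FPM.

```php
<?php
declare(strict_types=1);
// Added illustration of the design described in PR #51, not the PR's own code.
// Function names, the in-memory database and the sample key are assumptions.

const MEDIA_TYPES = ['movie', 'tv'];

/** Open SQLite (DB_PATH in the real config) and create custom_items if missing. */
function open_db(string $path): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE IF NOT EXISTS custom_items (
        id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, comment TEXT,
        media_type TEXT NOT NULL CHECK (media_type IN ('movie', 'tv')),
        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP, created_by TEXT NOT NULL)");
    return $db;
}

/** Lower-cased headers; the $_SERVER fallback covers SAPIs without getallheaders(). */
function request_headers(): array
{
    $h = function_exists('getallheaders') ? (getallheaders() ?: []) : [];
    $h += ['Authorization' => $_SERVER['HTTP_AUTHORIZATION'] ?? null, 'X-API-Key' => $_SERVER['HTTP_X_API_KEY'] ?? null];
    return array_change_key_case(array_filter($h), CASE_LOWER);
}

/** Key from "Authorization: Bearer <key>", else "X-API-Key", else null. */
function presented_key(array $headers): ?string
{
    if (preg_match('/^Bearer\s+(\S+)$/i', trim($headers['authorization'] ?? ''), $m)) {
        return $m[1];
    }
    return $headers['x-api-key'] ?? null;
}

/** Constant-time comparison; an empty CUSTOM_API_KEY must never authorise anyone. */
function is_authorized(array $headers, string $configuredKey): bool
{
    return $configuredKey !== '' && ($g = presented_key($headers)) !== null && hash_equals($configuredKey, $g);
}

/** Server-side validation of the decoded JSON body; returns [item|null, errors]. */
function validate_item($input): array
{
    if (!is_array($input)) {
        return [null, ['body' => 'JSON object expected']];
    }
    $errors = [];
    $title = $input['title'] ?? null;
    $comment = $input['comment'] ?? null;
    $mediaType = $input['media_type'] ?? null;
    if (!is_string($title) || trim($title) === '' || strlen($title) > 255) {
        $errors['title'] = 'title is required (1-255 bytes)';
    }
    if ($comment !== null && (!is_string($comment) || strlen($comment) > 2000)) {
        $errors['comment'] = 'comment must be a string of at most 2000 bytes';
    }
    if (!in_array($mediaType, MEDIA_TYPES, true)) {
        $errors['media_type'] = 'media_type must be movie or tv';
    }
    return $errors ? [null, $errors]
        : [['title' => trim($title), 'comment' => $comment === null ? null : trim($comment), 'media_type' => $mediaType], []];
}

/** Prepared-statement insert; created_by is the configured owner, never taken from the client. */
function add_item(PDO $db, array $item, string $createdBy): array
{
    $stmt = $db->prepare('INSERT INTO custom_items (title, comment, media_type, created_by)
                          VALUES (:title, :comment, :media_type, :created_by)');
    $stmt->execute([':title' => $item['title'], ':comment' => $item['comment'],
                    ':media_type' => $item['media_type'], ':created_by' => $createdBy]);
    $row = $db->prepare('SELECT * FROM custom_items WHERE id = :id');
    $row->execute([':id' => (int) $db->lastInsertId()]);
    return $row->fetch(PDO::FETCH_ASSOC);
}

/** What api/rest/item.php would do; returns [status, payload] so it can be exercised from the CLI. */
function handle_item_request(PDO $db, string $method, array $headers, string $rawBody, string $configuredKey, string $owner): array
{
    if ($method === 'GET') {   // public read path
        return [200, $db->query('SELECT * FROM custom_items ORDER BY id')->fetchAll(PDO::FETCH_ASSOC)];
    }
    if ($method !== 'POST') {
        return [405, ['error' => 'method not allowed']];
    }
    if (!is_authorized($headers, $configuredKey)) {   // auth before validation: a 401 reveals nothing
        return [401, ['error' => 'unauthorized']];
    }
    [$item, $errors] = validate_item(json_decode($rawBody, true));
    return $errors ? [400, ['errors' => $errors]] : [201, add_item($db, $item, $owner)];
}

if (PHP_SAPI === 'cli') {   // walk-through with a constructed in-memory database and sample key
    $db  = open_db(':memory:');
    $key = 'example-key-change-me';   // CUSTOM_API_KEY in config.{env}.php in the real app
    $ok  = json_encode(['title' => 'The Shawshank Redemption', 'media_type' => 'movie']);
    $cases = [
        ['POST', [], $ok],                                              // 401: no key
        ['POST', ['x-api-key' => 'wrong'], $ok],                        // 401: bad key
        ['POST', ['authorization' => "Bearer $key"], '{"title": ""}'],  // 400: validation
        ['POST', ['x-api-key' => $key], $ok],                           // 201: created
        ['GET', [], ''],                                                // 200: public list
    ];
    foreach ($cases as [$method, $headers, $body]) {
        [$status, $payload] = handle_item_request($db, $method, $headers, $body, $key, 'inpercima');
        echo "$method -> $status " . json_encode($payload) . PHP_EOL;
    }
}
```

Two design points worth checking in the real implementation. First, the key comparison uses hash_equals rather than ===, the authorization check runs before body validation so an unauthenticated caller gets a bare 401, and created_by is taken from server configuration rather than the request, so the client cannot claim another identity; the CHECK constraint on media_type duplicates the PHP validation on purpose, so a later code path that bypasses validate_item still cannot store an unexpected value. Second, a customApiKey compiled into the Angular environment ends up in the public JavaScript bundle: anyone who can load the app can read it, so the server-side check gates writes but the "only inpercima" property holds only as long as the deployed frontend itself is not reachable by others (or the key is entered at runtime instead of built in), and the key must travel over HTTPS. Some FastCGI setups strip the Authorization header before PHP sees it, which is what the X-API-Key fallback is for.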



Copilot AI and others added 4 commits February 1, 2026 19:57
Co-authored-by: inpercima <10551931+inpercima@users.noreply.github.com>
Co-authored-by: inpercima <10551931+inpercima@users.noreply.github.com>
Co-authored-by: inpercima <10551931+inpercima@users.noreply.github.com>
Co-authored-by: inpercima <10551931+inpercima@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add secure data insertion for authenticated users" to "Add authenticated custom item insertion with SQLite backend" on Feb 1, 2026
Copilot AI requested a review from inpercima February 1, 2026 20:10