v0.3.0 add site management signature security export and logs

新增
app/Controllers/LogController.php
resources/views/dashboard/logs.php
resources/views/dashboard/site-edit.php
database/upgrade-v0.3.0.sql
examples/php-signed-forwarder.php
重点更新
public/index.php
app/Controllers/InquiryController.php
app/Controllers/SiteController.php
app/Controllers/Api/InquiryApiController.php
app/Services/InquiryReceiveService.php
app/Models/Site.php
app/Models/Inquiry.php
app/Models/InquiryLog.php
resources/views/dashboard/sites.php
resources/views/dashboard/inquiries.php
resources/views/dashboard/inquiry-detail.php
README.md
CHANGELOG.md
VERSION.txt

Author: coowinit

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## v0.3.0
+
+- Added site create and edit functions
+- Added API token rotation
+- Added signature secret rotation
+- Added optional HMAC signature verification per site
+- Added system logs page
+- Added CSV export from inquiry list
+- Added blocked IP delete action
+- Updated dashboard with v0.3.0 summary and recent logs
+- Added database upgrade script for v0.3.0
+- Added signed PHP forwarder example
+
 ## v0.2.0
 
 - Added unified receive API endpoint

README.md

@@ -1,19 +1,17 @@
 # Inquiry Management System
 
-Version: **v0.2.0**
+Version: **v0.3.0**
 
 A pure PHP + MySQL inquiry management system for collecting inquiry forms from multiple websites into one centralized backend.
 
-## v0.2.0 Highlights
+## v0.3.0 Highlights
 
-- Unified receive API is ready: `/api/v1/inquiries/submit`
-- `site_key + api_token` validation
-- Required field validation for `name`, `email`, `content`
-- Stores both `extra_data` and `raw_payload`
-- Basic anti-spam checks
-- Blocked IP validation
-- Inquiry filters and quick status actions in the backend
-- GitHub Actions ZIP packaging workflow included
+- Site management now supports create, edit, and key rotation
+- Optional HMAC request signature verification per site
+- Inquiry CSV export is available from the inquiry list page
+- System log page is now available
+- Blocked IP entries can be removed in the backend
+- Health endpoint now returns the application version automatically
 
 ## Environment
 
@@ -31,6 +29,19 @@ A pure PHP + MySQL inquiry management system for collecting inquiry forms from m
 4. Point your web root to `public/`
 5. Open the project in your browser
 
+## Upgrading from v0.2.0
+
+If you already have a v0.2.0 database, run:
+
+- `database/upgrade-v0.3.0.sql`
+
+This adds:
+
+- `signature_secret`
+- `require_signature`
+
+to the `inquiry_sites` table.
+
 ## Default Admin Account
 
 - Username: `admin`
@@ -41,7 +52,10 @@ A pure PHP + MySQL inquiry management system for collecting inquiry forms from m
 - `/login`
 - `/dashboard`
 - `/inquiries`
+- `/inquiries/export`
 - `/sites`
+- `/sites/edit?id=1`
+- `/logs`
 - `/tools/blacklist-ips`
 - `/profile`
 
@@ -91,9 +105,23 @@ Supported payload types:
 
 Unknown fields will also be merged into `extra_data` automatically.
 
+## Signed Request Mode
+
+For sites with **Require HMAC signature** enabled:
+
+- Header: `X-Timestamp` = unix timestamp in seconds
+- Header: `X-Signature` = `hash_hmac('sha256', X-Timestamp + "\n" + raw_body, signature_secret)`
+
+Recommended usage:
+
+1. Your website backend builds the final request body
+2. Your website backend signs the raw body with the site's signature secret
+3. Your website backend sends the request to the central inquiry system
+
 ## Example Files
 
 - `examples/php-forwarder.php`
+- `examples/php-signed-forwarder.php`
 - `examples/javascript-fetch-example.js`
 
 ## GitHub Actions
@@ -105,8 +133,8 @@ Workflow file:
 It creates a ZIP package automatically when you push a tag like:
 
 ```bash
-git tag v0.2.0
-git push origin v0.2.0
+git tag v0.3.0
+git push origin v0.3.0
 ```
 
 ## Notes

VERSION.txt

@@ -1 +1 @@
-v0.2.0
+v0.3.0

app/Controllers/Api/InquiryApiController.php

@@ -44,6 +44,9 @@ public function submit(): void
             'user_agent_summary' => substr((string) ($_SERVER['HTTP_USER_AGENT'] ?? ''), 0, 255),
             'accept_language' => $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '',
             'api_token' => $payload['api_token'] ?? '',
+            'raw_body' => request_raw_body(),
+            'signature' => request_header('X-Signature'),
+            'timestamp' => request_header('X-Timestamp'),
         ]);
 
         json_response($result['body'], $result['status_code']);
@@ -55,7 +58,7 @@ public function health(): void
         json_response([
             'success' => true,
             'message' => 'Inquiry receive API is ready.',
-            'version' => (string) config('app.api.version', 'v1'),
+            'version' => app_version(),
             'timestamp' => date('c'),
         ]);
     }
@@ -73,7 +76,7 @@ private function sendCorsHeaders(): void
         }
 
         header('Access-Control-Allow-Methods: POST, OPTIONS, GET');
-        header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Site-Token');
+        header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Site-Token, X-Signature, X-Timestamp');
         header('Access-Control-Max-Age: 86400');
     }
 }

app/Controllers/DashboardController.php

@@ -7,6 +7,7 @@
 use App\Core\Auth;
 use App\Core\Controller;
 use App\Models\Inquiry;
+use App\Models\InquiryLog;
 use App\Models\Site;
 
 final class DashboardController extends Controller
@@ -15,13 +16,15 @@ public function index(): void
     {
         $inquiryModel = new Inquiry();
         $siteModel = new Site();
+        $logModel = new InquiryLog();
 
         $this->view('dashboard/index', [
             'pageTitle' => 'Dashboard',
             'user' => Auth::user(),
             'stats' => $inquiryModel->stats(),
             'latestInquiries' => $inquiryModel->latest(6),
-            'sites' => $siteModel->all(),
+            'sites' => $siteModel->allWithStats(),
+            'recentLogs' => $logModel->paginate(1, 6)['data'],
             'apiEndpoint' => base_url('api/v1/inquiries/submit'),
         ]);
     }

app/Controllers/InquiryController.php

@@ -19,17 +19,7 @@ public function index(): void
         $user = Auth::user();
         $perPage = max(10, min(100, (int) ($user['page_size'] ?? 20)));
 
-        $filters = [
-            'status' => trim((string) ($_GET['status'] ?? '')),
-            'site_id' => (int) ($_GET['site_id'] ?? 0),
-            'keyword' => trim((string) ($_GET['keyword'] ?? '')),
-            'date_from' => trim((string) ($_GET['date_from'] ?? '')),
-            'date_to' => trim((string) ($_GET['date_to'] ?? '')),
-        ];
-
-        if ($filters['site_id'] === 0) {
-            $filters['site_id'] = null;
-        }
+        $filters = $this->collectFilters();
 
         $inquiryModel = new Inquiry();
         $siteModel = new Site();
@@ -48,6 +38,7 @@ public function show(): void
     {
         $id = (int) ($_GET['id'] ?? 0);
         $inquiryModel = new Inquiry();
+        $logModel = new InquiryLog();
         $inquiry = $inquiryModel->find($id);
 
         if (!$inquiry) {
@@ -58,7 +49,7 @@ public function show(): void
 
         if ($inquiry['status'] === 'unread') {
             $inquiryModel->updateStatus($id, 'read');
-            (new InquiryLog())->create($id, Auth::id(), 'viewed', 'Marked as read from detail page');
+            $logModel->create($id, Auth::id(), 'viewed', 'Marked as read from detail page');
             $inquiry = $inquiryModel->find($id);
         }
 
@@ -78,6 +69,7 @@ public function show(): void
             'inquiry' => $inquiry,
             'extraData' => $extraData,
             'rawPayload' => $rawPayload,
+            'logs' => $logModel->latestForInquiry($id, 8),
             'csrfToken' => Csrf::token(),
         ]);
     }
@@ -111,4 +103,40 @@ public function updateStatus(): void
         $back = trim((string) ($_POST['back'] ?? 'inquiries'));
         redirect($back);
     }
+
+    public function exportCsv(): void
+    {
+        $filters = $this->collectFilters();
+        $rows = (new Inquiry())->exportRows($filters, 5000);
+
+        (new InquiryLog())->create(null, Auth::id(), 'inquiries_exported', 'Exported ' . count($rows) . ' rows as CSV');
+
+        send_csv_download(
+            'inquiries-' . date('Ymd-His') . '.csv',
+            [
+                'id', 'site_name', 'form_key', 'status', 'name', 'email', 'title', 'content',
+                'country', 'phone', 'address', 'from_company', 'source_url', 'referer_url',
+                'ip', 'browser', 'device_type', 'language', 'admin_note', 'submitted_at',
+                'created_at', 'updated_at', 'extra_data',
+            ],
+            $rows
+        );
+    }
+
+    private function collectFilters(): array
+    {
+        $filters = [
+            'status' => trim((string) ($_GET['status'] ?? '')),
+            'site_id' => (int) ($_GET['site_id'] ?? 0),
+            'keyword' => trim((string) ($_GET['keyword'] ?? '')),
+            'date_from' => trim((string) ($_GET['date_from'] ?? '')),
+            'date_to' => trim((string) ($_GET['date_to'] ?? '')),
+        ];
+
+        if ($filters['site_id'] === 0) {
+            $filters['site_id'] = null;
+        }
+
+        return $filters;
+    }
 }

app/Controllers/LogController.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controllers;
+
+use App\Core\Auth;
+use App\Core\Controller;
+use App\Models\InquiryLog;
+
+final class LogController extends Controller
+{
+    public function index(): void
+    {
+        $page = max(1, (int) ($_GET['page'] ?? 1));
+        $user = Auth::user();
+        $perPage = max(20, min(100, (int) ($user['page_size'] ?? 20)));
+        $pagination = (new InquiryLog())->paginate($page, $perPage);
+
+        $this->view('dashboard/logs', [
+            'pageTitle' => 'System Logs',
+            'pagination' => $pagination,
+        ]);
+    }
+}