api/auth.php

<?php
require_once 'config.php';
require_once __DIR__ . '/error_config.php';
start_secure_session();
set_json_headers();

$method = $_SERVER['REQUEST_METHOD'];
$action = $_GET['action'] ?? '';

// =====================================================
// 로그인
// =====================================================
if ($method === 'POST' && $action === 'login') {
    $input = get_json_input();
    $password = $input['password'] ?? '';
    
    if (empty($password)) {
        json_response(['error' => '비밀번호를 입력하세요'], 400);
    }
    
    // 무차별 대입 방지 - 간단한 딜레이
    usleep(500000); // 0.5초
    
    if (ADMIN_PASSWORD_HASH === '') {
        json_response(['error' => 'Admin password is not configured'], 500);
    }

    if (password_verify($password, ADMIN_PASSWORD_HASH)) {
        // 세션 고정 공격 방지
        session_regenerate_id(true);
        $_SESSION['authenticated'] = true;
        $_SESSION['login_time'] = time();
        json_response(['success' => true, 'message' => '로그인 성공', 'csrf_token' => ensure_csrf_token()]);
    } else {
        json_response(['error' => '비밀번호가 일치하지 않습니다'], 401);
    }
}

// =====================================================
// 로그아웃
// =====================================================
if ($method === 'POST' && $action === 'logout') {
    require_auth();
    require_csrf();
    session_destroy();
    json_response(['success' => true]);
}

// =====================================================
// 인증 상태 확인
// =====================================================
if ($method === 'GET' && $action === 'check') {
    $authenticated = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
    
    // 타임아웃 체크
    if ($authenticated && isset($_SESSION['login_time'])) {
        if ((time() - $_SESSION['login_time']) > SESSION_LIFETIME) {
            session_destroy();
            $authenticated = false;
        }
    }
    
    $response = ['authenticated' => $authenticated];
    if ($authenticated) {
        $response['csrf_token'] = ensure_csrf_token();
    }
    json_response($response);
}

json_response(['error' => 'Invalid action'], 400);
Initial profile site commit 2026-05-31 21:05:59 +09:00			`<?php`
			`require_once 'config.php';`
			`require_once __DIR__ . '/error_config.php';`
Harden admin security controls 2026-05-31 22:23:51 +09:00			`start_secure_session();`
Initial profile site commit 2026-05-31 21:05:59 +09:00			`set_json_headers();`

			`$method = $_SERVER['REQUEST_METHOD'];`
			`$action = $_GET['action'] ?? '';`

			`// =====================================================`
			`// 로그인`
			`// =====================================================`
			`if ($method === 'POST' && $action === 'login') {`
			`$input = get_json_input();`
			`$password = $input['password'] ?? '';`

			`if (empty($password)) {`
			`json_response(['error' => '비밀번호를 입력하세요'], 400);`
			`}`

			`// 무차별 대입 방지 - 간단한 딜레이`
			`usleep(500000); // 0.5초`

Harden admin security controls 2026-05-31 22:23:51 +09:00			`if (ADMIN_PASSWORD_HASH === '') {`
			`json_response(['error' => 'Admin password is not configured'], 500);`
			`}`

Initial profile site commit 2026-05-31 21:05:59 +09:00			`if (password_verify($password, ADMIN_PASSWORD_HASH)) {`
			`// 세션 고정 공격 방지`
			`session_regenerate_id(true);`
			`$_SESSION['authenticated'] = true;`
			`$_SESSION['login_time'] = time();`
Harden admin security controls 2026-05-31 22:23:51 +09:00			`json_response(['success' => true, 'message' => '로그인 성공', 'csrf_token' => ensure_csrf_token()]);`
Initial profile site commit 2026-05-31 21:05:59 +09:00			`} else {`
			`json_response(['error' => '비밀번호가 일치하지 않습니다'], 401);`
			`}`
			`}`

			`// =====================================================`
			`// 로그아웃`
			`// =====================================================`
			`if ($method === 'POST' && $action === 'logout') {`
Harden admin security controls 2026-05-31 22:23:51 +09:00			`require_auth();`
			`require_csrf();`
Initial profile site commit 2026-05-31 21:05:59 +09:00			`session_destroy();`
			`json_response(['success' => true]);`
			`}`

			`// =====================================================`
			`// 인증 상태 확인`
			`// =====================================================`
			`if ($method === 'GET' && $action === 'check') {`
			`$authenticated = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;`

			`// 타임아웃 체크`
			`if ($authenticated && isset($_SESSION['login_time'])) {`
			`if ((time() - $_SESSION['login_time']) > SESSION_LIFETIME) {`
			`session_destroy();`
			`$authenticated = false;`
			`}`
			`}`

Harden admin security controls 2026-05-31 22:23:51 +09:00			`$response = ['authenticated' => $authenticated];`
			`if ($authenticated) {`
			`$response['csrf_token'] = ensure_csrf_token();`
			`}`
			`json_response($response);`
Initial profile site commit 2026-05-31 21:05:59 +09:00			`}`

			`json_response(['error' => 'Invalid action'], 400);`