Harden admin security controls

api/auth.php

@@ -1,7 +1,7 @@
 <?php
 require_once 'config.php';
 require_once __DIR__ . '/error_config.php';
-session_start();
+start_secure_session();
 set_json_headers();
 
 $method = $_SERVER['REQUEST_METHOD'];
@@ -21,12 +21,16 @@ if ($method === 'POST' && $action === 'login') {
     // 무차별 대입 방지 - 간단한 딜레이
     usleep(500000); // 0.5초
     
+    if (ADMIN_PASSWORD_HASH === '') {
+        json_response(['error' => 'Admin password is not configured'], 500);
+    }
+
     if (password_verify($password, ADMIN_PASSWORD_HASH)) {
         // 세션 고정 공격 방지
         session_regenerate_id(true);
         $_SESSION['authenticated'] = true;
         $_SESSION['login_time'] = time();
-        json_response(['success' => true, 'message' => '로그인 성공']);
+        json_response(['success' => true, 'message' => '로그인 성공', 'csrf_token' => ensure_csrf_token()]);
     } else {
         json_response(['error' => '비밀번호가 일치하지 않습니다'], 401);
     }
@@ -36,6 +40,8 @@ if ($method === 'POST' && $action === 'login') {
 // 로그아웃
 // =====================================================
 if ($method === 'POST' && $action === 'logout') {
+    require_auth();
+    require_csrf();
     session_destroy();
     json_response(['success' => true]);
 }
@@ -54,7 +60,11 @@ if ($method === 'GET' && $action === 'check') {
         }
     }
     
-    json_response(['authenticated' => $authenticated]);
+    $response = ['authenticated' => $authenticated];
+    if ($authenticated) {
+        $response['csrf_token'] = ensure_csrf_token();
+    }
+    json_response($response);
 }
 
 json_response(['error' => 'Invalid action'], 400);