Harden admin security controls

api/config.php

@@ -1,39 +1,57 @@
 <?php
 // =====================================================
-// 설정 파일
+// Runtime configuration
 // =====================================================
-// ⚠️ 중요: 처음 사용 시 아래 ADMIN_PASSWORD_HASH를 변경하세요
-// 비밀번호 해시 생성 방법:
-//   브라우저에서 generate_password.php 접속 후 원하는 비번 입력
-//   또는 터미널에서: php -r "echo password_hash('your_password', PASSWORD_DEFAULT);"
+// ADMIN_PASSWORD_HASH is loaded from api/config.local.php or the environment.
+// Do not commit real password hashes or other secrets to the repository.
 // =====================================================
 
-// 기본 비밀번호: "admin1234" (반드시 변경하세요!)
-define('ADMIN_PASSWORD_HASH', '$2y$10$Wj/5fxQX90AlvyVPBfE0te2aUbysSBlE/Umm7EluG880rqcRUlHGm');
+$localConfig = __DIR__ . '/config.local.php';
+if (is_file($localConfig)) {
+    require_once $localConfig;
+}
 
-// 데이터 파일 경로
+if (!defined('ADMIN_PASSWORD_HASH')) {
+    $adminPasswordHash = getenv('ADMIN_PASSWORD_HASH');
+    define('ADMIN_PASSWORD_HASH', is_string($adminPasswordHash) ? trim($adminPasswordHash) : '');
+}
+
+// Data paths
 define('DATA_DIR', __DIR__ . '/../data');
 define('UPLOADS_DIR', __DIR__ . '/../uploads');
 define('PROJECTS_FILE', DATA_DIR . '/projects.json');
 define('PROFILE_FILE', DATA_DIR . '/profile.json');
 
-// 세션 설정
-define('SESSION_LIFETIME', 3600 * 4); // 4시간
+// Session settings
+define('SESSION_LIFETIME', 3600 * 4);
+
+function start_secure_session() {
+    if (session_status() !== PHP_SESSION_NONE) {
+        return;
+    }
+
+    session_set_cookie_params([
+        'lifetime' => 0,
+        'path' => '/',
+        'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
+        'httponly' => true,
+        'samesite' => 'Lax',
+    ]);
+    session_start();
+}
 
-// CORS 및 JSON 헤더
 function set_json_headers() {
     header('Content-Type: application/json; charset=utf-8');
     header('X-Content-Type-Options: nosniff');
 }
 
-// JSON 파일을 락 걸고 읽기
 function read_json_safe($filepath) {
     if (!file_exists($filepath)) {
         return null;
     }
     $fp = fopen($filepath, 'r');
     if (!$fp) return null;
-    
+
     if (flock($fp, LOCK_SH)) {
         $content = stream_get_contents($fp);
         flock($fp, LOCK_UN);
@@ -44,41 +62,33 @@ function read_json_safe($filepath) {
     return null;
 }
 
-// JSON 파일을 락 걸고 쓰기
+// Write JSON atomically so a crash during write does not leave a 0-byte file.
 function write_json_safe($filepath, $data) {
     $json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
     if ($json === false) return false;
-    
-    $fp = fopen($filepath, 'c+');
-    if (!$fp) return false;
-    
-    if (flock($fp, LOCK_EX)) {
-        ftruncate($fp, 0);
-        rewind($fp);
-        fwrite($fp, $json);
-        fflush($fp);
-        flock($fp, LOCK_UN);
-        fclose($fp);
-        return true;
+
+    $tmp = $filepath . '.tmp.' . uniqid('', true);
+    if (file_put_contents($tmp, $json, LOCK_EX) === false) {
+        @unlink($tmp);
+        return false;
     }
-    fclose($fp);
-    return false;
+    if (!rename($tmp, $filepath)) {
+        @unlink($tmp);
+        return false;
+    }
+    return true;
 }
 
-// 인증 체크
 function require_auth() {
-    if (session_status() === PHP_SESSION_NONE) {
-        session_start();
-    }
-    
+    start_secure_session();
+
     if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
         http_response_code(401);
         echo json_encode(['error' => 'Unauthorized']);
         exit;
     }
-    
-    // 세션 타임아웃 체크
-    if (isset($_SESSION['login_time']) && 
+
+    if (isset($_SESSION['login_time']) &&
         (time() - $_SESSION['login_time']) > SESSION_LIFETIME) {
         session_destroy();
         http_response_code(401);
@@ -87,13 +97,67 @@ function require_auth() {
     }
 }
 
-// JSON 입력 받기
+function ensure_csrf_token() {
+    start_secure_session();
+    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+    }
+    return $_SESSION['csrf_token'];
+}
+
+function require_csrf() {
+    start_secure_session();
+    $sessionToken = $_SESSION['csrf_token'] ?? '';
+    $requestToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+
+    if (!is_string($sessionToken) || $sessionToken === '' ||
+        !is_string($requestToken) || !hash_equals($sessionToken, $requestToken)) {
+        json_response(['error' => 'Invalid CSRF token'], 403);
+    }
+}
+
 function get_json_input() {
     $input = file_get_contents('php://input');
     return json_decode($input, true);
 }
 
-// 응답 헬퍼
+function is_safe_public_url($url) {
+    if (!is_string($url)) return false;
+    $url = trim($url);
+    if ($url === '') return true;
+
+    if (preg_match('#^uploads/[A-Za-z0-9가-힣._~!$&\'()*+,;=:@%/-]+$#u', $url)) {
+        return !str_contains($url, '..') && !preg_match('#(^|/)\.#', $url);
+    }
+
+    $parts = parse_url($url);
+    if ($parts === false || empty($parts['scheme'])) return false;
+    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
+}
+
+function clean_public_url($url) {
+    $url = is_string($url) ? trim($url) : '';
+    return is_safe_public_url($url) ? $url : '';
+}
+
+function clean_public_urls($urls) {
+    if (!is_array($urls)) return [];
+    $clean = [];
+    foreach ($urls as $url) {
+        $url = clean_public_url($url);
+        if ($url !== '') $clean[] = $url;
+    }
+    return array_values(array_unique($clean));
+}
+
+function clean_css_color($value, $fallback = '#00f2ff') {
+    $value = is_string($value) ? trim($value) : '';
+    if (preg_match('/^#[0-9a-fA-F]{6}$/', $value) || preg_match('/^#[0-9a-fA-F]{3}$/', $value)) {
+        return $value;
+    }
+    return $fallback;
+}
+
 function json_response($data, $status = 200) {
     http_response_code($status);
     echo json_encode($data, JSON_UNESCAPED_UNICODE);