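<?php

declare(strict_types=1);

// Admin authentication endpoint: `login`, `logout` and `check` actions.
// Every branch ends in json_response(); the trailing 'Invalid action'
// response at the bottom relies on json_response() terminating the request
// after emitting its payload (the original script relies on the same thing).

require_once 'config.php';
require_once __DIR__ . '/error_config.php';

start_secure_session();
set_json_headers();

// REQUEST_METHOD is not set under the CLI SAPI; default to '' so that no
// action branch matches instead of raising an undefined-index warning.
$method = $_SERVER['REQUEST_METHOD'] ?? '';
$action = $_GET['action'] ?? '';

// =====================================================
// Login
// =====================================================
if ($method === 'POST' && $action === 'login') {
    $input = get_json_input();
    $password = $input['password'] ?? '';

    // The JSON body is untrusted: reject anything that is not a non-empty
    // string. A number or array here would make password_verify() throw a
    // TypeError (an unhandled 500 rather than a clean 400). Deliberately not
    // empty(): that would also reject the legitimate password "0".
    if (!is_string($password) || $password === '') {
        json_response(['error' => '비밀번호를 입력하세요'], 400);
    }

    // Brute-force mitigation: a fixed delay on every attempt. This only
    // slows down a single sequential client; real rate limiting per
    // source/account belongs in front of this endpoint.
    usleep(500000); // 0.5 s

    if (ADMIN_PASSWORD_HASH === '') {
        json_response(['error' => 'Admin password is not configured'], 500);
    }

    if (password_verify($password, ADMIN_PASSWORD_HASH)) {
        // Rotate the session id on privilege change (session fixation defence);
        // `true` discards the old session file.
        session_regenerate_id(true);
        $_SESSION['authenticated'] = true;
        $_SESSION['login_time'] = time();
        json_response(['success' => true, 'message' => '로그인 성공', 'csrf_token' => ensure_csrf_token()]);
    } else {
        json_response(['error' => '비밀번호가 일치하지 않습니다'], 401);
    }
}

// =====================================================
// Logout
// =====================================================
if ($method === 'POST' && $action === 'logout') {
    require_auth();
    require_csrf();
    // session_destroy() only removes the server-side store; clear the
    // in-memory superglobal too so nothing from the old session is reachable
    // for the remainder of this request.
    $_SESSION = [];
    session_destroy();
    json_response(['success' => true]);
}

// =====================================================
// Authentication status check
// =====================================================
if ($method === 'GET' && $action === 'check') {
    $authenticated = ($_SESSION['authenticated'] ?? false) === true;

    // Absolute session timeout, measured from login_time set at login.
    // NOTE(review): an authenticated session without login_time is left
    // untouched here (the login branch always sets it) — confirm that
    // require_auth() applies the same lifetime check for other actions.
    if ($authenticated && isset($_SESSION['login_time'])) {
        if ((time() - $_SESSION['login_time']) > SESSION_LIFETIME) {
            $_SESSION = [];
            session_destroy();
            $authenticated = false;
        }
    }

    $response = ['authenticated' => $authenticated];
    if ($authenticated) {
        $response['csrf_token'] = ensure_csrf_token();
    }
    json_response($response);
}

json_response(['error' => 'Invalid action'], 400);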