2c3a8a0584
API / Security: - Add api/_helpers.php: shared send_security_headers(), verify_origin(), get_hmac_secret(), check_rate_limit(), read_json_locked(), write_json_locked() - shorten.php: remove Access-Control-Allow-Origin:*, restrict to same-origin, rate-limit 20 req/h per IP, atomic JSON read+lock, HMAC secret from file - verify.php: rate-limit GET (30/min) and POST (10/h) per IP, atomic lock, prevent overwriting existing proofs, origin check on POST - node.php: fix rate limit from 1000 to 60 req/min, add security headers, origin check - check-short.php: add security headers, re-derive signature server-side - s.php: use file-based HMAC secret via get_hmac_secret(), hash_equals() for timing-safe comparison Service Worker: - sw.js: navigation requests (mode=navigate) never served from cache; network-first with offline fallback to prevent stale invoice state Documentation (honest claims): - README: tagline "No backend" -> "No tracking"; new Architecture table listing exactly what server sees for each feature; Security Model section - index.html: meta description and footer updated from "No Backend" to "Minimal Backend" - i18n.js footer: already updated in previous commit
55 lines
1.4 KiB
PHP
55 lines
1.4 KiB
PHP
<?php
|
|
<?php
|
|
require_once __DIR__ . '/_helpers.php';
|
|
|
|
/**
|
|
* Short URL Integrity Verification API
|
|
* GET: Return the hash and HMAC signature for client-side verification.
|
|
*
|
|
* Security: Allows client-side detection of server-side tampering.
|
|
* The HMAC secret is stored in data/secret.key (auto-generated on first run).
|
|
*/
|
|
|
|
header('Content-Type: application/json');
|
|
send_security_headers();
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
|
|
http_response_code(405);
|
|
echo json_encode(['error' => 'Method not allowed']);
|
|
exit;
|
|
}
|
|
|
|
$code = $_GET['code'] ?? '';
|
|
if (empty($code) || !preg_match('/^[a-z0-9]{4,10}$/', $code)) {
|
|
http_response_code(400);
|
|
echo json_encode(['error' => 'Invalid code']);
|
|
exit;
|
|
}
|
|
|
|
$dbFile = __DIR__ . '/../data/urls.json';
|
|
if (!file_exists($dbFile)) {
|
|
http_response_code(404);
|
|
echo json_encode(['error' => 'Invoice not found']);
|
|
exit;
|
|
}
|
|
|
|
$urls = json_decode(file_get_contents($dbFile), true) ?: [];
|
|
if (!isset($urls[$code])) {
|
|
http_response_code(404);
|
|
echo json_encode(['error' => 'Invoice not found']);
|
|
exit;
|
|
}
|
|
|
|
$data = $urls[$code];
|
|
$hash = is_array($data) ? $data['h'] : $data;
|
|
$signature = is_array($data) ? $data['s'] : null;
|
|
|
|
// Re-derive expected signature so client can verify
|
|
$expected = $signature ? hash_hmac('sha256', $hash, get_hmac_secret()) : null;
|
|
|
|
echo json_encode([
|
|
'code' => $code,
|
|
'hash' => $hash,
|
|
'signature' => $expected
|
|
]);
|