From fbf5802c6965a4b4739b1eea9cd15c4f576c13f2 Mon Sep 17 00:00:00 2001
From: scheianu <scheianuionut@gmail.com>
Date: Sun, 15 Mar 2026 16:12:18 +0200
Subject: [PATCH] Fix board registration blocked by HMAC auth

- /register endpoint no longer requires verifyAPIRequest() - it is
  the bootstrap handshake and api_secret cannot be set before it runs
- Add api_secret field to the Add Board form (hardware boards only)
  with a cryptographic Generate button, same as the Edit form
- Save api_secret from the add-board POST so the driver can sign
  requests immediately after registration
---
 app/routes/boards.py          |  3 +++
 app/templates/boards/add.html | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/app/routes/boards.py b/app/routes/boards.py
index 0259fe7..71c5e99 100644
--- a/app/routes/boards.py
+++ b/app/routes/boards.py
@@ -75,6 +75,8 @@ def add_board():
             num_relays = 0
             num_inputs = 0
 
+        api_secret = request.form.get("api_secret", "").strip() or None
+
         board = Board(
             name=name,
             board_type=board_type,
@@ -82,6 +84,7 @@ def add_board():
             port=port,
             num_relays=num_relays,
             num_inputs=num_inputs,
+            api_secret=api_secret,
         )
         db.session.add(board)
         db.session.commit()
diff --git a/app/templates/boards/add.html b/app/templates/boards/add.html
index caa1385..fb020e5 100644
--- a/app/templates/boards/add.html
+++ b/app/templates/boards/add.html
@@ -149,6 +149,18 @@
       </div>
     </div>
 
+    <div id="f-secret-section" class="d-none mb-4">
+      <label class="form-label fw-semibold">API Secret <span class="text-secondary fw-normal small">(HMAC-SHA256 shared secret)</span></label>
+      <div class="input-group">
+        <input type="text" name="api_secret" id="f-api-secret" class="form-control font-monospace"
+               placeholder="Leave empty to disable API authentication">
+        <button class="btn btn-outline-secondary" type="button" onclick="genSecret()">
+          <i class="bi bi-shuffle me-1"></i>Generate
+        </button>
+      </div>
+      <div class="form-text">Must match <code>API_SECRET</code> in the board's <code>secrets.h</code>. You can also set this later in the board's Edit page.</div>
+    </div>
+
     <div class="d-flex gap-2">
       <button type="submit" class="btn btn-primary px-4">
         <i class="bi bi-check-lg me-1"></i>Add Board
@@ -317,10 +329,12 @@
       gwAlert.className = "alert py-3 d-flex gap-3 align-items-start " + meta.alertCls;
       gwIcon.innerHTML  = meta.alertIcon;
       gwText.innerHTML  = meta.alertBody;
+      document.getElementById("f-secret-section").classList.add("d-none");
     } else {
       hwSec.classList.remove("d-none");
       fHost.required = true;
       gwSec.classList.add("d-none");
+      document.getElementById("f-secret-section").classList.remove("d-none");
     }
 
     // Step indicator
@@ -336,6 +350,13 @@
 
     fName.focus();
   }
+
+  window.genSecret = function () {
+    const buf = new Uint8Array(32);
+    crypto.getRandomValues(buf);
+    document.getElementById('f-api-secret').value =
+      Array.from(buf).map(b => b.toString(16).padStart(2, '0')).join('');
+  };
 }());
 </script>
 {% endblock %}