scheianu
039a60848d
Security: - Add verifyAPIRequest(): accepts valid Digest Auth (browser) OR valid HMAC-SHA256 signature (driver) — fixes browser UI being blocked by auth - All 11 API endpoints require verifyAPIRequest() - /register exempt (bootstrap handshake, secret not yet exchanged) - Credentials moved to secrets.h (gitignored); secrets.h.example added NTP: - Sync time on boot for HMAC replay-prevention timestamp window (±60s) - server.collectHeaders() registers X-Request-Time / X-Request-Sig NFC: - Full NFC access control: auth UID, relay trigger, absent timeout - Live UID display, copy-to-auth button, save/clear settings from UI - Access state: idle / granted / denied with colour feedback
137 B
137 B