scheianu
039a60848d
Security: - Add verifyAPIRequest(): accepts valid Digest Auth (browser) OR valid HMAC-SHA256 signature (driver) — fixes browser UI being blocked by auth - All 11 API endpoints require verifyAPIRequest() - /register exempt (bootstrap handshake, secret not yet exchanged) - Credentials moved to secrets.h (gitignored); secrets.h.example added NTP: - Sync time on boot for HMAC replay-prevention timestamp window (±60s) - server.collectHeaders() registers X-Request-Time / X-Request-Sig NFC: - Full NFC access control: auth UID, relay trigger, absent timeout - Live UID display, copy-to-auth button, save/clear settings from UI - Access state: idle / granted / denied with colour feedback
16 lines
905 B
Plaintext
16 lines
905 B
Plaintext
// ── Board secrets (EXAMPLE — copy to secrets.h and fill in your values) ───────
|
|
// DO NOT commit secrets.h to version control.
|
|
//
|
|
// API_SECRET — shared secret for HMAC-SHA256 API request authentication.
|
|
// Generate a strong random value with:
|
|
// python3 -c "import secrets; print(secrets.token_hex(32))"
|
|
// Then paste the same value into the board's Edit page in the Location
|
|
// Management server.
|
|
//
|
|
// WEB_USER / WEB_PASSWORD — credentials for the browser control panel.
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
#define API_SECRET "REPLACE_WITH_OUTPUT_OF_python3_-c_import_secrets_token_hex_32"
|
|
#define WEB_USER "your_username"
|
|
#define WEB_PASSWORD "your_password"
|