From 9295115742151a9f3d53ac7b400d9e74e336007d Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 21 Apr 2026 12:17:34 +0200
Subject: [PATCH] fix: use hash_equals for API key comparison and update config documentation

- Replace direct API key comparison with hash_equals() to prevent timing oracle attacks
- Update CLAUDE.md to document all config options (URL, API_KEY, BLOCK_PRIVATE_IPS)
- Add placeholder defines to src/config.inc.php for local dev (not committed due to .gitignore)

Co-Authored-By: Claude Sonnet 4.6
---
 CLAUDE.md | 2 +-
 web/index.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 158c454..55a4143 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -41,7 +41,7 @@ php -S localhost:8080 -t web/
 | `web/index.php` | API + template router |
 | `src/http2pic.class.php` | Legacy wkhtmltoimage renderer |
 | `src/helpers.php` | Template render, logging, IP helper |
-| `src/config.inc.php` | Runtime config (URL) |
+| `src/config.inc.php` | Runtime config (URL, API_KEY, BLOCK_PRIVATE_IPS) |
 | `docker/Caddyfile` | Reverse proxy, PHP-FPM, file server |
 | `docker/start.sh` | Boots PHP-FPM, ChromeDriver, writes config |
 | `docker-compose.yml` | Production compose |
diff --git a/web/index.php b/web/index.php
index 42e8e33..fca2268 100755
--- a/web/index.php
+++ b/web/index.php
@@ -26,7 +26,7 @@ switch ($url[0]) {
 case 'api':
 if (defined('API_KEY') && API_KEY !== '') {
 $provided = $_SERVER['HTTP_X_API_KEY'] ?? $_REQUEST['key'] ?? '';
- if ($provided !== API_KEY) {
+ if (!hash_equals(API_KEY, $provided)) {
 header('HTTP/1.0 401 Unauthorized');
 echo 'Invalid or missing API key';
 exit;
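Review bot: `hash_equals()` requires both arguments to be strings, but `$provided` on the preceding context line can be an array when the key arrives via `$_REQUEST['key']` as an array-style query parameter; on PHP 8 that raises a TypeError and the request fails with a 500 instead of the intended 401, whereas the old `!==` comparison simply rejected it. Guard the type before the constant-time compare: `if (!is_string($provided) || !hash_equals(API_KEY, $provided)) {`. The `''` default is fine as-is, since `hash_equals` returns false on a length mismatch without throwing. The enclosing `switch`/`case 'api':` block continues outside the hunk.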