Example #1
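/**
 * Reject the current request unless the POSTed CSRF token matches CSRF_TOKEN.
 *
 * Reads $_POST['csrf_token'] and compares it with the CSRF_TOKEN constant via
 * constant_time_compare(). A missing, non-string or mismatching token results
 * in a call to jsonError('Invalid CSRF token').
 *
 * NOTE(review): presumably jsonError() terminates the request; if it returns,
 * the caller carries on as though the check had passed. Confirm.
 * NOTE(review): CSRF_TOKEN is defined outside this block; confirm it is bound
 * to the user's session rather than being a fixed application-wide value.
 *
 * @return void
 */
function checkCsrfToken()
{
    // The field is attacker-controlled: it may be absent or sent as an array
    // (csrf_token[]=...). Neither is a candidate token, so reject both before
    // they reach the comparison helper.
    $submitted = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : null;

    if (!is_string($submitted) || !constant_time_compare(CSRF_TOKEN, $submitted)) {
        jsonError('Invalid CSRF token');
    }
}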
Example #2
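/**
 * Verify a signed, expiring query-string payload.
 *
 * The signature is an HMAC over "<decoded val>|<exp>|<decoded nonce>" keyed
 * with $secret_key, and must match 'sig'. The payload is accepted only while
 * time() is strictly less than 'exp' (cast to int).
 *
 * NOTE(review): the HMAC uses MD5. Changing the algorithm here would invalidate
 * every signature issued by the signing side, so it is left as is; plan a
 * coordinated move to SHA-256.
 * NOTE(review): decoded 'val' and 'nonce' are joined with '|' without length
 * prefixes, so values containing '|' make the signed string ambiguous. Confirm
 * that the signer never emits such values.
 * NOTE(review): nothing in this function records the nonce; replay protection,
 * if required, must live in the caller.
 *
 * @param array  $query_array Parsed query parameters; must contain 'val', 'sig', 'exp' and 'nonce'.
 * @param string $secret_key  HMAC key shared with the signer.
 *
 * @return bool True when the signature matches and the payload has not expired.
 */
function is_valid_signature($query_array, $secret_key)
{
    foreach (array('val', 'sig', 'exp', 'nonce') as $required) {
        if (!array_key_exists($required, $query_array)) {
            return false;
        }
    }

    $val = $query_array['val'];
    $sig = $query_array['sig'];
    $exp = $query_array['exp'];
    $nonce_b64 = $query_array['nonce'];

    // Query parameters can arrive as arrays (sig[]=...). Such values would raise
    // errors in base64_decode() or be stringified as "Array" inside the signed
    // string, so anything that is not a scalar of the expected type is rejected.
    if (!is_string($val) || !is_string($sig) || !is_string($nonce_b64)) {
        return false;
    }
    if (!is_string($exp) && !is_int($exp)) {
        return false;
    }

    $data = base64_decode($val);
    $nonce = base64_decode($nonce_b64);
    $mac = hash_hmac('md5', $data . '|' . $exp . '|' . $nonce, $secret_key);

    // Both checks are always evaluated and combined with a bitwise AND, so the
    // expiry test does not short-circuit around the signature comparison.
    $mac_ok = constant_time_compare($mac, $sig);
    $not_expired = time() < (int) $exp;

    return (bool) ($mac_ok & $not_expired);
}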