# TODO

- [x] Fix `account.php`: replace `!==` CSRF token check with `hash_equals` (constant-time comparison)
- [x] Fix `ShareLink::setPassword()`: also encrypt and store plain-text password, matching `create()` behavior
- [x] Audit: confirm all remaining credential comparison sites use constant-time `hash_equals` or `password_verify`
- [x] Fix `.gitignore`: anchor `vendor/` to root (`/vendor/`) so `app/public/assets/js/vendor/` (htmx, OverType, FilePond) is tracked