🚀 مُصادَق: تحديث برمجي جديد 2026-05-03 13:19

app/Middleware/CsrfMiddleware.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+use App\Core\{Request, Response};
+
+final class CsrfMiddleware
+{
+    public function handle(Request $request, callable $next): mixed
+    {
+        // Skip CSRF check for safe methods
+        if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
+            return $next($request);
+        }
+
+        // For APIs, we often use a custom header or check origin
+        // If we use sessions for tokens:
+        if (session_status() === PHP_SESSION_NONE) {
+            session_start();
+        }
+
+        $token = $request->getHeader('X-CSRF-TOKEN') ?: ($request->getBody()['_csrf'] ?? null);
+        $sessionToken = $_SESSION['csrf_token'] ?? null;
+
+        if (!$token || !$sessionToken || !hash_equals($sessionToken, $token)) {
+            // For now, if we are purely API with Bearer token, we might skip this.
+            // But if the request has a session or cookie, it's mandatory.
+            
+            // If the Authorization header is present, we might assume it's an API call
+            // that is naturally protected against CSRF if not using cookies for Auth.
+            if ($request->getHeader('Authorization')) {
+                return $next($request);
+            }
+
+            Response::error('رمز الحماية (CSRF) غير صالح أو مفقود', 'CSRF_INVALID', 403);
+            return null;
+        }
+
+        return $next($request);
+    }
+}

app/Middleware/RoleMiddleware.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+use App\Core\{Request, Response};
+
+final class RoleMiddleware
+{
+    /**
+     * Handle the request.
+     * 
+     * @param Request $request
+     * @param callable $next
+     * @param string ...$roles
+     * @return mixed
+     */
+    public function handle(Request $request, callable $next, string ...$roles): mixed
+    {
+        $user = $request->user ?? null;
+
+        if (!$user) {
+            Response::error('يجب تسجيل الدخول للوصول إلى هذا المورد', 'UNAUTHORIZED', 401);
+            return null;
+        }
+
+        // Check if user role is in the allowed roles
+        // $user->role is an object property since we cast it in AuthMiddleware
+        if (!in_array($user->role, $roles)) {
+            Response::error('غير مسموح لك بالقيام بهذا الإجراء', 'FORBIDDEN', 403);
+            return null;
+        }
+
+        return $next($request);
+    }
+}

app/Middleware/TenantMiddleware.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+use App\Core\{Request, Response, Database};
+
+final class TenantMiddleware
+{
+    public function handle(Request $request, callable $next): mixed
+    {
+        $tenantId = $request->tenantId ?? null;
+
+        if (!$tenantId) {
+            Response::error('المستأجر غير معروف', 'TENANT_NOT_FOUND', 400);
+            return null;
+        }
+
+        // Check if tenant exists and is active
+        try {
+            $db = Database::getInstance();
+            $stmt = $db->prepare("SELECT status FROM tenants WHERE id = ? AND deleted_at IS NULL");
+            $stmt->execute([$tenantId]);
+            $tenant = $stmt->fetch();
+
+            if (!$tenant) {
+                Response::error('المستأجر غير موجود', 'TENANT_NOT_FOUND', 404);
+                return null;
+            }
+
+            if ($tenant['status'] === 'suspended') {
+                Response::error('تم إيقاف حساب المستأجر', 'TENANT_SUSPENDED', 403);
+                return null;
+            }
+        } catch (\Exception $e) {
+            Response::error('خطأ في الاتصال بقاعدة البيانات', 'DATABASE_ERROR', 500);
+            return null;
+        }
+
+        return $next($request);
+    }
+}