🚀 مُصادَق: تحديث برمجي جديد 2026-05-03 13:19

2026-05-03 13:19:45 +03:00
parent cf68007ef1
commit 2de6a0adfd
32 changed files with 1133 additions and 102 deletions
--- a/app/Middleware/CsrfMiddleware.php
+++ b/app/Middleware/CsrfMiddleware.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+use App\Core\{Request, Response};
+
+final class CsrfMiddleware
+{
+    public function handle(Request $request, callable $next): mixed
+    {
+        // Skip CSRF check for safe methods
+        if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
+            return $next($request);
+        }
+
+        // For APIs, we often use a custom header or check origin
+        // If we use sessions for tokens:
+        if (session_status() === PHP_SESSION_NONE) {
+            session_start();
+        }
+
+        $token = $request->getHeader('X-CSRF-TOKEN') ?: ($request->getBody()['_csrf'] ?? null);
+        $sessionToken = $_SESSION['csrf_token'] ?? null;
+
+        if (!$token || !$sessionToken || !hash_equals($sessionToken, $token)) {
+            // For now, if we are purely API with Bearer token, we might skip this.
+            // But if the request has a session or cookie, it's mandatory.
+            
+            // If the Authorization header is present, we might assume it's an API call
+            // that is naturally protected against CSRF if not using cookies for Auth.
+            if ($request->getHeader('Authorization')) {
+                return $next($request);
+            }
+
+            Response::error('رمز الحماية (CSRF) غير صالح أو مفقود', 'CSRF_INVALID', 403);
+            return null;
+        }
+
+        return $next($request);
+    }
+}