🚀 مُصادَق: تحديث برمجي جديد 2026-05-03 15:51
@@ -15,14 +15,30 @@ final class AuthMiddleware
|
||||
public function handle(Request $request, callable $next): mixed
|
||||
{
|
||||
$authHeader = $request->getHeader('Authorization');
|
||||
$token = null;
|
||||
|
||||
if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {
|
||||
if ($authHeader && str_starts_with($authHeader, 'Bearer ')) {
|
||||
$token = substr($authHeader, 7);
|
||||
} elseif (isset($_COOKIE['access_token'])) {
|
||||
$token = $_COOKIE['access_token'];
|
||||
|
||||
// CSRF Check for browser sessions using cookies
|
||||
if (in_array($request->getMethod(), ['POST', 'PUT', 'DELETE', 'PATCH'])) {
|
||||
$csrfHeader = $request->getHeader('X-CSRF-TOKEN');
|
||||
$csrfCookie = $_COOKIE['csrf_token'] ?? null;
|
||||
|
||||
if (!$csrfHeader || !$csrfCookie || !hash_equals($csrfCookie, $csrfHeader)) {
|
||||
Response::error('انتهت صلاحية الجلسة أو فشل التحقق الأمني (CSRF)', 'CSRF_FAILED', 403);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!$token) {
|
||||
Response::error('يجب تسجيل الدخول للوصول إلى هذا المورد', 'UNAUTHORIZED', 401);
|
||||
return null;
|
||||
}
|
||||
|
||||
$token = substr($authHeader, 7);
|
||||
|
||||
try {
|
||||
$decoded = $this->jwtService->verifyToken($token);
|
||||
|
||||
|
||||
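Review bot: The CSRF gate in the cookie branch compares the method with a loose `in_array`, so pass `strict: true` and, unless `getMethod()` is known to return an upper-cased verb, normalise first: `if (in_array(strtoupper($request->getMethod()), ['POST', 'PUT', 'DELETE', 'PATCH'], true)) {`. `hash_equals()` accepts only strings, and PHP parses a bracketed cookie name such as `csrf_token[]` into an array, so `$csrfCookie` can arrive as a non-string and turn the intended 403 into a TypeError; add `!is_string($csrfCookie) || !is_string($csrfHeader) ||` to the condition before the comparison. If the line `$token = substr($authHeader, 7);` below the 401 check is still present on the new side, it overwrites the cookie-sourced token with a substring of a null header and should be dropped now that the Bearer branch assigns `$token`. The double-submit check is only as strong as an attacker's inability to set a `csrf_token` cookie for this origin, which deserves a sentence in the comment above the block. The `try` opened at the end of the hunk continues outside it.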