Complete Phase 1: MVC, DB migrations, Auth, RBAC, Security, and Views

app/Middleware/CsrfProtection.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace App\Middleware;
+
+use App\Core\Request;
+use App\Core\Response;
+use App\Core\Session;
+use Exception;
+
+class CsrfProtection implements MiddlewareInterface
+{
+    private Session $session;
+
+    public function __construct(Session $session)
+    {
+        $this->session = $session;
+    }
+
+    /**
+     * Handle CSRF token validation.
+     */
+    public function handle(Request $request, Response $response, callable $next): void
+    {
+        // Skip validation for read-only requests
+        if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
+            $next();
+            return;
+        }
+
+        // Retrieve token from request parameters or custom header
+        $token = $request->input('_csrf') ?? $request->getHeader('X-CSRF-Token');
+
+        if (!$this->session->validateCsrfToken($token)) {
+            throw new Exception("CSRF token validation failed. Request untrusted.", 403);
+        }
+
+        $next();
+    }
+}