<?php

namespace App\Middleware;

use App\Core\Request;
use App\Core\Response;
use App\Core\Session;
use Exception;

class CsrfProtection implements MiddlewareInterface
{
    private Session $session;

    public function __construct(Session $session)
    {
        $this->session = $session;
    }

    /**
     * Handle CSRF token validation.
     */
    public function handle(Request $request, Response $response, callable $next): void
    {
        // Skip validation for read-only requests
        if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
            $next();
            return;
        }

        // Retrieve token from request parameters or custom header
        $token = $request->input('_csrf') ?? $request->getHeader('X-CSRF-Token');

        if (!$this->session->validateCsrfToken($token)) {
            throw new Exception("CSRF token validation failed. Request untrusted.", 403);
        }

        $next();
    }
}