<?php
namespace App\Middleware;
use App\Core\Request;
use App\Core\Response;
use App\Core\Session;
use Exception;
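class CsrfProtection implements MiddlewareInterface
{
    /**
     * HTTP methods treated as safe (no state change); requests using them
     * bypass token validation entirely.
     */
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    private Session $session;

    public function __construct(Session $session)
    {
        $this->session = $session;
    }

    /**
     * Handle CSRF token validation.
     *
     * Safe (read-only) methods are passed straight to $next. For any other
     * method the token is read from the `_csrf` request parameter, falling
     * back to the `X-CSRF-Token` header, and checked against the session.
     * A missing, non-string, empty or invalid token aborts the pipeline;
     * $next is only invoked once validation succeeds.
     *
     * @throws Exception code 403 when the token is absent or does not validate
     */
    public function handle(Request $request, Response $response, callable $next): void
    {
        // Skip validation for read-only requests. strict: true so only an exact
        // string match counts; a loose comparison could match unexpected values.
        // NOTE(review): assumes getMethod() returns the verb upper-cased — confirm
        // against Request, otherwise a lower-case "get" would be validated.
        if (in_array($request->getMethod(), self::SAFE_METHODS, true)) {
            $next();
            return;
        }

        // Retrieve token from request parameters or custom header
        $token = $request->input('_csrf') ?? $request->getHeader('X-CSRF-Token');

        // Reject an absent, non-string (e.g. array-valued parameter) or empty
        // token here, so that case yields the same 403 as an invalid token
        // instead of depending on how validateCsrfToken() treats null.
        // NOTE(review): assumes Session::validateCsrfToken() compares in constant
        // time (hash_equals) — confirm in Session.
        if (!is_string($token) || $token === '' || !$this->session->validateCsrfToken($token)) {
            throw new Exception("CSRF token validation failed. Request untrusted.", 403);
        }

        $next();
    }
}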