0b42271bfe
- Add comprehensive error handling system with custom error pages - Implement professional enterprise-style design with Tailwind CSS - Create modular HMVC architecture with clean separation of concerns - Add security features: CSRF protection, XSS filtering, Argon2ID hashing - Include CLI tools for development workflow - Add error reporting dashboard with system monitoring - Implement responsive design with consistent slate color scheme - Replace all emoji icons with professional SVG icons - Add comprehensive test suite with PHPUnit - Include database migrations and seeders - Add proper exception handling with fallback pages - Implement template engine with custom syntax support - Add helper functions and facades for clean code - Include proper logging and debugging capabilities
51 lines
1.2 KiB
PHP
51 lines
1.2 KiB
PHP
<?php
|
|
|
|
namespace App\Core\Middleware;
|
|
|
|
/**
|
|
* CSRF Middleware
|
|
* Cross-Site Request Forgery protection
|
|
*/
|
|
class CsrfMiddleware
|
|
{
|
|
public function handle(string $method, string $uri, callable $next): void
|
|
{
|
|
// Skip CSRF check for GET requests
|
|
if ($method === 'GET') {
|
|
$next();
|
|
return;
|
|
}
|
|
|
|
// Skip CSRF check for API routes (if Accept header is application/json)
|
|
if (isset($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json')) {
|
|
$next();
|
|
return;
|
|
}
|
|
|
|
// Check CSRF token
|
|
$token = $_POST['_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
|
|
|
|
if (!$token || !$this->verifyToken($token)) {
|
|
http_response_code(419);
|
|
echo "<h1>419 - Page Expired</h1>";
|
|
echo "<p>CSRF token mismatch. Please refresh the page and try again.</p>";
|
|
return;
|
|
}
|
|
|
|
// Continue to next middleware
|
|
$next();
|
|
}
|
|
|
|
/**
|
|
* Verify CSRF token
|
|
*/
|
|
private function verifyToken(string $token): bool
|
|
{
|
|
if (!isset($_SESSION['csrf_token'])) {
|
|
return false;
|
|
}
|
|
|
|
return hash_equals($_SESSION['csrf_token'], $token);
|
|
}
|
|
}
|