middleware/CsrfMiddleware.php

<?php

/**
 * CSRF Protection Middleware
 * Generates and validates CSRF tokens for all state-changing operations
 */
class CsrfMiddleware
{
    private static string $tokenName = 'csrf_token';
    private static string $tokenTime = 'csrf_token_time';
    private static int $tokenLifetime = 3600; // 1 hour

    /**
     * Generate a new CSRF token
     */
    public static function generateToken(): string
    {
        $_SESSION[self::$tokenName] = bin2hex(random_bytes(32));
        $_SESSION[self::$tokenTime] = time();
        return $_SESSION[self::$tokenName];
    }

    /**
     * Get current CSRF token, regenerate if expired
     */
    public static function getToken(): string
    {
        if (!isset($_SESSION[self::$tokenName]) || self::isTokenExpired()) {
            return self::generateToken();
        }
        return $_SESSION[self::$tokenName];
    }

    /**
     * Validate CSRF token (constant-time comparison)
     */
    public static function validateToken(string $token): bool
    {
        if (!isset($_SESSION[self::$tokenName])) {
            return false;
        }

        if (self::isTokenExpired()) {
            self::generateToken(); // Auto-regenerate expired token
            return false;
        }

        // Constant-time comparison to prevent timing attacks
        return hash_equals($_SESSION[self::$tokenName], $token);
    }

    /**
     * Rotate the CSRF token after a successful validated POST.
     * Call this after validateToken() returns true, then include
     * the new token in the JSON response as 'csrf_token' so the
     * client can update window.CSRF_TOKEN for subsequent requests.
     *
     * @return string The new token
     */
    public static function rotateToken(): string
    {
        return self::generateToken();
    }

    /**
     * Check if token is expired
     */
    private static function isTokenExpired(): bool
    {
        return !isset($_SESSION[self::$tokenTime]) ||
               (time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;
    }
}
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`<?php`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`/**`
			`* CSRF Protection Middleware`
			`* Generates and validates CSRF tokens for all state-changing operations`
			`*/`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`class CsrfMiddleware`
			`{`
Add PHP 7.4+ type hints to helpers, models, and middleware 2026-01-29 11:04:36 -05:00			`private static string $tokenName = 'csrf_token';`
			`private static string $tokenTime = 'csrf_token_time';`
			`private static int $tokenLifetime = 3600; // 1 hour`
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00
			`/**`
			`* Generate a new CSRF token`
			`*/`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`public static function generateToken(): string`
			`{`
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`$_SESSION[self::$tokenName] = bin2hex(random_bytes(32));`
			`$_SESSION[self::$tokenTime] = time();`
			`return $_SESSION[self::$tokenName];`
			`}`

			`/**`
			`* Get current CSRF token, regenerate if expired`
			`*/`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`public static function getToken(): string`
			`{`
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`if (!isset($_SESSION[self::$tokenName]) \|\| self::isTokenExpired()) {`
			`return self::generateToken();`
			`}`
			`return $_SESSION[self::$tokenName];`
			`}`

			`/**`
			`* Validate CSRF token (constant-time comparison)`
			`*/`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`public static function validateToken(string $token): bool`
			`{`
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`if (!isset($_SESSION[self::$tokenName])) {`
			`return false;`
			`}`

			`if (self::isTokenExpired()) {`
			`self::generateToken(); // Auto-regenerate expired token`
			`return false;`
			`}`

			`// Constant-time comparison to prevent timing attacks`
			`return hash_equals($_SESSION[self::$tokenName], $token);`
			`}`

Apply web_template gap analysis improvements (P1-P3) 2026-03-29 17:02:40 -04:00			`/**`
			`* Rotate the CSRF token after a successful validated POST.`
			`* Call this after validateToken() returns true, then include`
			`* the new token in the JSON response as 'csrf_token' so the`
			`* client can update window.CSRF_TOKEN for subsequent requests.`
			`*`
			`* @return string The new token`
			`*/`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`public static function rotateToken(): string`
			`{`
Apply web_template gap analysis improvements (P1-P3) 2026-03-29 17:02:40 -04:00			`return self::generateToken();`
			`}`

feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`/**`
			`* Check if token is expired`
			`*/`
style: auto-fix 1340 phpcs PSR-12 violations via phpcbf; exclude MissingNamespace and SideEffects 2026-04-13 20:56:10 -04:00			`private static function isTokenExpired(): bool`
			`{`
feat: Add CSRF middleware and performance index migrations 2026-01-09 11:45:23 -05:00			`return !isset($_SESSION[self::$tokenTime]) \|\|`
			`(time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;`
			`}`
			`}`