middleware/CsrfMiddleware.php

<?php
/**
 * CSRF Protection Middleware
 * Generates and validates CSRF tokens for all state-changing operations
 */
class CsrfMiddleware {
    private static string $tokenName = 'csrf_token';
    private static string $tokenTime = 'csrf_token_time';
    private static int $tokenLifetime = 3600; // 1 hour

    /**
     * Generate a new CSRF token
     */
    public static function generateToken(): string {
        $_SESSION[self::$tokenName] = bin2hex(random_bytes(32));
        $_SESSION[self::$tokenTime] = time();
        return $_SESSION[self::$tokenName];
    }

    /**
     * Get current CSRF token, regenerate if expired
     */
    public static function getToken(): string {
        if (!isset($_SESSION[self::$tokenName]) || self::isTokenExpired()) {
            return self::generateToken();
        }
        return $_SESSION[self::$tokenName];
    }

    /**
     * Validate CSRF token (constant-time comparison)
     */
    public static function validateToken(string $token): bool {
        if (!isset($_SESSION[self::$tokenName])) {
            return false;
        }

        if (self::isTokenExpired()) {
            self::generateToken(); // Auto-regenerate expired token
            return false;
        }

        // Constant-time comparison to prevent timing attacks
        return hash_equals($_SESSION[self::$tokenName], $token);
    }

    /**
     * Check if token is expired
     */
    private static function isTokenExpired(): bool {
        return !isset($_SESSION[self::$tokenTime]) ||
               (time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;
    }
}
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 11:45:23 -05:00			`<?php`
			`/**`
			`* CSRF Protection Middleware`
			`* Generates and validates CSRF tokens for all state-changing operations`
			`*/`
			`class CsrfMiddleware {`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`private static string $tokenName = 'csrf_token';`
			`private static string $tokenTime = 'csrf_token_time';`
			`private static int $tokenLifetime = 3600; // 1 hour`
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 11:45:23 -05:00
			`/**`
			`* Generate a new CSRF token`
			`*/`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`public static function generateToken(): string {`
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 11:45:23 -05:00			`$_SESSION[self::$tokenName] = bin2hex(random_bytes(32));`
			`$_SESSION[self::$tokenTime] = time();`
			`return $_SESSION[self::$tokenName];`
			`}`

			`/**`
			`* Get current CSRF token, regenerate if expired`
			`*/`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`public static function getToken(): string {`
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 11:45:23 -05:00			`if (!isset($_SESSION[self::$tokenName]) \|\| self::isTokenExpired()) {`
			`return self::generateToken();`
			`}`
			`return $_SESSION[self::$tokenName];`
			`}`

			`/**`
			`* Validate CSRF token (constant-time comparison)`
			`*/`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`public static function validateToken(string $token): bool {`
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 11:45:23 -05:00			`if (!isset($_SESSION[self::$tokenName])) {`
			`return false;`
			`}`

			`if (self::isTokenExpired()) {`
			`self::generateToken(); // Auto-regenerate expired token`
			`return false;`
			`}`

			`// Constant-time comparison to prevent timing attacks`
			`return hash_equals($_SESSION[self::$tokenName], $token);`
			`}`

			`/**`
			`* Check if token is expired`
			`*/`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`private static function isTokenExpired(): bool {`
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-09 11:45:23 -05:00			`return !isset($_SESSION[self::$tokenTime]) \|\|`
			`(time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;`
			`}`
			`}`