LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e8b2f670b9f3393d367c2ec3887add25cae209af
tinker_tickets/middleware/CsrfMiddleware.php

55 lines
1.6 KiB
PHP
Raw Normal View History

feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 11:45:23 -05:00
<?php
/**
* CSRF Protection Middleware
* Generates and validates CSRF tokens for all state-changing operations
*/
class CsrfMiddleware {
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 11:04:36 -05:00
private static string $tokenName = 'csrf_token';
private static string $tokenTime = 'csrf_token_time';
private static int $tokenLifetime = 3600; // 1 hour
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 11:45:23 -05:00
/**
* Generate a new CSRF token
*/
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 11:04:36 -05:00
public static function generateToken(): string {
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 11:45:23 -05:00
$_SESSION[self::$tokenName] = bin2hex(random_bytes(32));
$_SESSION[self::$tokenTime] = time();
return $_SESSION[self::$tokenName];
}
/**
* Get current CSRF token, regenerate if expired
*/
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 11:04:36 -05:00
public static function getToken(): string {
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 11:45:23 -05:00
if (!isset($_SESSION[self::$tokenName]) || self::isTokenExpired()) {
return self::generateToken();
}
return $_SESSION[self::$tokenName];
}
/**
* Validate CSRF token (constant-time comparison)
*/
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 11:04:36 -05:00
public static function validateToken(string $token): bool {
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 11:45:23 -05:00
if (!isset($_SESSION[self::$tokenName])) {
return false;
}
if (self::isTokenExpired()) {
self::generateToken(); // Auto-regenerate expired token
return false;
}
// Constant-time comparison to prevent timing attacks
return hash_equals($_SESSION[self::$tokenName], $token);
}
/**
* Check if token is expired
*/
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 11:04:36 -05:00
private static function isTokenExpired(): bool {
feat: Add CSRF middleware and performance index migrations - Create CsrfMiddleware.php with token generation and validation - Add database indexes for ticket_comments and audit_log - Includes rollback script for safe deployment Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 11:45:23 -05:00
return !isset($_SESSION[self::$tokenTime]) ||
(time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;
}
}
Reference in New Issue Copy Permalink