From f46b1c31b5878f8bfddd73e8919c73f8d3f51d6c Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Fri, 9 Jan 2026 12:33:23 -0500
Subject: [PATCH] feat: Add CSRF protection to assign and filter APIs

- Add CSRF validation to assign_ticket.php
- Add CSRF validation to saved_filters.php
- Supports POST, PUT, and DELETE methods

Co-Authored-By: Claude Sonnet 4.5
---
 api/assign_ticket.php | 11 +++++++++++
 api/saved_filters.php | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/api/assign_ticket.php b/api/assign_ticket.php
index febc5f1..78ae531 100644
--- a/api/assign_ticket.php
+++ b/api/assign_ticket.php
@@ -12,6 +12,17 @@ if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
     exit;
 }
 
+// CSRF Protection
+require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+    if (!CsrfMiddleware::validateToken($csrfToken)) {
+        http_response_code(403);
+        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+        exit;
+    }
+}
+
 $userId = $_SESSION['user']['user_id'];
 
 // Get request data
diff --git a/api/saved_filters.php b/api/saved_filters.php
index de194f8..04450e6 100644
--- a/api/saved_filters.php
+++ b/api/saved_filters.php
@@ -17,6 +17,17 @@ if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
     exit;
 }
 
+// CSRF Protection
+require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'PUT' || $_SERVER['REQUEST_METHOD'] === 'DELETE') {
+    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+    if (!CsrfMiddleware::validateToken($csrfToken)) {
+        http_response_code(403);
+        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+        exit;
+    }
+}
+
 $userId = $_SESSION['user']['user_id'];
 
 // Create database connection
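Review bot: The guard `if ($_SERVER['REQUEST_METHOD'] === 'POST')` in the assign_ticket.php hunk leaves any other method this endpoint might act on (PUT, DELETE, PATCH) without a CSRF check, while the saved_filters.php hunk in the same patch enumerates three methods; whether assign_ticket.php handles anything but POST is not visible from the hunk, as the rest of each file lies outside it. Both hunks would be more robust as a deny-by-default on unsafe methods, `if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD', 'OPTIONS'], true)) {`, so a method added later is covered without touching this block. The same ten lines are duplicated verbatim in both files; folding them into one static helper on CsrfMiddleware (name to be chosen) called from each endpoint would keep the two checks from drifting apart. Note also that a missing `X-CSRF-Token` header is validated as `''`, which is only safe if `CsrfMiddleware::validateToken` rejects an empty token — that implementation is outside this patch and worth confirming.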