From fa9d9dfe0f119b4ba458042257bac149e7f6b2c9 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Fri, 9 Jan 2026 12:32:34 -0500
Subject: [PATCH] feat: Add CSRF protection to critical API endpoints

- Add CSRF validation to update_ticket.php
- Add CSRF validation to add_comment.php
- Add CSRF validation to bulk_operation.php
- All POST/PUT requests now require valid CSRF token

Co-Authored-By: Claude Sonnet 4.5
---
 api/add_comment.php | 12 ++++++++++++
 api/bulk_operation.php | 11 +++++++++++
 api/update_ticket.php | 13 +++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/api/add_comment.php b/api/add_comment.php
index bca3664..343fc52 100644
--- a/api/add_comment.php
+++ b/api/add_comment.php
@@ -30,6 +30,18 @@ try {
 throw new Exception("Authentication required");
 }
 
+ // CSRF Protection
+ require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+ if (!CsrfMiddleware::validateToken($csrfToken)) {
+ http_response_code(403);
+ header('Content-Type: application/json');
+ echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+ exit;
+ }
+ }
+
 $currentUser = $_SESSION['user'];
 $userId = $currentUser['user_id'];
diff --git a/api/bulk_operation.php b/api/bulk_operation.php
index 29857c8..8d06ce5 100644
--- a/api/bulk_operation.php
+++ b/api/bulk_operation.php
@@ -13,6 +13,17 @@ if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
 exit;
 }
 
+// CSRF Protection
+require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+ if (!CsrfMiddleware::validateToken($csrfToken)) {
+ http_response_code(403);
+ echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+ exit;
+ }
+}
+
 // Check admin status - bulk operations are admin-only
 $isAdmin = $_SESSION['user']['is_admin'] ?? false;
 if (!$isAdmin) {
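Review bot: The method gate `if ($_SERVER['REQUEST_METHOD'] === 'POST')` only covers POST, so a request arriving with any other state-changing method (PUT, PATCH, DELETE) reaches the handler below with no token check; whether the handler rejects those methods is outside the hunk, so the protection is only as strong as that later check. bulk_operation.php has the same POST-only gate, and update_ticket.php covers POST and PUT but likewise not PATCH or DELETE. A safer shape is to exempt only the safe methods and check everything else: `if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD', 'OPTIONS'], true)) {`. The enclosing `try` block begins before the hunk.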
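Review bot: The 403 branch in bulk_operation.php omits the `header('Content-Type: application/json');` that the add_comment.php and update_ticket.php copies send before `echo json_encode(...)`, so unless this file already sets the content type earlier (not visible in the hunk) the rejection goes out as text/html while the other two endpoints return JSON. Adding that one line makes the three rejection responses identical. Because this endpoint is admin-only, a rejected token is also worth recording through the project's existing logging with the session user id, so repeated failures are visible to whoever monitors the application.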
diff --git a/api/update_ticket.php b/api/update_ticket.php
index 97d86bb..f369ba4 100644
--- a/api/update_ticket.php
+++ b/api/update_ticket.php
@@ -59,6 +59,19 @@ try {
 if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
 throw new Exception("Authentication required");
 }
+
+ // CSRF Protection
+ require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+ if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'PUT') {
+ $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+ if (!CsrfMiddleware::validateToken($csrfToken)) {
+ http_response_code(403);
+ header('Content-Type: application/json');
+ echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+ exit;
+ }
+ }
+
 $currentUser = $_SESSION['user'];
 $userId = $currentUser['user_id'];
 $isAdmin = $currentUser['is_admin'] ?? false;
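Review bot: This is the third near-verbatim copy of the token check (after add_comment.php and bulk_operation.php), and the copies already disagree on the method list and on whether the Content-Type header is sent; a single static helper in CsrfMiddleware that performs the method gate, the validation and the 403 response (for example `CsrfMiddleware::requireValidToken();` — name proposed, not existing) would stop the endpoints drifting further apart. The comparison inside `CsrfMiddleware::validateToken` is not visible here; if it does not already compare the header value against the session-stored token with `hash_equals()`, that is the place to confirm. The enclosing `try` block starts before the hunk, and the `exit` inside it ends the request without reaching any later handling in that block.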