Jared Vititoe
37be81b3e2
Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
55 lines
1.6 KiB
PHP
55 lines
1.6 KiB
PHP
<?php
|
|
/**
|
|
* CSRF Protection Middleware
|
|
* Generates and validates CSRF tokens for all state-changing operations
|
|
*/
|
|
class CsrfMiddleware {
|
|
private static string $tokenName = 'csrf_token';
|
|
private static string $tokenTime = 'csrf_token_time';
|
|
private static int $tokenLifetime = 3600; // 1 hour
|
|
|
|
/**
|
|
* Generate a new CSRF token
|
|
*/
|
|
public static function generateToken(): string {
|
|
$_SESSION[self::$tokenName] = bin2hex(random_bytes(32));
|
|
$_SESSION[self::$tokenTime] = time();
|
|
return $_SESSION[self::$tokenName];
|
|
}
|
|
|
|
/**
|
|
* Get current CSRF token, regenerate if expired
|
|
*/
|
|
public static function getToken(): string {
|
|
if (!isset($_SESSION[self::$tokenName]) || self::isTokenExpired()) {
|
|
return self::generateToken();
|
|
}
|
|
return $_SESSION[self::$tokenName];
|
|
}
|
|
|
|
/**
|
|
* Validate CSRF token (constant-time comparison)
|
|
*/
|
|
public static function validateToken(string $token): bool {
|
|
if (!isset($_SESSION[self::$tokenName])) {
|
|
return false;
|
|
}
|
|
|
|
if (self::isTokenExpired()) {
|
|
self::generateToken(); // Auto-regenerate expired token
|
|
return false;
|
|
}
|
|
|
|
// Constant-time comparison to prevent timing attacks
|
|
return hash_equals($_SESSION[self::$tokenName], $token);
|
|
}
|
|
|
|
/**
|
|
* Check if token is expired
|
|
*/
|
|
private static function isTokenExpired(): bool {
|
|
return !isset($_SESSION[self::$tokenTime]) ||
|
|
(time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;
|
|
}
|
|
}
|