tinker_tickets/middleware/CsrfMiddleware.php

<?php
/**
 * CSRF Protection Middleware
 * Generates and validates CSRF tokens for all state-changing operations
 */
class CsrfMiddleware {
    private static string $tokenName = 'csrf_token';
    private static string $tokenTime = 'csrf_token_time';
    private static int $tokenLifetime = 3600; // 1 hour

    /**
     * Generate a new CSRF token
     */
    public static function generateToken(): string {
        $_SESSION[self::$tokenName] = bin2hex(random_bytes(32));
        $_SESSION[self::$tokenTime] = time();
        return $_SESSION[self::$tokenName];
    }

    /**
     * Get current CSRF token, regenerate if expired
     */
    public static function getToken(): string {
        if (!isset($_SESSION[self::$tokenName]) || self::isTokenExpired()) {
            return self::generateToken();
        }
        return $_SESSION[self::$tokenName];
    }

    /**
     * Validate CSRF token (constant-time comparison)
     */
    public static function validateToken(string $token): bool {
        if (!isset($_SESSION[self::$tokenName])) {
            return false;
        }

        if (self::isTokenExpired()) {
            self::generateToken(); // Auto-regenerate expired token
            return false;
        }

        // Constant-time comparison to prevent timing attacks
        return hash_equals($_SESSION[self::$tokenName], $token);
    }

    /**
     * Rotate the CSRF token after a successful validated POST.
     * Call this after validateToken() returns true, then include
     * the new token in the JSON response as 'csrf_token' so the
     * client can update window.CSRF_TOKEN for subsequent requests.
     *
     * @return string The new token
     */
    public static function rotateToken(): string {
        return self::generateToken();
    }

    /**
     * Check if token is expired
     */
    private static function isTokenExpired(): bool {
        return !isset($_SESSION[self::$tokenTime]) ||
               (time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;
    }
}