<?php

namespace App\Middleware;

use App\Core\Request;
use App\Core\Response;
use App\Core\Session;

class CsrfMiddleware
{
    public function handle(Request $request, Response $response): void
    {
        $session = new Session();
        
        // Skip CSRF check for GET requests
        if ($request->getMethod() === 'GET') {
            return;
        }

        // Get CSRF token from request
        $token = $request->post('csrf_token') ?: $request->getHeader('X-CSRF-TOKEN');
        
        if (!$token) {
            $session->flash('error', 'CSRF-Token fehlt.');
            $response->redirect('/dashboard')->send();
        }

        // Validate CSRF token
        if (!$session->validateCsrfToken($token)) {
            $session->flash('error', 'Ungültiger CSRF-Token.');
            $response->redirect('/dashboard')->send();
        }
    }
}