<?php
namespace App\Middleware;
use App\Core\Request;
use App\Core\Response;
use App\Core\Session;
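class CsrfMiddleware
{
    /**
     * HTTP methods exempt from the CSRF check.
     *
     * These methods are defined as safe (read-only) by the HTTP spec, so a
     * forged request of this kind cannot change server state. OPTIONS must
     * also be exempt because CORS preflights cannot carry a custom header.
     */
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    /**
     * Reject state-changing requests that do not carry a valid CSRF token.
     *
     * The token is read from the `csrf_token` POST field, falling back to the
     * `X-CSRF-TOKEN` header for AJAX/API clients. A missing or invalid token
     * flashes an error message into the session and redirects to /dashboard.
     *
     * NOTE(review): this method returns void after the redirect has been sent.
     * It relies on Response::send() (or the dispatcher) to stop further
     * processing; if neither does, the protected handler would still run
     * after a failed check — confirm against Response/the dispatcher.
     */
    public function handle(Request $request, Response $response): void
    {
        // Constructed before the method check on purpose: the original code
        // did so as well, and Session's constructor may have side effects
        // (e.g. starting the session) that GET requests depend on.
        $session = new Session();

        // Safe methods carry no state change worth protecting.
        if (in_array($request->getMethod(), self::SAFE_METHODS, true)) {
            return;
        }

        // Form submissions send the token as a POST field; AJAX/API clients
        // send it as a header. An empty POST value falls back to the header.
        $token = $request->post('csrf_token') ?: $request->getHeader('X-CSRF-TOKEN');

        // A non-string value (e.g. `csrf_token[]=...` in the form body) must
        // never reach the comparison; treat it exactly like a missing token.
        if (!is_string($token) || $token === '') {
            $session->flash('error', 'CSRF-Token fehlt.');
            $response->redirect('/dashboard')->send();
            // Without this return the validation below would run on a
            // missing token and a second redirect would be sent.
            return;
        }

        if (!$session->validateCsrfToken($token)) {
            $session->flash('error', 'Ungültiger CSRF-Token.');
            $response->redirect('/dashboard')->send();
        }
    }
}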