jilo-web/app/includes/csrf_middleware.php

<?php

require_once __DIR__ . '/../helpers/security.php';

function applyCsrfMiddleware() {
    $security = SecurityHelper::getInstance();

    // Skip CSRF check for GET requests
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        return true;
    }

    // Skip CSRF check for initial login attempt
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && 
        isset($_GET['page']) && $_GET['page'] === 'login' && 
        !isset($_SESSION['username'])) {
        return true;
    }

    // Check CSRF token for all other POST requests
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $token = $_POST['csrf_token'] ?? '';
        if (!$security->verifyCsrfToken($token)) {
            // Log CSRF attempt
            error_log("CSRF attempt detected from IP: " . $_SERVER['REMOTE_ADDR']);
//FIXME log class not loaded
//            $logObject->insertLog(0, "CSRF attempt detected from IP: " . $_SERVER['REMOTE_ADDR'], 'system');

            // Return error message
            http_response_code(403);
            die('Invalid CSRF token. Please try again.');
        }
    }

    return true;
}
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`<?php`

Reorganizes helper include files 2025-02-17 14:50:57 +00:00			`require_once __DIR__ . '/../helpers/security.php';`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00
Adds tests for middleware 2025-02-19 13:31:01 +00:00			`function applyCsrfMiddleware() {`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`$security = SecurityHelper::getInstance();`

			`// Skip CSRF check for GET requests`
			`if ($_SERVER['REQUEST_METHOD'] === 'GET') {`
			`return true;`
			`}`

			`// Skip CSRF check for initial login attempt`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST' &&`
			`isset($_GET['page']) && $_GET['page'] === 'login' &&`
			`!isset($_SESSION['username'])) {`
			`return true;`
			`}`

			`// Check CSRF token for all other POST requests`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
			`$token = $_POST['csrf_token'] ?? '';`
			`if (!$security->verifyCsrfToken($token)) {`
			`// Log CSRF attempt`
			`error_log("CSRF attempt detected from IP: " . $_SERVER['REMOTE_ADDR']);`
Temporary fix for CSRF logging 2025-02-22 22:04:26 +00:00			`//FIXME log class not loaded`
			`// $logObject->insertLog(0, "CSRF attempt detected from IP: " . $_SERVER['REMOTE_ADDR'], 'system');`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00
			`// Return error message`
			`http_response_code(403);`
			`die('Invalid CSRF token. Please try again.');`
			`}`
			`}`

			`return true;`
			`}`