jilo-web/app/includes/csrf_middleware.php

<?php

require_once __DIR__ . '/../helpers/security.php';

function applyCsrfMiddleware() {
    global $logObject, $user_IP;
    $security = SecurityHelper::getInstance();

    // Skip CSRF check for GET requests
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        return true;
    }

    // Skip CSRF check for initial login, registration, and 2FA verification attempts
    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
        isset($_GET['page']) && isset($_GET['action']) &&
        $_GET['page'] === 'login' && $_GET['action'] === 'verify' &&
        isset($_SESSION['2fa_pending_user_id'])) {
        return true;
    }

    // Skip CSRF check for initial login and registration attempts
    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
        isset($_GET['page']) &&
        in_array($_GET['page'], ['login', 'register']) &&
        !isset($_SESSION['username'])) {
        return true;
    }

    // Check CSRF token for all other POST requests
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Check for token in POST data or headers
        $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!$security->verifyCsrfToken($token)) {
            // Log CSRF attempt
            $ipAddress = $user_IP;
            $logMessage = sprintf(
                "CSRF attempt detected - IP: %s, Page: %s, User: %s",
                $ipAddress,
                $_GET['page'] ?? 'unknown',
                $_SESSION['username'] ?? 'anonymous'
            );
            $logObject->log('error', $logMessage, ['user_id' => null, 'scope' => 'system']);

            // Return error message
            http_response_code(403);
            die('Invalid CSRF token. Please try again.');
        }
    }

    return true;
}
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`<?php`

Reorganizes helper include files 2025-02-17 14:50:57 +00:00			`require_once __DIR__ . '/../helpers/security.php';`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00
Adds tests for middleware 2025-02-19 13:31:01 +00:00			`function applyCsrfMiddleware() {`
Makes the old code work with the new Log plugin 2025-04-25 07:13:12 +00:00			`global $logObject, $user_IP;`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`$security = SecurityHelper::getInstance();`

			`// Skip CSRF check for GET requests`
			`if ($_SERVER['REQUEST_METHOD'] === 'GET') {`
			`return true;`
			`}`

Fixes CSRF issue after login with 2fa code 2025-04-12 13:28:33 +00:00			`// Skip CSRF check for initial login, registration, and 2FA verification attempts`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST' &&`
			`isset($_GET['page']) && isset($_GET['action']) &&`
			`$_GET['page'] === 'login' && $_GET['action'] === 'verify' &&`
			`isset($_SESSION['2fa_pending_user_id'])) {`
			`return true;`
			`}`

Fixes CSRF 2025-02-23 15:48:02 +00:00			`// Skip CSRF check for initial login and registration attempts`
Fixes CSRF issue after login with 2fa code 2025-04-12 13:28:33 +00:00			`if ($_SERVER['REQUEST_METHOD'] === 'POST' &&`
			`isset($_GET['page']) &&`
			`in_array($_GET['page'], ['login', 'register']) &&`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`!isset($_SESSION['username'])) {`
			`return true;`
			`}`

			`// Check CSRF token for all other POST requests`
			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
Fixes config file editing 2025-04-11 13:55:08 +00:00			`// Check for token in POST data or headers`
			`$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00			`if (!$security->verifyCsrfToken($token)) {`
			`// Log CSRF attempt`
Makes the old code work with the new Log plugin 2025-04-25 07:13:12 +00:00			`$ipAddress = $user_IP;`
Adds proper logging to CSRF middleware 2025-02-23 11:51:36 +00:00			`$logMessage = sprintf(`
			`"CSRF attempt detected - IP: %s, Page: %s, User: %s",`
Gets the client IP from a central place 2025-02-23 15:58:26 +00:00			`$ipAddress,`
Adds proper logging to CSRF middleware 2025-02-23 11:51:36 +00:00			`$_GET['page'] ?? 'unknown',`
			`$_SESSION['username'] ?? 'anonymous'`
			`);`
Updates log calls to new syntax 2025-04-27 16:00:58 +00:00			`$logObject->log('error', $logMessage, ['user_id' => null, 'scope' => 'system']);`
Implements security helper and CSRF middleware 2025-01-30 16:47:13 +00:00
			`// Return error message`
			`http_response_code(403);`
			`die('Invalid CSRF token. Please try again.');`
			`}`
			`}`

			`return true;`
			`}`