From 5246c47ee65e54588a9fe922c148ffe6c236eb1b Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov <yasen@lindeas.com>
Date: Wed, 16 Apr 2025 13:11:51 +0300
Subject: [PATCH] Makes csrf_token a global constant and moves it to includes

---
 app/{templates => includes}/csrf_token.php | 0
 app/templates/config.php                   | 2 +-
 app/templates/form-login.php               | 2 +-
 app/templates/form-password-forgot.php     | 2 +-
 app/templates/form-password-reset.php      | 2 +-
 app/templates/form-register.php            | 2 +-
 app/templates/profile-edit.php             | 4 ++--
 app/templates/security.php                 | 8 ++++----
 public_html/index.php                      | 5 +++++
 9 files changed, 16 insertions(+), 11 deletions(-)
 rename app/{templates => includes}/csrf_token.php (100%)

diff --git a/app/templates/csrf_token.php b/app/includes/csrf_token.php
similarity index 100%
rename from app/templates/csrf_token.php
rename to app/includes/csrf_token.php
diff --git a/app/templates/config.php b/app/templates/config.php
index d2c5151..eda1801 100644
--- a/app/templates/config.php
+++ b/app/templates/config.php
@@ -37,7 +37,7 @@
         <div class="card-body p-4">
             <form id="configForm">
 <?php
-include 'csrf_token.php';
+include CSRF_TOKEN_INCLUDE;
 
 function renderConfigItem($key, $value, $path = '') {
     $fullPath = $path ? $path . '[' . $key . ']' : $key;
diff --git a/app/templates/form-login.php b/app/templates/form-login.php
index c1055b5..a15ed40 100644
--- a/app/templates/form-login.php
+++ b/app/templates/form-login.php
@@ -4,7 +4,7 @@
             <div class="card-body">
                 <p class="card-text"><strong>Welcome to <?= htmlspecialchars($config['site_name']); ?>!</strong><br />Please enter login credentials:</p>
                 <form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=login">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                     <div class="form-group mb-3">
                         <input type="text" class="form-control w-50 mx-auto" name="username" placeholder="Username" 
                             pattern="[A-Za-z0-9_\-]{3,20}" title="3-20 characters, letters, numbers, - and _"
diff --git a/app/templates/form-password-forgot.php b/app/templates/form-password-forgot.php
index 2174ce7..45ea0ed 100644
--- a/app/templates/form-password-forgot.php
+++ b/app/templates/form-password-forgot.php
@@ -8,7 +8,7 @@
                             <p>Enter your email address and we will send you<br />
                                 instructions to reset your password.</p>
                             <form method="post" action="?page=login&action=forgot">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                 <div class="form-group">
                                     <label for="email">email address:</label>
                                     <input type="email"
diff --git a/app/templates/form-password-reset.php b/app/templates/form-password-reset.php
index a0c325e..2b25faf 100644
--- a/app/templates/form-password-reset.php
+++ b/app/templates/form-password-reset.php
@@ -6,7 +6,7 @@
                         <div class="card-body">
                             <h3 class="card-title mb-4">Set new password</h3>
                             <form method="post" action="?page=login&action=reset&token=<?= htmlspecialchars(urlencode($token)) ?>">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                 <div class="form-group">
                                     <label for="new_password">new password:</label>
                                     <input type="password"
diff --git a/app/templates/form-register.php b/app/templates/form-register.php
index 6f1f059..fbd382c 100644
--- a/app/templates/form-register.php
+++ b/app/templates/form-register.php
@@ -4,7 +4,7 @@
             <div class="card-body">
                 <p class="card-text">Enter credentials for registration:</p>
                 <form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=register">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                     <div class="form-group mb-3">
                         <input type="text" class="form-control w-50 mx-auto" name="username" placeholder="Username"
                             pattern="[A-Za-z0-9_\-]{3,20}" title="3-20 characters, letters, numbers, - and _"
diff --git a/app/templates/profile-edit.php b/app/templates/profile-edit.php
index 82fade0..45ab00f 100644
--- a/app/templates/profile-edit.php
+++ b/app/templates/profile-edit.php
@@ -6,7 +6,7 @@
                     <div class="card-body">
 
                         <form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=profile" enctype="multipart/form-data">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                             <div class="row">
                                 <p class="border rounded bg-light mb-4"><small>edit the profile fields</small></p>
                                 <div class="col-md-4 avatar-container">
@@ -133,7 +133,7 @@
                                                     <div class="modal-footer">
                                                         <button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
                                                         <form id="remove-avatar-form" data-action="remove-avatar" method="POST" action="<?= htmlspecialchars($app_root) ?>?page=profile&action=remove&item=avatar">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                                             <button type="button" class="btn btn-danger" id="confirm-delete">Delete Avatar</button>
                                                         </form>
                                                     </div>
diff --git a/app/templates/security.php b/app/templates/security.php
index bd5ad0a..ba3f0e0 100644
--- a/app/templates/security.php
+++ b/app/templates/security.php
@@ -35,7 +35,7 @@
                                 </div>
                                 <div class="card-body">
                                     <form method="POST" class="mb-4">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                         <input type="hidden" name="action" value="add_whitelist">
                                         <div class="row g-3">
                                             <div class="col-md-4">
@@ -77,7 +77,7 @@
                                                 <td><?= htmlspecialchars($ip['created_at']) ?></td>
                                                 <td>
                                                     <form method="POST" style="display: inline;">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                                         <input type="hidden" name="action" value="remove_whitelist">
                                                         <input type="hidden" name="ip_address" value="<?= htmlspecialchars($ip['ip_address']) ?>">
                                                         <button type="submit" class="btn btn-sm btn-danger" onclick="return confirm('Are you sure you want to remove this IP from whitelist?')">Remove</button>
@@ -104,7 +104,7 @@
                                 </div>
                                 <div class="card-body">
                                     <form method="POST" class="mb-4">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                         <input type="hidden" name="action" value="add_blacklist">
                                         <div class="row g-3">
                                             <div class="col-md-3">
@@ -151,7 +151,7 @@
                                                 <td><?= $ip['expiry_time'] ? htmlspecialchars($ip['expiry_time']) : 'Never' ?></td>
                                                 <td>
                                                     <form method="POST" style="display: inline;">
-<?php include 'csrf_token.php'; ?>
+<?php include CSRF_TOKEN_INCLUDE; ?>
                                                         <input type="hidden" name="action" value="remove_blacklist">
                                                         <input type="hidden" name="ip_address" value="<?= htmlspecialchars($ip['ip_address']) ?>">
                                                         <button type="submit" class="btn btn-sm btn-danger" onclick="return confirm('Are you sure you want to remove this IP from blacklist?')">Remove</button>
diff --git a/public_html/index.php b/public_html/index.php
index 0c5ce77..a94a258 100644
--- a/public_html/index.php
+++ b/public_html/index.php
@@ -11,6 +11,11 @@
  * Version: 0.4
  */
 
+// Define CSRF token include path globally
+if (!defined('CSRF_TOKEN_INCLUDE')) {
+    define('CSRF_TOKEN_INCLUDE', dirname(__DIR__) . '/app/includes/csrf_token.php');
+}
+
 // we start output buffering and
 // flush it later only when there is no redirect
 ob_start();