From 921f310ac101e69852cfbef9248a3646253d401d Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Mon, 24 Feb 2025 22:05:20 +0200
Subject: [PATCH] Adds CSRF toek to registration

---
 app/pages/register.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/pages/register.php b/app/pages/register.php
index d9ac38d..c905272 100644
--- a/app/pages/register.php
+++ b/app/pages/register.php
@@ -21,8 +21,18 @@ if ($config['registration_enabled'] == true) {
     checkRateLimit($dbWeb, 'register');
 
     require_once '../app/classes/validator.php';
+    require_once '../app/helpers/security.php';
+    $security = SecurityHelper::getInstance();
 
-    $validator = new Validator($_POST);
+    // Sanitize input
+    $formData = $security->sanitizeArray($_POST, ['username', 'password', 'confirm_password', 'csrf_token']);
+
+    // Validate CSRF token
+    if (!$security->verifyCsrfToken($formData['csrf_token'] ?? '')) {
+        throw new Exception(Feedback::get('ERROR', 'CSRF_INVALID')['message']);
+    }
+
+    $validator = new Validator($formData);
     $rules = [
         'username' => [
             'required' => true,
@@ -40,10 +50,10 @@ if ($config['registration_enabled'] == true) {
         ]
     ];
 
-    $username = $_POST['username'] ?? 'unknown';
+    $username = $formData['username'] ?? 'unknown';
 
     if ($validator->validate($rules)) {
-        $password = $_POST['password'];
+        $password = $formData['password'];
 
         // registering
         $result = $userObject->register($username, $password);
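Review bot: Passing `password` and `confirm_password` through `$security->sanitizeArray()` in the first hunk, and then registering with the sanitized value in the second hunk (`$password = $formData['password'];`), risks altering the credential before it is stored — if that helper trims, strips tags or HTML-encodes (its body is not visible here), a password containing `<`, `&` or surrounding spaces would presumably be hashed in modified form and could fail to verify on a login path that reads `$_POST['password']` raw, with no security gain since the password should only ever be hashed. Consider sanitizing only the fields that are echoed or stored as text and taking the password fields verbatim, e.g. `$formData = $security->sanitizeArray($_POST, ['username', 'csrf_token']);` followed by `$formData['password'] = $_POST['password'] ?? '';` and `$formData['confirm_password'] = $_POST['confirm_password'] ?? '';`. The CSRF check is correctly placed before validation, but it throws a bare `Exception`; no enclosing handler is visible in the hunk, so it is worth confirming the page catches it and shows the feedback message rather than producing a fatal error. The enclosing `if ($config['registration_enabled'] == true)` block starts and ends outside both hunks.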