From d28d69d3501568bcbe582f7a7e87102f15f74a37 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Sat, 12 Apr 2025 16:28:33 +0300
Subject: [PATCH] Fixes CSRF issue after login with 2fa code

---
 app/includes/csrf_middleware.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/includes/csrf_middleware.php b/app/includes/csrf_middleware.php
index e69b745..5642670 100644
--- a/app/includes/csrf_middleware.php
+++ b/app/includes/csrf_middleware.php
@@ -12,10 +12,18 @@ function applyCsrfMiddleware() {
         return true;
     }
 
+    // Skip CSRF check for initial login, registration, and 2FA verification attempts
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
+        isset($_GET['page']) && isset($_GET['action']) &&
+        $_GET['page'] === 'login' && $_GET['action'] === 'verify' &&
+        isset($_SESSION['2fa_pending_user_id'])) {
+        return true;
+    }
+
     // Skip CSRF check for initial login and registration attempts
-    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
-        isset($_GET['page']) &&
-        in_array($_GET['page'], ['login', 'register']) &&
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
+        isset($_GET['page']) &&
+        in_array($_GET['page'], ['login', 'register']) &&
         !isset($_SESSION['username'])) {
         return true;
     }
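Review bot: The new exemption at the top of the hunk drops CSRF validation for every POST to `page=login&action=verify` while `$_SESSION['2fa_pending_user_id']` is set, so a third-party page can submit second-factor codes through the victim's browser during the window between password and code entry — which turns the code check into a cross-origin guessing target and, on success, performs a login CSRF. A bypass is the wrong shape for this fix: the verify form should carry a valid token like any other POST, and if the token stopped validating because the session was regenerated after the password step (my guess — the login handler is not in this diff), the fix belongs there, re-issuing or carrying over the stored token before the 2FA form is rendered, rather than in the middleware. If an exemption must stay for now, it should at least be paired with attempt counting or rate limiting on the verify handler and a comment stating why the token cannot be validated here, e.g. `// TODO: replace with a real token check; the 2FA form loses its token after the password step`. Note also the inconsistency with the block below: the new condition compares `page` with `===` while the existing one uses `in_array(..., ['login', 'register'])` without `strict: true`. `applyCsrfMiddleware()` continues past the end of the hunk, so the actual token comparison this early return short-circuits is not visible here.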