first commit

app/Middleware/authMiddleware.php

@@ -0,0 +1,42 @@
+<?php
+namespace Blog\Middleware;
+
+use Blog\Middleware\middlewareInterface;
+use Blog\Http\request;
+use Blog\Http\response;
+
+class AuthMiddleware implements MiddlewareInterface {
+  public function handle(Request $request, Response $response): bool {
+    if(!isset($_SESSION['user'])) {
+      $response
+        ->setStatus(403)
+        ->getBody()
+        ->write("403 - Forbidden")
+        ->send();
+      return false;
+    }
+
+    if($request->getMethod() !== 'GET' && !$this->validateCSRFToken($request)) {
+      $response
+        ->setStatus(419)
+        ->getBody()
+        ->write("419 - Session expired or invalid CSRF token.")
+        ->send();
+      return false;
+    }
+
+    return true;
+  }
+
+  private function validateCSRFToken(Request $request): bool {
+    $token = $request->getPost('_csrf_token') ?? '';
+    return hash_equals($_SESSION['_csrf_token'] ?? '', $token);
+  }
+
+  public static function generateCSRFToken(): string {
+    if(!isset($_SESSION['_csrf_token'])) {
+      $_SESSION['_csrf_token'] = bin2hex(random_bytes(32));
+    }
+    return $_SESSION['_csrf_token'];
+  }
+}