<?php
namespace Blog\Middleware;

use Blog\Middleware\middlewareInterface;
use Blog\Http\request;
use Blog\Http\response;

class AuthMiddleware implements MiddlewareInterface {
  public function handle(Request $request, Response $response): bool {
    if(!isset($_SESSION['user'])) {
      $response
        ->setStatus(403)
        ->getBody()
        ->write("403 - Forbidden")
        ->send();
      return false;
    }

    if($request->getMethod() !== 'GET' && !$this->validateCSRFToken($request)) {
      $response
        ->setStatus(419)
        ->getBody()
        ->write("419 - Session expired or invalid CSRF token.")
        ->send();
      return false;
    }

    return true;
  }

  private function validateCSRFToken(Request $request): bool {
    $token = $request->getPost('_csrf_token') ?? '';
    return hash_equals($_SESSION['_csrf_token'] ?? '', $token);
  }

  public static function generateCSRFToken(): string {
    if(!isset($_SESSION['_csrf_token'])) {
      $_SESSION['_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf_token'];
  }
}