43 lines
1.1 KiB
PHP
43 lines
1.1 KiB
PHP
<?php
|
|
namespace Blog\Middleware;
|
|
|
|
use Blog\Middleware\middlewareInterface;
|
|
use Blog\Http\request;
|
|
use Blog\Http\response;
|
|
|
|
class AuthMiddleware implements MiddlewareInterface {
|
|
public function handle(Request $request, Response $response): bool {
|
|
if(!isset($_SESSION['user'])) {
|
|
$response
|
|
->setStatus(403)
|
|
->getBody()
|
|
->write("403 - Forbidden")
|
|
->send();
|
|
return false;
|
|
}
|
|
|
|
if($request->getMethod() !== 'GET' && !$this->validateCSRFToken($request)) {
|
|
$response
|
|
->setStatus(419)
|
|
->getBody()
|
|
->write("419 - Session expired or invalid CSRF token.")
|
|
->send();
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
private function validateCSRFToken(Request $request): bool {
|
|
$token = $request->getPost('_csrf_token') ?? '';
|
|
return hash_equals($_SESSION['_csrf_token'] ?? '', $token);
|
|
}
|
|
|
|
public static function generateCSRFToken(): string {
|
|
if(!isset($_SESSION['_csrf_token'])) {
|
|
$_SESSION['_csrf_token'] = bin2hex(random_bytes(32));
|
|
}
|
|
return $_SESSION['_csrf_token'];
|
|
}
|
|
}
|