d4/d16/class_8csrf_8php_source.html

<?php

/*

 * Copyright (c) 2021-2025 Bearsampp

 * License:  GNU General Public License version 3 or later; see LICENSE.txt

 * Author: Bear

 * Website: https://bearsampp.com

 * Github: https://github.com/Bearsampp

 */


class Csrf

{

    const SESSION_KEY = 'bearsampp_csrf_tokens';


    const TOKEN_EXPIRATION = 7200;


    const MAX_TOKENS = 10;


    public static function init()

    {

        // Start session if not already started

        if (session_status() === PHP_SESSION_NONE) {

            session_start();

        }


        // Initialize token storage if not exists

        if (!isset($_SESSION[self::SESSION_KEY])) {

            $_SESSION[self::SESSION_KEY] = [];

        }


        // Clean up expired tokens

        self::cleanupExpiredTokens();

    }


    public static function generateToken()

    {

        self::init();


        try {

            // Generate cryptographically secure random token

            $token = bin2hex(random_bytes(32));

        } catch (Exception $e) {

            Util::logError('Failed to generate CSRF token: ' . $e->getMessage());

            // Fallback to less secure but functional method

            $token = hash('sha256', uniqid('bearsampp_csrf_', true) . microtime(true));

        }


        // Store token with timestamp

        $_SESSION[self::SESSION_KEY][$token] = time();


        // Limit number of stored tokens

        if (count($_SESSION[self::SESSION_KEY]) > self::MAX_TOKENS) {

            // Remove oldest token

            $oldestToken = array_key_first($_SESSION[self::SESSION_KEY]);

            unset($_SESSION[self::SESSION_KEY][$oldestToken]);

        }


        // Log token generation without exposing token material

        Util::logDebug('CSRF token generated successfully');


        return $token;

    }


    public static function getToken()

    {

        self::init();


        // If no tokens exist, generate one

        if (empty($_SESSION[self::SESSION_KEY])) {

            return self::generateToken();

        }


        // Return the most recent token

        $tokens = $_SESSION[self::SESSION_KEY];

        end($tokens);

        $latestToken = key($tokens);


        // Check if latest token is expired

        if (time() - $tokens[$latestToken] > self::TOKEN_EXPIRATION) {

            // Generate new token if expired

            return self::generateToken();

        }


        return $latestToken;

    }


    public static function validateToken($token, $removeAfterValidation = false)

    {

        self::init();


        // Check if token is provided

        if (empty($token) || !is_string($token)) {

            Util::logWarning('CSRF validation failed: No token provided');

            return false;

        }


        // Check if token exists in session

        if (!isset($_SESSION[self::SESSION_KEY][$token])) {

            Util::logWarning('CSRF validation failed: Token not found in session');

            return false;

        }


        // Check if token is expired

        $tokenTimestamp = $_SESSION[self::SESSION_KEY][$token];

        if (time() - $tokenTimestamp > self::TOKEN_EXPIRATION) {

            Util::logWarning('CSRF validation failed: Token expired');

            unset($_SESSION[self::SESSION_KEY][$token]);

            return false;

        }


        // Token is valid

        Util::logDebug('CSRF token validated successfully');


        // Remove token if one-time use is requested

        if ($removeAfterValidation) {

            unset($_SESSION[self::SESSION_KEY][$token]);

        }


        return true;

    }


    public static function validateRequest($removeAfterValidation = false)

    {

        // Check POST first (most common for AJAX)

        if (isset($_POST['csrf_token'])) {

            return self::validateToken($_POST['csrf_token'], $removeAfterValidation);

        }


        // Check GET as fallback

        if (isset($_GET['csrf_token'])) {

            return self::validateToken($_GET['csrf_token'], $removeAfterValidation);

        }


        // Check custom header (for AJAX requests)

        $headers = self::getAllHeaders();


        // Check for X-CSRF-Token header (case-insensitive)

        foreach ($headers as $key => $value) {

            if (strtolower($key) === 'x-csrf-token') {

                return self::validateToken($value, $removeAfterValidation);

            }

        }


        Util::logWarning('CSRF validation failed: No token in request');

        return false;

    }


    private static function getAllHeaders()

    {

        // Use getallheaders() if available (Apache)

        if (function_exists('getallheaders')) {

            $headers = getallheaders();

            if ($headers !== false) {

                return $headers;

            }

        }


        // Fallback for FastCGI/CGI environments

        $headers = [];

        foreach ($_SERVER as $key => $value) {

            // Extract HTTP headers from $_SERVER

            if (substr($key, 0, 5) === 'HTTP_') {

                // Convert HTTP_X_CSRF_TOKEN to X-Csrf-Token

                $headerName = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));

                $headers[$headerName] = $value;

            }

            // Handle CONTENT_TYPE and CONTENT_LENGTH specially

            elseif (in_array($key, ['CONTENT_TYPE', 'CONTENT_LENGTH'])) {

                $headerName = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', $key))));

                $headers[$headerName] = $value;

            }

        }


        return $headers;

    }


    private static function cleanupExpiredTokens()

    {

        if (!isset($_SESSION[self::SESSION_KEY])) {

            return 0;

        }


        $removed = 0;

        $currentTime = time();


        foreach ($_SESSION[self::SESSION_KEY] as $token => $timestamp) {

            if ($currentTime - $timestamp > self::TOKEN_EXPIRATION) {

                unset($_SESSION[self::SESSION_KEY][$token]);

                $removed++;

            }

        }


        if ($removed > 0) {

            Util::logDebug("Cleaned up $removed expired CSRF tokens");

        }


        return $removed;

    }


    public static function regenerateToken()

    {

        self::init();


        // Clear all existing tokens

        $_SESSION[self::SESSION_KEY] = [];


        // Generate new token

        return self::generateToken();

    }


    public static function getTokenField()

    {

        $token = self::getToken();

        return '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

    }


    public static function getTokenMeta()

    {

        $token = self::getToken();

        return '<meta name="csrf-token" content="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

    }


    public static function validateOrDie($removeAfterValidation = false)

    {

        if (!self::validateRequest($removeAfterValidation)) {

            http_response_code(403);

            header('Content-Type: application/json');

            echo json_encode([

                'error' => 'CSRF validation failed',

                'message' => 'Invalid or expired security token. Please refresh the page and try again.'

            ]);

            exit;

        }

    }


    public static function getStats()

    {

        self::init();


        $tokens = $_SESSION[self::SESSION_KEY] ?? [];

        $currentTime = time();

        $expired = 0;

        $valid = 0;


        foreach ($tokens as $timestamp) {

            if ($currentTime - $timestamp > self::TOKEN_EXPIRATION) {

                $expired++;

            } else {

                $valid++;

            }

        }


        return [

            'total' => count($tokens),

            'valid' => $valid,

            'expired' => $expired,

            'max_tokens' => self::MAX_TOKENS,

            'expiration_seconds' => self::TOKEN_EXPIRATION

        ];

    }


}


exit
exit
Definition ajax.apply.moduleconfig.php:63

Csrf
Definition class.csrf.php:35

Csrf\generateToken
static generateToken()
Definition class.csrf.php:80

Csrf\cleanupExpiredTokens
static cleanupExpiredTokens()
Definition class.csrf.php:252

Csrf\MAX_TOKENS
const MAX_TOKENS
Definition class.csrf.php:50

Csrf\TOKEN_EXPIRATION
const TOKEN_EXPIRATION
Definition class.csrf.php:44

Csrf\regenerateToken
static regenerateToken()
Definition class.csrf.php:281

Csrf\getTokenField
static getTokenField()
Definition class.csrf.php:297

Csrf\getStats
static getStats()
Definition class.csrf.php:341

Csrf\getToken
static getToken()
Definition class.csrf.php:114

Csrf\validateOrDie
static validateOrDie($removeAfterValidation=false)
Definition class.csrf.php:322

Csrf\validateRequest
static validateRequest($removeAfterValidation=false)
Definition class.csrf.php:186

Csrf\getAllHeaders
static getAllHeaders()
Definition class.csrf.php:218

Csrf\getTokenMeta
static getTokenMeta()
Definition class.csrf.php:309

Csrf\validateToken
static validateToken($token, $removeAfterValidation=false)
Definition class.csrf.php:144

Csrf\init
static init()
Definition class.csrf.php:58

Csrf\SESSION_KEY
const SESSION_KEY
Definition class.csrf.php:39

Util\logError
static logError($data, $file=null)
Definition class.util.php:1155

Util\logDebug
static logDebug($data, $file=null)
Definition class.util.php:1119

Util\logWarning
static logWarning($data, $file=null)
Definition class.util.php:1143