From 484b89718a405e6395a19af7605d2e7b19144b78 Mon Sep 17 00:00:00 2001
From: billz
Date: Wed, 26 Mar 2025 04:00:34 -0700
Subject: [PATCH] Add validateRequest(), token check outside class

---
 includes/CSRF.php | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/includes/CSRF.php b/includes/CSRF.php
index 361c8fbb..6329dfee 100644
--- a/includes/CSRF.php
+++ b/includes/CSRF.php
@@ -6,7 +6,12 @@ class CSRF
 {
     protected static ?CSRFTokenizer $instance = null;
 
-    protected static function getInstance(): CSRFTokenizer
+    /*
+     * Get the CSRFTokenizer instance (singleton)
+     *
+     * @return CSRFTokenizer
+     */
+    public static function instance(): CSRFTokenizer
     {
         if (self::$instance === null) {
             self::$instance = new CSRFTokenizer();
@@ -21,22 +26,41 @@ class CSRF
     public static function verify(): bool
     {
-        return self::instance()->csrfValidateRequest() && self::instance()->CSRFValidate($_POST['csrf_token'] ?? '');
+        $token = $_POST['csrf_token'];
+        return self::instance()->csrfValidateRequest() &&
+            self::instance()->CSRFValidate($_POST['csrf_token'] ?? '');
     }
 
     public static function metaTag(): string
     {
-        return self::getInstance()->CSRFMetaTag();
+        return self::instance()->CSRFMetaTag();
     }
 
     public static function hiddenField(): string
     {
-        return self::getInstance()->CSRFTokenFieldTag();
+        return self::instance()->CSRFTokenFieldTag();
     }
 
     public static function handleInvalidToken(): void
     {
         self::instance()->handleInvalidCSRFToken();
     }
+
+    /**
+     * Validates a CSRF Request
+     *
+     * @return bool
+     */
+    public static function validateRequest(): bool
+    {
+        return self::instance()->csrfValidateRequest();
+    }
+}
+
+if (\RaspAP\Tokens\CSRF::validateRequest()) {
+    if (!\RaspAP\Tokens\CSRF::verify()) {
+        error_log("CSRF verification failed. Token: " . ($_POST['csrf_token'] ?? 'not provided'));
+        \RaspAP\Tokens\CSRF::handleInvalidToken();
+    }
 }
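Review bot: The comment added above instance() opens with `/*` rather than `/**`, so it is a plain block comment and the `@return CSRFTokenizer` tag inside it will not be read as PHPDoc by IDEs or static analysers; the validateRequest() docblock later in this same patch uses `/**`. Change the opener to `/**` so both new methods are documented the same way. The body of instance() continues past the end of this hunk.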
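Review bot: The added `$token = $_POST['csrf_token'];` in verify() is never read and, unlike the `?? ''` fallback on the next line, raises an "Undefined array key" warning under PHP 8 on exactly the requests that arrive without a token — the ones this check exists to reject; either delete the line or use it, `$token = $_POST['csrf_token'] ?? '';` and pass `$token` to `CSRFValidate()`. Moving enforcement into a bare `if` at file scope means the check runs whenever CSRF.php is included, which is only sound if every include happens after the session is started and before any state-changing work — nothing in this file guarantees that, and PSR-1 asks a file to either declare symbols or cause side effects, not both. The `error_log` call also writes the submitted token value to the server log; logging only whether a token was present (plus request method and URI) keeps token material out of logs without losing the diagnostic. Note too that `csrfValidateRequest()` is evaluated twice per request, once in validateRequest() and again inside verify(); that is harmless only if it has no side effects, which I cannot confirm from this hunk.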