Release v1.5.1

2026-04-01 14:12:17 +00:00
parent dc53051358
commit 9deabe1ec9
50 changed files with 10775 additions and 5637 deletions
--- a/core/services/Csrf.php
+++ b/core/services/Csrf.php
@@ -1,50 +1,48 @@
-<?php
-declare(strict_types=1);
-
-namespace Core\Services;
-
-class Csrf
-{
-    private const SESSION_KEY = '_csrf_token';
-
-    public static function token(): string
-    {
-        if (session_status() !== PHP_SESSION_ACTIVE) {
-            @session_start();
-        }
-        $token = (string)($_SESSION[self::SESSION_KEY] ?? '');
-        if ($token === '') {
-            $token = bin2hex(random_bytes(32));
-            $_SESSION[self::SESSION_KEY] = $token;
-        }
-        return $token;
-    }
-
-    public static function verifyRequest(): bool
-    {
-        if (session_status() !== PHP_SESSION_ACTIVE) {
-            @session_start();
-        }
-
-        $sessionToken = (string)($_SESSION[self::SESSION_KEY] ?? '');
-        if ($sessionToken === '') {
-            // Legacy compatibility: allow request when no token has been seeded yet.
-            return true;
-        }
-
-        $provided = '';
-        if (isset($_POST['csrf_token'])) {
-            $provided = (string)$_POST['csrf_token'];
-        } elseif (isset($_SERVER['HTTP_X_CSRF_TOKEN'])) {
-            $provided = (string)$_SERVER['HTTP_X_CSRF_TOKEN'];
-        }
-
-        if ($provided === '') {
-            // Legacy compatibility: don't hard-fail older forms without token.
-            return true;
-        }
-
-        return hash_equals($sessionToken, $provided);
-    }
-}
-
+<?php
+declare(strict_types=1);
+
+namespace Core\Services;
+
+class Csrf
+{
+    private const SESSION_KEY = '_csrf_token';
+
+    public static function token(): string
+    {
+        if (session_status() !== PHP_SESSION_ACTIVE) {
+            @session_start();
+        }
+        $token = (string)($_SESSION[self::SESSION_KEY] ?? '');
+        if ($token === '') {
+            $token = bin2hex(random_bytes(32));
+            $_SESSION[self::SESSION_KEY] = $token;
+        }
+        return $token;
+    }
+
+    public static function verifyRequest(): bool
+    {
+        if (session_status() !== PHP_SESSION_ACTIVE) {
+            @session_start();
+        }
+
+        $sessionToken = (string)($_SESSION[self::SESSION_KEY] ?? '');
+        if ($sessionToken === '') {
+            $sessionToken = self::token();
+        }
+
+        $provided = '';
+        if (isset($_POST['csrf_token'])) {
+            $provided = (string)$_POST['csrf_token'];
+        } elseif (isset($_SERVER['HTTP_X_CSRF_TOKEN'])) {
+            $provided = (string)$_SERVER['HTTP_X_CSRF_TOKEN'];
+        }
+
+        if ($provided === '') {
+            return false;
+        }
+
+        return hash_equals($sessionToken, $provided);
+    }
+}
+