From 99a1f2c5ab207c388d9beb932e49f88a4e4a6b68 Mon Sep 17 00:00:00 2001
From: julien
Date: Mon, 9 Mar 2026 17:15:14 +0100
Subject: [PATCH] Added CSRF protection

---
 public/index.php | 27 ++++++++++++++++++++++--
 src/Services/CsrfExtension.php | 38 ++++++++++++++++++++++++++++++++++
 views/pages/admin.twig | 4 ++++
 views/pages/post_form.twig | 4 ++++
 4 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 src/Services/CsrfExtension.php

diff --git a/public/index.php b/public/index.php
index 4d7fcea..ec86d01 100644
--- a/public/index.php
+++ b/public/index.php
@@ -8,16 +8,24 @@ use Dotenv\Dotenv;
 use Slim\Factory\AppFactory;
 use Slim\Views\TwigMiddleware;
 use Slim\Views\Twig;
+use Slim\Csrf\Guard;
 use Medoo\Medoo;
 use App\Controllers\PostController;
 use App\Repositories\PostRepository;
 use App\Services\HtmlSanitizer;
 use App\Services\HtmlPurifierFactory;
+use App\Services\CsrfExtension;
 use App\Database\Migrator;
 use App\Bootstrap;
 use App\Routes;
 use App\Config;
 
+// ============================================
+// Démarrer la session PHP
+// ============================================
+
+session_start();
+
 // ============================================
 // Vérifier les répertoires
 // ============================================
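Review bot: `session_start()` is called with PHP's default cookie settings, and since the Guard constructed later in this file is given no explicit storage the CSRF tokens presumably live in that session, so the session cookie deserves hardened attributes. I would write `session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);` here, and set `cookie_secure` once `$isDev` is known (it is computed only after the dotenv load, later in this file) or via `session.cookie_secure` in the production php.ini. A short comment such as `// Must run before new Guard(): the Guard stores its tokens in $_SESSION by default` would also protect this ordering from a later reshuffle of the bootstrap.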
@@ -38,16 +46,29 @@ $dotenv->load();
 $env = $_ENV['APP_ENV'] ?? 'production';
 $isDev = strtolower($env) === 'development';
 
+// ============================================
+// Initialisation de l'application Slim
+// ============================================
+
+$app = AppFactory::create();
+$responseFactory = $app->getResponseFactory();
+
 // ============================================
 // Initialisation des services
 // ============================================
 
+// CSRF Guard (middleware)
+$csrf = new Guard($responseFactory);
+
 // Twig
 $twig = Twig::create(
 __DIR__ . '/../views',
 ['cache' => Config::getTwigCache($isDev)]
 );
 
+// Ajouter l'extension CSRF à Twig
+$twig->addExtension(new CsrfExtension($csrf));
+
 // Medoo (SQLite)
 $dbFile = Config::getDatabasePath();
 $db = new Medoo([
@@ -69,13 +90,15 @@ $htmlSanitizer = new HtmlSanitizer($htmlPurifier);
 $postRepository = new PostRepository($db);
 
 // ============================================
-// Slim App
+// Middleware
 // ============================================
 
-$app = AppFactory::create();
 $app->addBodyParsingMiddleware();
 $app->add(TwigMiddleware::create($app, $twig));
 
+// Enregistrer le middleware CSRF pour toutes les routes
+$app->add($csrf);
+
 // ============================================
 // Routes
 // ============================================
diff --git a/src/Services/CsrfExtension.php b/src/Services/CsrfExtension.php
new file mode 100644
index 0000000..cc5d0a9
--- /dev/null
+++ b/src/Services/CsrfExtension.php
@@ -0,0 +1,38 @@
+csrf->getTokenNameKey();
+ $csrfValueKey = $this->csrf->getTokenValueKey();
+ $csrfName = $this->csrf->getTokenName();
+ $csrfValue = $this->csrf->getTokenValue();
+
+ return [
+ 'csrf' => [
+ 'keys' => [
+ 'name' => $csrfNameKey,
+ 'value' => $csrfValueKey,
+ ],
+ 'name' => $csrfName,
+ 'value' => $csrfValue,
+ ],
+ ];
+ }
+}
diff --git a/views/pages/admin.twig b/views/pages/admin.twig
index d119006..f73b2cf 100644
--- a/views/pages/admin.twig
+++ b/views/pages/admin.twig
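Review bot: `$app->add($csrf)` is registered after `addBodyParsingMiddleware()`, and if I read Slim 4's middleware order correctly the last-added middleware runs first, so the Guard inspects the request before the body-parsing middleware has populated the parsed body. For classic `application/x-www-form-urlencoded` form posts slim/psr7 appears to fill the parsed body from `$_POST` at request creation, so this may not surface in browser testing, but a JSON or other non-form POST would fail the token check no matter what it carries. Swapping the two registrations, `$app->add($csrf);` followed by `$app->addBodyParsingMiddleware();`, gives the Guard a parsed body, and a comment like `// Slim middleware is LIFO: body parsing is added after the Guard so it runs first` would keep the order from being "tidied" back. The Guard is also global, so any route meant to be called without a session-bound token (an API or webhook, none visible here) would need an explicit exemption.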
@@ -32,6 +32,10 @@ Éditer
+ {# Tokens CSRF #}
+
+