f3-simple-blog/app/Controllers/AuthController.php

<?php

declare(strict_types=1);

class AuthController extends BaseController
{
    public function beforeRoute(): void
    {
        $this->disableCache();
    }

    public function show(): void
    {
        if ($this->currentUser() !== null) {
            $this->f3->reroute('@dashboard');
            return;
        }

        $this->renderSession('auth/login.html', ['pageTitle' => 'Connexion'], true);
    }

    public function login(): void
    {
        $this->verifyCsrf();

        $username = trim((string) ($this->f3->get('POST.username') ?? ''));
        $password = (string) ($this->f3->get('POST.password') ?? '');

        $user = (new User($this->db))->findByUsername($username);
        if ($user === null || !password_verify($password, $user['password_hash'])) {
            usleep(1_500_000); // 1,5 s — ralentit le brute-force
            $this->flash('error', 'Identifiants invalides.');
            $this->f3->reroute('@login');
            return;
        }

        session_regenerate_id(true);
        $this->f3->set('SESSION.user_id', $user['id']);
        $this->refreshCsrfToken();
        $this->flash('success', 'Connexion réussie.');
        $this->f3->reroute('@dashboard');
    }

    public function logout(): void
    {
        $this->verifyCsrf();
        $this->f3->clear('SESSION.user_id');
        $this->f3->clear('SESSION.csrf_token');
        session_regenerate_id(true);
        $this->flash('success', 'Déconnexion effectuée.');
        $this->f3->reroute('@login');
    }
}