f3-simple-blog/app/Controllers/BaseController.php

<?php

declare(strict_types=1);

abstract class BaseController
{
    protected Base $f3;
    protected DB\SQL $db;

    public function __construct()
    {
        $this->f3 = Base::instance();
        $this->db = $this->f3->get('DB');
    }

    protected function renderPublic(string $view, array $data = []): void
    {
        $user = $this->currentUser();

        $this->f3->mset($data + [
            'view' => $view,
            'currentUser' => $user,
            'flash' => array_key_exists('flash', $data) && is_array($data['flash']) ? $data['flash'] : null,
            'csrfToken' => $user !== null ? $this->csrfToken() : null,
        ]);

        echo Template::instance()->render('layout.html');
    }

    protected function renderSession(string $view, array $data = [], bool $withCsrf = false): void
    {
        $flash = array_key_exists('flash', $data) && is_array($data['flash'])
            ? $data['flash']
            : $this->pullFlash();

        $this->f3->mset($data + [
            'view' => $view,
            'currentUser' => $this->currentUser(),
            'flash' => $flash,
            'csrfToken' => $withCsrf ? $this->csrfToken() : null,
        ]);

        echo Template::instance()->render('layout.html');
    }

    protected function currentUser(): ?array
    {
        $userId = (int) ($this->f3->get('SESSION.user_id') ?? 0);
        return $userId > 0 ? (new User($this->db))->findById($userId) : null;
    }

    protected function requireAuth(): void
    {
        if ($this->currentUser() !== null) {
            return;
        }

        $this->flash('error', 'Connecte-toi pour continuer.');
        $this->f3->reroute('@login');
    }

    protected function disableCache(): void
    {
        $this->f3->expire(0);
    }

    protected function csrfToken(): string
    {
        $token = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
        if ($token === '') {
            $token = bin2hex(random_bytes(32));
            $this->f3->set('SESSION.csrf_token', $token);
        }

        return $token;
    }

    protected function refreshCsrfToken(): string
    {
        $token = bin2hex(random_bytes(32));
        $this->f3->set('SESSION.csrf_token', $token);
        return $token;
    }

    protected function verifyCsrf(): void
    {
        $submitted = (string) ($this->f3->get('POST.csrf_token') ?? '');
        $expected = (string) ($this->f3->get('SESSION.csrf_token') ?? '');

        if ($submitted !== '' && $expected !== '' && hash_equals($expected, $submitted)) {
            return;
        }

        $this->f3->error(400, 'Jeton CSRF invalide.');
    }

    protected function flash(string $type, string $message): void
    {
        $this->f3->set('SESSION.flash', ['type' => $type, 'message' => $message]);
    }

    private function pullFlash(): ?array
    {
        $flash = $this->f3->get('SESSION.flash');
        $this->f3->clear('SESSION.flash');
        return is_array($flash) ? $flash : null;
    }
}