consolidate POST session validation.

public/index.php

@@ -36,6 +36,8 @@ $db = get_db();
 $config = ConfigModel::load();
 $user = UserModel::load();
 
+// Start a session and generate a CSRF Token
+// if there isn't already an active session
 Session::start();
 Session::generateCsrfToken();
 
@@ -47,6 +49,24 @@ if (strpos($path, $config->basePath) === 0) {
 // strip the trailing slash from the resulting route
 $path = trim($path, '/');
 
+// if this is a POST, make sure there's a valid session
+// if not, redirect to /login or die as appropriate
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if ($path != 'login'){
+        if (!Session::isValid($_POST['csrf_token'])) {
+            // Invalid session - redirect to /login
+            header('Location: ' . $config->basePath . '/login');
+            exit;
+        }
+    } else {
+        if (!Session::isvalidCsrfToken($_POST['csrf_token'])) {
+            // Just die if the token is invalid on login
+            die('Invalid CSRF token');
+            exit;
+        }
+    }
+}
+
 // Set content type
 header('Content-Type: text/html; charset=utf-8');
 

src/Controller/AuthController/AuthController.php

@@ -19,10 +19,6 @@ class AuthController extends Controller {
         $error = '';
 
         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-            if (!Session::validateCsrfToken($_POST['csrf_token'])) {
-                die('Invalid CSRF token');
-            }
-        
             $username = $_POST['username'] ?? '';
             $password = $_POST['password'] ?? '';
  

src/Controller/HomeController/HomeController.php

@@ -27,12 +27,6 @@ class HomeController extends Controller {
     // Saves the tick and reloads the homepage
     public function handleTick(){
         if ($_SERVER['REQUEST_METHOD'] === 'POST' and isset($_POST['tick'])) {
-            // ensure that the session is valid before proceeding
-            if (!Session::validateCsrfToken($_POST['csrf_token'])) {
-                // TODO: maybe redirect to login? Maybe with tick preserved?
-                die('Invalid CSRF token');
-            }
-
             // save the tick
             if (trim($_POST['tick'])){
                 TickModel::save($_POST['tick']);

src/Controller/MoodController/MoodController.php

@@ -17,11 +17,6 @@
 
         public function handlePost(){
             if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-                // ensure that the session is valid before proceeding
-                if (!Session::validateCsrfToken($_POST['csrf_token'])) {
-                    die('Invalid CSRF token');
-                }
-
                 // Get the data we need
                 global $config;
                 global $user;

src/Framework/Session/Session.php

@@ -16,20 +16,24 @@ class Session {
         }
     }
 
-    public static function validateCsrfToken($token): bool{
-        return hash_equals($_SESSION['csrf_token'], $token);
-    }
-
     public static function getCsrfToken(): string{
         return $_SESSION['csrf_token'];
     }
 
+    public static function isValidCsrfToken($token): bool{
+        return hash_equals($_SESSION['csrf_token'], $token);
+    }
+
     public static function isLoggedIn(): bool {
-        //echo "UserModel ID set: ". isset($_SESSION['user_id']). "<br/>";
-        //exit;
         return isset($_SESSION['user_id']);
     }
 
+    // A session is valid if the user is logged in and has a valid csrf token
+    // Test this before processing POST requests
+    public static function isValid(string $token): bool {
+        return self::isLoggedIn() && self::isValidCsrfToken($token);
+    }
+
     public static function end(): void {
         $_SESSION = [];
         session_destroy();