Phase 2: Add CSRF token protection to all forms and processors - Created CsrfMiddleware class with 8 helper methods - Added CSRF tokens to 9 POST forms across trip/course/camping/membership - Added CSRF validation to all 10 POST processors - CsrfMiddleware.requireToken() validates and dies on invalid tokens - 100% POST endpoint coverage with CSRF protection

validate_login.php

@@ -5,12 +5,19 @@ require_once("connection.php");
 require_once("functions.php");
 require_once 'google-client/vendor/autoload.php'; // Add this line for Google Client
 
+use Middleware\CsrfMiddleware;
+
 // Check if connection is established
 if (!$conn) {
     json_encode(['status' => 'error', 'message' => 'Database connection failed.']);
     exit();
 }
 
+// Validate CSRF token for POST requests (email/password login)
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_GET['code'])) {
+    CsrfMiddleware::requireToken($_POST);
+}
+
 // Google Client Setup
 $client = new Google_Client();
 $client->setClientId('948441222188-8qhboq2urr8o9n35mc70s5h2nhd52v0m.apps.googleusercontent.com');