Code restructure push

2025-12-04 15:09:44 +02:00
parent 86faad7a78
commit be2b757f4e
111 changed files with 17297 additions and 19420 deletions
--- a/docs/TASK_9_ADD_CSRF_FORMS.md
+++ b/docs/TASK_9_ADD_CSRF_FORMS.md
@@ -0,0 +1,206 @@
+# Phase 1 Task 9: Add CSRF Tokens to Forms - Quick Start Guide
+
+## What to Do
+
+Every `<form method="POST">` in the application needs a CSRF token hidden field.
+
+## How to Add CSRF Token to a Form
+
+### Simple One-Line Addition
+
+Add this ONE line before the closing `</form>` tag:
+
+```html
+<input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
+```
+
+### Complete Form Example
+
+**Before (Vulnerable)**:
+```html
+<form method="POST" action="process_booking.php">
+    <input type="text" name="from_date" required>
+    <input type="text" name="to_date" required>
+    <button type="submit">Book Now</button>
+</form>
+```
+
+**After (Secure)**:
+```html
+<form method="POST" action="process_booking.php">
+    <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
+    <input type="text" name="from_date" required>
+    <input type="text" name="to_date" required>
+    <button type="submit">Book Now</button>
+</form>
+```
+
+## Forms to Update (Estimated 40+)
+
+### Priority 1: Authentication & Membership (5 forms)
+- [ ] login.php - Login form
+- [ ] register.php - Registration form
+- [ ] forgot_password.php - Password reset request
+- [ ] reset_password.php - Password reset form
+- [ ] change_password.php - Change password form
+
+### Priority 2: Bookings (6 forms)
+- [ ] campsite_booking.php - Campsite booking form
+- [ ] trips.php - Trip booking form
+- [ ] course_details.php - Course booking form
+- [ ] membership_application.php - Membership application form
+- [ ] update_application.php - Update membership form
+- [ ] view_indemnity.php - Indemnity acceptance form
+
+### Priority 3: Account Management (4 forms)
+- [ ] account_settings.php - Account settings form
+- [ ] update_user.php - User profile update form
+- [ ] member_info.php - Member info edit form
+- [ ] upload_profile_picture.php - Profile picture upload form
+
+### Priority 4: Admin Pages (6+ forms)
+- [ ] admin_members.php - Admin member management forms
+- [ ] admin_bookings.php - Admin booking management
+- [ ] admin_payments.php - Admin payment forms
+- [ ] admin_course_bookings.php - Course management
+- [ ] admin_trip_bookings.php - Trip management
+- [ ] admin_camp_bookings.php - Campsite management
+
+### Priority 5: Other Forms (10+ forms)
+- [ ] comment_box.php
+- [ ] contact.php
+- [ ] blog_details.php (if has comment form)
+- [ ] bar_tabs.php / fetch_bar_tabs.php
+- [ ] events.php
+- [ ] create_bar_tab.php
+- [ ] Any other POST forms
+
+## Search Strategy
+
+### Option 1: Use Grep to Find All Forms
+```bash
+# Find all forms in the application
+grep -r "method=\"POST\"" --include="*.php" .
+
+# Or find AJAX forms that might not have method="POST"
+grep -r "<form" --include="*.php" . | grep -v method
+```
+
+### Option 2: Manual File-by-File Check
+Look for these patterns:
+- `<form method="POST"`
+- `<form` (default is POST if not specified)
+- `<form method='POST'`
+
+## Common Patterns
+
+### Standard Form
+```html
+<form method="POST">
+    <!-- fields -->
+    <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
+    <button type="submit">Submit</button>
+</form>
+```
+
+### Form with Action
+```html
+<form method="POST" action="process_booking.php">
+    <!-- fields -->
+    <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
+    <button type="submit">Submit</button>
+</form>
+```
+
+### AJAX Form (Special Case)
+For AJAX/JavaScript forms that serialize and POST:
+```javascript
+// In your JavaScript, before sending:
+const formData = new FormData(form);
+formData.append('csrf_token', '<?php echo generateCSRFToken(); ?>');
+```
+
+### Admin/Modal Forms
+```html
+<form method="POST" class="modal-form">
+    <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
+    <!-- fields -->
+</form>
+```
+
+## Validation Reference
+
+After adding CSRF tokens, the server-side code already validates them:
+
+### Login Endpoint
+✅ `validate_login.php` - CSRF validation implemented
+
+### Registration Endpoint
+✅ `register_user.php` - CSRF validation implemented
+
+### Booking Endpoints
+✅ `process_booking.php` - CSRF validation implemented
+✅ `process_camp_booking.php` - CSRF validation implemented
+✅ `process_trip_booking.php` - CSRF validation implemented
+✅ `process_course_booking.php` - CSRF validation implemented
+✅ `process_signature.php` - CSRF validation implemented
+✅ `process_application.php` - CSRF validation implemented
+✅ `process_eft.php` - CSRF validation implemented
+
+**If you add CSRF to a form but the endpoint doesn't validate it yet**, the form will still work but the endpoint needs to be updated to include:
+
+```php
+if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+    // Handle CSRF error
+    echo json_encode(['status' => 'error', 'message' => 'Security token validation failed.']);
+    exit();
+}
+```
+
+## Testing After Adding Tokens
+
+1. **Normal submission**: Form should work as before
+2. **Missing token**: Form should be rejected (if endpoint validates)
+3. **Invalid token**: Form should be rejected (if endpoint validates)
+4. **Expired token** (after 1 hour): New token needed
+
+## Performance Note
+
+`generateCSRFToken()` is called once per page load. It's safe to call multiple times on the same page - each form gets a unique token.
+
+## Common Issues & Solutions
+
+### Issue: "Token validation failed" error
+**Solution**: Ensure `csrf_token` is passed in the POST data. Check:
+1. Form includes `<input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">`
+2. Form method is POST (not GET)
+3. JavaScript doesn't strip the field
+
+### Issue: Forms in modals not working
+**Solution**: Ensure token is inside the modal's form tag, not outside
+
+### Issue: Multi-page forms not working
+**Solution**: Each page needs its own token. Token changes with each page load. This is intentional (single-use tokens).
+
+## Checklist for Task 9
+
+- [ ] Identify all forms with `method="POST"` or no method specified
+- [ ] Add `<input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">` to each
+- [ ] Test 5 critical forms to verify they still work
+- [ ] Test that form submission without CSRF token fails (if endpoint validates)
+- [ ] Verify password reset, login, and booking flows work
+- [ ] Commit changes with message: "Add CSRF tokens to all form templates"
+
+## Files to Reference
+
+- `functions.php` - See `generateCSRFToken()` function (~line 2000)
+- `validate_login.php` - Example of CSRF validation in action
+- `register_user.php` - Example of CSRF validation in action
+- PHASE_1_PROGRESS.md - Current progress documentation
+
+---
+
+**Estimated Time**: 2-3 hours  
+**Difficulty**: Low (repetitive task, minimal logic changes)  
+**Impact**: High (protects against CSRF attacks)  
+**Status**: READY TO START