fix csrf token

system/autoload/Csrf.php

@@ -6,83 +6,50 @@
  **/
 
 
- class Csrf
+class Csrf
- {
+{
-     private const int TOKEN_LENGTH = 16;
+    private static $tokenExpiration = 1800; // 30 minutes
-     private const int TOKEN_EXPIRATION = 1800;
+
- 
+    public static function generateToken($length = 16)
-     /**
+    {
-      * Generate a CSRF token.
+        return bin2hex(random_bytes($length));
-      *
+    }
-      * @param int $length
+
-      * @return string
+    public static function validateToken($token, $storedToken)
-      */
+    {
-     public static function generateToken(int $length = self::TOKEN_LENGTH): string
+        return hash_equals($token, $storedToken);
-     {
+    }
-         return bin2hex(random_bytes($length));
+
-     }
+    public static function check($token)
- 
+    {
-     /**
+        global $config;
-      * Validate the provided CSRF token against the stored token.
+        if($config['csrf_enabled'] == 'yes') {
-      *
+            if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
-      * @param string $token
+                $storedToken = $_SESSION['csrf_token'];
-      * @param string $storedToken
+                $tokenTime = $_SESSION['csrf_token_time'];
-      * @return bool
+
-      */
+                if (time() - $tokenTime > self::$tokenExpiration) {
-     public static function validateToken(string $token, string $storedToken): bool
+                    self::clearToken();
-     {
+                    return false;
-         return hash_equals($token, $storedToken);
+                }
-     }
+
- 
+                return self::validateToken($token, $storedToken);
-     /**
+            }
-      * Check if the CSRF token is valid.
+            return false;
-      *
+        }
-      * @param string|null $token
+        return true;
-      * @return bool
+    }
-      */
+
-     public static function check(?string $token): bool
+    public static function generateAndStoreToken()
-     {
+    {
-         global $config;
+        $token = self::generateToken();
- 
+        $_SESSION['csrf_token'] = $token;
-         if ($config['csrf_enabled'] === 'yes') {
+        $_SESSION['csrf_token_time'] = time();
-             if (isset($_SESSION['nux_csrf_token'], $_SESSION['nux_csrf_token_time'], $token)) {
+        return $token;
-                 $storedToken = $_SESSION['nux_csrf_token'];
+    }
-                 $tokenTime = $_SESSION['nux_csrf_token_time'];
+
- 
+    public static function clearToken()
-                 if (time() - $tokenTime > self::TOKEN_EXPIRATION) {
+    {
-                     self::clearToken();
+        unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']);
-                     return false;
+    }
-                 }
+}
- 
-                 return self::validateToken($token, $storedToken);
-             }
- 
-             return false;
-         }
- 
-         return true; // CSRF is disabled
-     }
- 
-     /**
-      * Generate and store a new CSRF token in the session.
-      *
-      * @return string
-      */
-     public static function generateAndStoreToken(): string
-     {
-         $token = self::generateToken();
-         $_SESSION['nux_csrf_token'] = $token;
-         $_SESSION['nux_csrf_token_time'] = time();
-         return $token;
-     }
- 
-     /**
-      * Clear the stored CSRF token from the session.
-      *
-      * @return void
-      */
-     public static function clearToken(): void
-     {
-         unset($_SESSION['nux_csrf_token'], $_SESSION['nux_csrf_token_time']);
-     }
- }

system/controllers/pluginmanager.php

@@ -38,7 +38,7 @@ switch ($action) {
         r2(getUrl('pluginmanager'), 's', 'Refresh success');
         break;
     case 'dlinstall':
-        if ($_app_stage == 'demo') {
+        if ($_app_stage == 'Demo') {
             r2(getUrl('pluginmanager'), 'e', 'Demo Mode cannot install as it Security risk');
         }
         if (!is_writeable($CACHE_PATH)) {