feature: send csrf tokens in the header

closes #572

composer.json

@@ -15,6 +15,7 @@
 		"php": ">=8.1",
 
 		"phpgt/config": "^1.0",
+		"phpgt/csrf": "^v1.9",
 		"phpgt/dom": "^v4.0",
 		"phpgt/domtemplate": "^v3.1",
 		"phpgt/database": "^1.4",

src/Middleware/RequestHandler.php

@@ -4,6 +4,8 @@
 use Gt\Config\Config;
 use Gt\Config\ConfigFactory;
 use Gt\Config\ConfigSection;
+use Gt\Csrf\HTMLDocumentProtector;
+use Gt\Csrf\SessionTokenStore;
 use Gt\Dom\HTMLDocument;
 use Gt\DomTemplate\ComponentExpander;
 use Gt\DomTemplate\DocumentBinder;
@@ -183,7 +185,6 @@ public function handle(
 				$viewModel->body->classList->add($bodyDirClass);
 			}
 
-//			ini_set('session.serialize_handler', 'php_serialize');
 			$sessionConfig = $this->config->getSection("session");
 			$sessionId = $_COOKIE[$sessionConfig["name"]] ?? null;
 			$sessionHandler = SessionSetup::attachHandler(
@@ -196,17 +197,18 @@ public function handle(
 			);
 			$serviceContainer->set($session);
 
-//			TODO: Complete CSRF implementation - maybe use its own cookie?
-//			/** @var Session $session */
-//			$session = $serviceContainer->get(Session::class);
-//			$csrfTokenStore = new SessionTokenStore($session->getStore("csrf", true));
-//
-//			if($request->getMethod() === "POST") {
-//				$csrfTokenStore->processAndVerify($_POST);
-//			}
-//
-//			$protector = new HTMLDocumentProtector($viewModel, $csrfTokenStore);
-//			$protector->protectAndInject();
+			$session = $serviceContainer->get(Session::class);
+			$csrfTokenStore = new SessionTokenStore(
+				$session->getStore("csrf", true)
+			);
+
+			if($request->getMethod() === "POST") {
+				$csrfTokenStore->verify($_POST);
+			}
+
+			$protector = new HTMLDocumentProtector($viewModel, $csrfTokenStore);
+			$tokens = $protector->protect(HTMLDocumentProtector::ONE_TOKEN_PER_FORM);
+			$response = $response->withHeader("x-csrf", $tokens);
 		}
 
 // TODO: Kill globals.