Files
breadcrumb-the-shire/.agents/runs/2026-04-24-action-csrf-centralization-step4/analysis.json

23 lines
1.7 KiB
JSON

{
"task_id": "2026-04-24-action-csrf-centralization-step4",
"issue_summary": "Nach Abschluss von pages/admin gab es in non-admin Core-Seiten noch direkte requestInput()->method() und Session::checkCsrfToken()-Nutzung. Ziel war die gleiche Zentralisierung auch für pages/auth, pages/page, pages/lang und pages/flash.",
"affected_layers": ["pages", "tests"],
"affected_files": [
{ "path": "pages/lang().php", "role": "Locale switch endpoint (GET/POST mixed)" },
{ "path": "pages/flash/dismiss($id).php", "role": "Flash dismiss POST endpoint" },
{ "path": "pages/page/copy-language().php", "role": "Page content locale copy action" },
{ "path": "pages/page/index($slug).php", "role": "Page edit submit flow with optional JSON response" },
{ "path": "pages/auth/login().php", "role": "Multi-stage login action" },
{ "path": "pages/auth/register().php", "role": "Registration action" },
{ "path": "pages/auth/forgot().php", "role": "Password reset request action" },
{ "path": "pages/auth/verify().php", "role": "Password reset verification code action" },
{ "path": "pages/auth/verify-email().php", "role": "Email verification and resend action" },
{ "path": "pages/auth/reset().php", "role": "Password reset completion action" },
{ "path": "tests/Architecture/CorePageRequestGuardContractTest.php", "role": "Architecture contract to prevent legacy request/csrf checks in non-admin core pages" }
],
"risks_discovered": [
"Auth/page flows rely on in-page error handling instead of redirect on CSRF mismatch in several places; helper use must preserve this behavior.",
"Mixed GET/POST endpoints (lang, page/index) require conditional CSRF enforcement without breaking GET rendering paths."
]
}