File: C:/inetpub/vhosts/hrreflections.com/httpdocs/content/csrf_functions.php
<?php
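// HMAC key for the CSRF tokens issued by generateCsrfToken() and checked by
// validateCsrfToken(). The literal below is a placeholder and must be replaced with
// a long random value before deployment; every server that validates tokens needs
// the same key. The environment variable CSRF_SECRET (name chosen here) is consulted
// first so the real key can be kept out of source control; when it is unset or
// empty the literal is used, preserving the previous behaviour.
define('CSRF_SECRET', getenv('CSRF_SECRET') ?: 'your-very-secret-key-here-change-this');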
/**
 * Base64-encode $data with the URL-safe alphabet ('-' and '_' in place of '+' and '/')
 * and without '=' padding, so the result can be embedded in URLs and form fields as-is.
 *
 * @param string $data raw bytes to encode
 * @return string URL-safe, unpadded base64
 */
function base64url_encode($data) {
    $standard = base64_encode($data);
    $urlSafe = str_replace(['+', '/'], ['-', '_'], $standard);
    return rtrim($urlSafe, '=');
}
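/**
 * Decode a URL-safe base64 string produced by base64url_encode(). Missing '=' padding
 * is accepted.
 *
 * Decoding is strict: any character outside the base64 alphabet makes the call fail
 * instead of being silently dropped, so a given token has exactly one accepted
 * spelling on the wire.
 *
 * @param string $data URL-safe base64 input
 * @return string|false decoded bytes, or false when $data is not valid base64
 */
function base64url_decode($data) {
    return base64_decode(strtr($data, '-_', '+/'), true);
}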
/**
 * Issue a stateless CSRF token bound to the caller's IP address and User-Agent.
 *
 * The token is the URL-safe base64 of "timestamp|ip|base64url(userAgent)|mac", where
 * mac is HMAC-SHA256 over "ip|userAgent|timestamp" under CSRF_SECRET. The User-Agent
 * is base64-encoded inside the token because it may itself contain '|'. The token
 * carries no per-user or per-session value: it only ties the request to the
 * (ip, userAgent) pair that validateCsrfToken() later compares against.
 *
 * @param string $ip        client address as seen by the server
 * @param string $userAgent client User-Agent header (may be empty)
 * @return string URL-safe token
 */
function generateCsrfToken($ip, $userAgent) {
    $issuedAt = time();
    $mac = hash_hmac('sha256', implode('|', [$ip, $userAgent, $issuedAt]), CSRF_SECRET);
    $payload = implode('|', [$issuedAt, $ip, base64url_encode($userAgent), $mac]);
    return base64url_encode($payload);
}
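/**
 * Check a token from generateCsrfToken() against the current request.
 *
 * The MAC is verified first (constant-time via hash_equals) so that no field taken from
 * the token is acted on before it has been authenticated. After that the token must be
 * no older than $maxAge seconds and its IP and User-Agent must equal the current ones.
 *
 * The timestamp field is required to be a plain decimal string before it is used in
 * arithmetic: in PHP 8 subtracting a non-numeric string throws a TypeError, which the
 * previous version of this function would have surfaced as an uncaught error for a
 * crafted token.
 *
 * Caveat: the token is bound only to (ip, userAgent, time), not to a user or session.
 * Clients whose address changes mid-session (mobile, proxy pools) will fail the IP
 * check, and distinct clients sharing one egress address and User-Agent string are
 * indistinguishable to this check.
 *
 * @param string $token            token as received from the client
 * @param string $currentIp        address of the current request
 * @param string $currentUserAgent User-Agent of the current request
 * @param int    $maxAge           maximum accepted token age in seconds (default 1800)
 * @return bool true only when every check passes
 */
function validateCsrfToken($token, $currentIp, $currentUserAgent, $maxAge = 1800) {
    if (!is_string($token) || $token === '') {
        return false;
    }
    $decoded = base64url_decode($token);
    if ($decoded === false || $decoded === '') {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 4) {
        return false;
    }
    [$timestamp, $tokenIp, $encodedUserAgent, $hash] = $parts;
    $tokenUserAgent = base64url_decode($encodedUserAgent);
    if ($tokenUserAgent === false) {
        return false;
    }
    // Authenticate the token before trusting any of its fields. The MAC covers the
    // timestamp in the exact string form carried by the token.
    $expectedHash = hash_hmac('sha256', $tokenIp . '|' . $tokenUserAgent . '|' . $timestamp, CSRF_SECRET);
    if (!hash_equals($expectedHash, $hash)) {
        return false;
    }
    // Guard the arithmetic below: only a plain decimal timestamp is acceptable.
    if (!ctype_digit($timestamp)) {
        return false;
    }
    if ((time() - (int) $timestamp) > $maxAge) {
        return false;
    }
    if ($tokenIp !== $currentIp) {
        return false;
    }
    return $tokenUserAgent === $currentUserAgent;
}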
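/**
 * Address of the peer that opened the connection, as recorded by the web server.
 *
 * Only REMOTE_ADDR is used: it is set by the server from the TCP connection, whereas
 * forwarding headers such as X-Forwarded-For are client-supplied and are deliberately
 * not consulted here. If this site is fronted by a reverse proxy, REMOTE_ADDR will be
 * the proxy's address and every client will share it for CSRF binding purposes.
 *
 * @return string|null the address, or null when REMOTE_ADDR is not set (e.g. CLI)
 */
function getClientIP() {
    return $_SERVER['REMOTE_ADDR'] ?? null;
}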
?>