fixing some security issues and harderning service

app-code/api/account/update_2fa.php

@@ -1,15 +1,11 @@
 <?php
-session_start();
+include "../utils/security.php";
+secure_session_start();
+require_same_origin_request();
 header('Content-Type: application/json');
 
 // Check if the user is logged in
-if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
-    echo json_encode([
-        'success' => false,
-        'message' => 'Not logged in'
-    ]);
-    exit();
-}
+require_logged_in();
 
 // Include database configuration
 include "../../config/config.php";
@@ -34,6 +30,10 @@ $username = $_SESSION["username"];
 
 // Get the raw POST data (JSON)
 $data = json_decode(file_get_contents("php://input"));
+if(!isset($data->enable_2fa) || !is_bool($data->enable_2fa)){
+	echo json_encode(['success' => false, 'message' => 'Missing required fields.']);
+	exit();
+}
 if($data->enable_2fa==true){
 	//create 2fa secret key
 	$twofa_secret=generateBase32Secret();
@@ -68,4 +68,3 @@ if($data->enable_2fa==false){
 }
 
 ?>
-