fixing some security issues and harderning service

app-code/api/register/register_user.php

@@ -1,5 +1,8 @@
 <?php
 // Set response headers to return JSON
+include "../utils/security.php";
+secure_session_start();
+require_same_origin_request();
 header('Content-Type: application/json');
 
 include "../../config/config.php";
@@ -22,7 +25,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $data = json_decode($input, true);
 
     // Validate input
-    if (!isset($data['username']) ||  !isset($data['password'])) {
+    if (!is_array($data) || !isset($data['username']) || !isset($data['password'])) {
         echo json_encode([
             'success' => false,
             'message' => 'Invalid input. Username and password are required.'
@@ -30,10 +33,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
         exit;
     }
 
-    $username = trim($data['username']);
-    $email = trim($data['email']);
-    $password = trim($data['password']);
-    $telegram_id = trim($data['telegram']);
+    $username = strtolower(trim((string) $data['username']));
+    $username = preg_replace("/[^a-z0-9_]/", "", $username);
+    $email = trim((string) ($data['email'] ?? ""));
+    $password = (string) $data['password'];
+    $telegram_id = trim((string) ($data['telegram'] ?? ""));
 
     // Check for empty fields
     if (empty($username) || empty($password)) {
@@ -44,6 +48,22 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
         exit;
     }
 
+    if (strlen($password) < 12) {
+        echo json_encode([
+            'success' => false,
+            'message' => 'Password must be at least 12 characters.'
+        ]);
+        exit;
+    }
+
+    if ($email !== "" && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
+        echo json_encode([
+            'success' => false,
+            'message' => 'Invalid email address.'
+        ]);
+        exit;
+    }
+
     // Check if the username already exists
     $sql = "SELECT id FROM users WHERE username = ?";
     $stmt = mysqli_prepare($conn, $sql);