From a064f5b46189cbe01b545cc72f38b5e615354afc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:39:43 +0000
Subject: [PATCH 1/9] Initial plan


From 03e73754253d9e13740d24440b55a156262b46fd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:50:48 +0000
Subject: [PATCH 2/9] fix(security): add OAuth state validation and CSRF
 protection across POST forms

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 admin/index.php      | 34 ++++++++++++++++++++++++++++++++++
 admin/relatorios.php |  6 ++++++
 login/index.php      | 40 +++++++++++++++++++++++++++++++++-------
 reservar/index.php   |  7 +++++++
 reservar/manage.php  |  8 +++++++-
 src/db.php           |  6 ++++--
 6 files changed, 91 insertions(+), 10 deletions(-)

diff --git a/admin/index.php b/admin/index.php
index 9474fbc..3aa85da 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -13,6 +13,7 @@
 <?php
     require_once(__DIR__ . '/../src/db.php');
     require_once(__DIR__ . '/../func/genuuid.php');
+    require_once(__DIR__ . '/../func/csrf.php');
     if (session_status() === PHP_SESSION_NONE) { session_start(); }
     
     require_once(__DIR__ . '/../func/get_config.php');
@@ -38,6 +39,14 @@
             $_SESSION['validity'] = time() + 1800;
         }
     }
+
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $csrfToken = $_POST['csrf_token'] ?? '';
+        if (!verify_csrf_token($csrfToken)) {
+            http_response_code(403);
+            die("<div class='alert alert-danger text-center'>Pedido inválido. Atualize a página e tente novamente.</div>");
+        }
+    }
 ?>
 <?php
     // Criação da Sidebar (reaproveito do módulo para as subpáginas)
@@ -177,6 +186,30 @@ function sidebarDropdownLink($url, $nome) {
     // Fechar Navbar no HTML, e passar o conteúdo para baixo
     echo "</ul></div></div></nav><div class='container-fluid mt-4 justify-content-center text-center'>";
 
+    $csrfTokenForJs = json_encode(generate_csrf_token());
+    echo "<script>
+        (function() {
+            const csrfToken = {$csrfTokenForJs};
+            function ensureCsrf(form) {
+                if (!form || String(form.method).toLowerCase() !== 'post') return;
+                if (!form.querySelector('input[name=\"csrf_token\"]')) {
+                    const input = document.createElement('input');
+                    input.type = 'hidden';
+                    input.name = 'csrf_token';
+                    input.value = csrfToken;
+                    form.appendChild(input);
+                }
+            }
+
+            document.addEventListener('DOMContentLoaded', function() {
+                document.querySelectorAll('form[method=\"POST\"], form[method=\"post\"]').forEach(ensureCsrf);
+            });
+            document.addEventListener('submit', function(event) {
+                ensureCsrf(event.target);
+            }, true);
+        })();
+    </script>";
+
 ?>
 
 <?php
@@ -299,6 +332,7 @@ function sidebarDropdownLink($url, $nome) {
         function formulario($action, $inputs) {
             $action_safe = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
             echo "<form action='$action_safe' method='POST' class='d-flex align-items-center'>";
+            echo csrf_token_field();
             foreach ($inputs as $input) {
                 $id_safe = htmlspecialchars($input['id'], ENT_QUOTES, 'UTF-8');
                 $value_safe = htmlspecialchars($input['value'], ENT_QUOTES, 'UTF-8');
diff --git a/admin/relatorios.php b/admin/relatorios.php
index 3f1c9e8..4258cf8 100644
--- a/admin/relatorios.php
+++ b/admin/relatorios.php
@@ -1,11 +1,16 @@
 <?php
 require_once(__DIR__ . '/../func/logaction.php');
+require_once(__DIR__ . '/../func/csrf.php');
 require_once(__DIR__ . '/../src/db.php');
 require_once(__DIR__ . '/../vendor/autoload.php');
 
 // Handle PDF generation
 if (isset($_POST['gerar_pdf'])) {
     if (session_status() === PHP_SESSION_NONE) { session_start(); }
+    if (!verify_csrf_token($_POST['csrf_token'] ?? '')) {
+        http_response_code(403);
+        die("<div class='alert alert-danger text-center'>Pedido inválido. Atualize a página e tente novamente.</div>");
+    }
     if (!$_SESSION['admin']) {
         http_response_code(403);
         die("<div class='alert alert-danger text-center'>Não tem permissão para entrar no painel administrativo. <a href='/'>Voltar para a página inicial</a></div>");
@@ -161,6 +166,7 @@ public function Footer() {
     <p>Gere um relatório em PDF da utilização de salas para um dia específico.</p>
     
     <form method="POST" style="max-width: 500px; margin: 20px auto;">
+        <?= csrf_token_field(); ?>
         <div class="mb-3">
             <label for="data_relatorio" class="form-label">Selecione a Data</label>
             <input type="date" class="form-control" id="data_relatorio" name="data_relatorio" value="<?php echo date('Y-m-d'); ?>" required>
diff --git a/login/index.php b/login/index.php
index 660b013..1f8f614 100644
--- a/login/index.php
+++ b/login/index.php
@@ -1,8 +1,13 @@
 <?php
     if (session_status() === PHP_SESSION_NONE) { session_start(); }
+    require_once(__DIR__ . '/../func/csrf.php');
 
     // Handle database selection
     if (isset($_POST['action']) && $_POST['action'] === 'select_db') {
+        if (!verify_csrf_token($_POST['csrf_token'] ?? '')) {
+            http_response_code(403);
+            die('Pedido inválido. Atualize a página e tente novamente.');
+        }
         $selectedDb = $_POST['db_selection'] ?? null;
         if ($selectedDb) {
             $_SESSION['selected_db'] = $selectedDb;
@@ -28,6 +33,7 @@
     $localAuthInfo = null;
     $localAuthStage = 'email';
     $emailValue = '';
+    $csrfTokenField = csrf_token_field();
 
     // --- Helper Functions for OTP/TOTP ---
 
@@ -144,9 +150,16 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
     // --- POST Request Handling ---
 
     if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $csrfToken = $_POST['csrf_token'] ?? '';
+        if (!verify_csrf_token($csrfToken)) {
+            http_response_code(403);
+            $localAuthError = 'Pedido inválido. Atualize a página e tente novamente.';
+            $localAuthStage = 'email';
+        }
+
         $action = $_POST['action'] ?? null;
 
-        if ($action === 'send_code' && isset($_POST['email'])) {
+        if (!$localAuthError && $action === 'send_code' && isset($_POST['email'])) {
             $emailValue = trim($_POST['email']);
             
             $localAuthStage = 'code';
@@ -186,7 +199,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                     send_login_code_email($user['email'], $user['nome'], $code);
                 }
             }
-        } elseif ($action === 'verify_code' && isset($_POST['email'], $_POST['otp_code'])) {
+        } elseif (!$localAuthError && $action === 'verify_code' && isset($_POST['email'], $_POST['otp_code'])) {
             $emailValue = trim($_POST['email']);
             $localAuthStage = 'code';
             $user = get_user_by_email($emailValue);
@@ -248,7 +261,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
             } else {
                 $localAuthError = 'Código inválido ou expirado. Peça um novo código.';
             }
-        } elseif ($action === 'setup_name' && isset($_POST['nome'])) {
+        } elseif (!$localAuthError && $action === 'setup_name' && isset($_POST['nome'])) {
             if (!isset($_SESSION['pending_user_setup'])) {
                 $localAuthError = 'Sessão expirada. Por favor tente novamente.';
                 $localAuthStage = 'email';
@@ -275,7 +288,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                     exit();
                 }
             }
-        } elseif ($action === 'verify_totp' && isset($_POST['totp_code'])) {
+        } elseif (!$localAuthError && $action === 'verify_totp' && isset($_POST['totp_code'])) {
             if (!isset($_SESSION['pending_totp_user'])) {
                 $localAuthError = 'A sessão expirou. Por favor inicie sessão de novo.';
             } else {
@@ -296,7 +309,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                     $localAuthError = 'Código TOTP inválido. Por favor tente novamente.';
                 }
             }
-        } elseif ($action === 'verify_totp_setup' && isset($_POST['totp_code'])) {
+        } elseif (!$localAuthError && $action === 'verify_totp_setup' && isset($_POST['totp_code'])) {
             if (!isset($_SESSION['pending_totp_user']) || !isset($_SESSION['pending_totp_secret'])) {
                 $localAuthError = 'Sessão expirada. Por favor tente novamente.';
             } else {
@@ -336,7 +349,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
             exit();
         }
         $devModeBanner = is_development_mode() ? '<div style="background-color: #dc3545; color: white; padding: 4px; font-size: 12px; font-weight: bold; text-align: center; position: absolute; top: 0; width: 100%; z-index: 100;">⚠️ MODO DE DESENVOLVIMENTO - Dados de teste | Base de dados de desenvolvimento</div>' : '';
-        $content = $devModeBanner . '<div class="login-box"><h1>Verificação de Segurança</h1><p class="small">Introduza o código do seu autenticador para prosseguir.</p>' . (!empty($localAuthError) ? '<div class="error-msg">' . htmlspecialchars($localAuthError) . '</div>' : '') . '<form method="POST" action="/login/index.php"><input type="hidden" name="action" value="verify_totp"><div class="form-group"><input type="text" name="totp_code" placeholder="Código do autenticador" pattern="\d{6}" maxlength="6" autocomplete="one-time-code" required></div><button type="submit">Autenticar</button></form></div>';
+        $content = $devModeBanner . '<div class="login-box"><h1>Verificação de Segurança</h1><p class="small">Introduza o código do seu autenticador para prosseguir.</p>' . (!empty($localAuthError) ? '<div class="error-msg">' . htmlspecialchars($localAuthError) . '</div>' : '') . '<form method="POST" action="/login/index.php">' . $csrfTokenField . '<input type="hidden" name="action" value="verify_totp"><div class="form-group"><input type="text" name="totp_code" placeholder="Código do autenticador" pattern="\d{6}" maxlength="6" autocomplete="one-time-code" required></div><button type="submit">Autenticar</button></form></div>';
         render_login_template('Verificação de Segurança', $content);
         die();
     }
@@ -354,6 +367,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
         $content .= '<p class="small">Por favor, introduza o seu nome completo.</p>';
         if (!empty($localAuthError)) { $content .= '<div class="error-msg">' . htmlspecialchars($localAuthError) . '</div>'; }
         $content .= '<form method="POST" action="/login/index.php">';
+        $content .= $csrfTokenField;
         $content .= '<input type="hidden" name="action" value="setup_name">';
         $content .= '<div class="form-group"><input type="text" name="nome" placeholder="Nome completo" required></div>';
         $content .= '<button type="submit">Continuar</button>';
@@ -396,6 +410,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
         $content .= '<div class="qr-container"><img src="' . htmlspecialchars($qrCodeImage) . '" alt="QR Code"></div>';
         $content .= '<div class="info-msg"><strong>Código manual:</strong><br><span class="manual-code">' . htmlspecialchars($secret) . '</span></div>';
         $content .= '<form method="POST" action="/login/index.php">';
+        $content .= $csrfTokenField;
         $content .= '<input type="hidden" name="action" value="verify_totp_setup">';
         $content .= '<div class="form-group"><input type="text" name="totp_code" placeholder="Código do autenticador" pattern="\\d{6}" maxlength="6" autocomplete="one-time-code" required></div>';
         $content .= '<button type="submit">Validar e Ativar</button>';
@@ -451,6 +466,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                 <h1>Iniciar Sessão no ClassLink</h1>
                 <?php if ($showDbPicker): ?>
                 <form method="POST" action="/login/index.php" style="margin-bottom: 1rem;">
+                    <?= $csrfTokenField ?>
                     <input type="hidden" name="action" value="select_db">
                     <select name="db_selection" onchange="this.form.submit()" class="form-select" style="max-width: 200px; margin: 0 auto;">
                         <option value="">Selecionar Base de Dados...</option>
@@ -475,6 +491,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
 
                 <?php if ($localAuthStage === 'email'): ?>
                 <form method="POST" action="/login/index.php">
+                    <?= $csrfTokenField ?>
                     <input type="hidden" name="action" value="send_code">
                     <div class="form-group">
                         <input type="email" name="email" placeholder="Endereço Eletrónico" value="<?= htmlspecialchars($emailValue) ?>" required>
@@ -483,6 +500,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                 </form>
                 <?php else: ?>
                 <form method="POST" action="/login/index.php">
+                    <?= $csrfTokenField ?>
                     <input type="hidden" name="action" value="verify_code">
                     <div class="form-group">
                         <input type="email" name="email" placeholder="Endereço Eletrónico" value="<?= htmlspecialchars($emailValue) ?>" readonly style="opacity: 0.7;">
@@ -536,7 +554,15 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
     } else if (isset($_GET['error'])) {
 	?>
 <?php
-    }else if (isset($_GET['code'])){        $now = time();        try {
+    }else if (isset($_GET['code'])){        $now = time();
+        if (!isset($_GET['state']) || !isset($_SESSION['oauth2state']) || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
+            unset($_SESSION['oauth2state']);
+            session_destroy();
+            header('Location: /login/');
+            exit();
+        }
+        unset($_SESSION['oauth2state']);
+        try {
             $accessToken = $provider->getAccessToken('authorization_code', [
                 'code' => $_GET['code']
             ]);
diff --git a/reservar/index.php b/reservar/index.php
index 595b61c..737536e 100644
--- a/reservar/index.php
+++ b/reservar/index.php
@@ -1,11 +1,16 @@
 <?php
 require_once(__DIR__ . '/../src/db.php');
+require_once(__DIR__ . '/../func/csrf.php');
 if (session_status() === PHP_SESSION_NONE) { session_start(); }
 if (!isset($_SESSION['validity']) || $_SESSION['validity'] < time()) {
     http_response_code(403);
     header("Location: /login");
     die("A reencaminhar para iniciar sessão...");
 }
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && !verify_csrf_token($_POST['csrf_token'] ?? '')) {
+    http_response_code(403);
+    die("Pedido inválido. Atualize a página e tente novamente.");
+}
 ?>
 <!DOCTYPE html>
 <html lang="pt">
@@ -120,6 +125,7 @@ function clearBulkUserSelection() {
     <div class="d-flex align-items-center justify-content-center flex-column">
         <p class="h2 fw-light">Reservar uma Sala</p>
         <form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="POST" class="d-flex align-items-center">
+            <?= csrf_token_field(); ?>
             <div class="form-floating me-2">
                 <select class="form-select" id="sala" name="sala" required onchange="this.form.submit();">
                     <?php if ($_POST['sala'] == "0" | !$_POST['sala']) {
@@ -183,6 +189,7 @@ function clearBulkUserSelection() {
         
         echo (
             "<form id='bulkReservationForm' method='POST' action='/reservar/manage.php?subaction=bulk' data-prevent-double-submit>
+            " . csrf_token_field() . "
             <div class='reservation-table-container'>
             <table class='table table-bordered' style='table-layout: fixed; width: 100%; max-width: 70%; margin: 0 auto; font-size: 0.85rem;'><thead><tr><th scope='col' style='font-size: 0.75rem;'>Tempos</th>"
         );
diff --git a/reservar/manage.php b/reservar/manage.php
index 86c2cfd..06f1c9b 100644
--- a/reservar/manage.php
+++ b/reservar/manage.php
@@ -2,6 +2,7 @@
 require_once(__DIR__ . '/../func/logaction.php');
 require_once(__DIR__ . '/../func/email_helper.php');
 require_once(__DIR__ . '/../func/get_config.php');
+require_once(__DIR__ . '/../func/csrf.php');
 require_once(__DIR__ . '/../src/db.php');
 if (session_status() === PHP_SESSION_NONE) { session_start(); }
 if (!isset($_SESSION['validity']) || $_SESSION['validity'] < time()) {
@@ -28,6 +29,11 @@ function saveReservationMaterials($db, $sala, $tempo, $data, $materiais) {
 $id = $_SESSION['id'] ?? null;
 $today = date("Y-m-d");
 
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && !verify_csrf_token($_POST['csrf_token'] ?? '')) {
+    http_response_code(403);
+    die("Pedido inválido. Atualize a página e tente novamente.");
+}
+
 // Bulk POST handling: show messages on page (no redirect)
 if (isset($_GET['subaction']) && $_GET['subaction'] === 'bulk' && $_SERVER['REQUEST_METHOD'] === 'POST') {
     if (!isset($_POST['motivo']) || empty($_POST['motivo'])) {
@@ -685,7 +691,7 @@ function clearUserSelection() {
                             $materiaisResult = $materiaisStmt->get_result();
                             $materiaisStmt->close();
                             
-                            echo "<form action='/reservar/manage.php?subaction=reservar&tempo=" . urlencode($tempo) . "&data=" . urlencode($data) . "&sala=" . urlencode($sala) . "' method='POST' data-prevent-double-submit>
+                            echo "<form action='/reservar/manage.php?subaction=reservar&tempo=" . urlencode($tempo) . "&data=" . urlencode($data) . "&sala=" . urlencode($sala) . "' method='POST' data-prevent-double-submit>" . csrf_token_field() . "
                         <div class='form-floating mb-3'>
                         <input type='text' class='form-control' id='sala' name='sala' placeholder='Sala' value='" . htmlspecialchars($salaextenso, ENT_QUOTES, 'UTF-8') . "' disabled>
                         <label for='sala'>Sala</label>
diff --git a/src/db.php b/src/db.php
index c3b0a4a..fad1dd0 100644
--- a/src/db.php
+++ b/src/db.php
@@ -18,7 +18,9 @@
     
     $db = new mysqli($db['servidor'], $db['user'], $db['password'], $dbName, $db['porta']);
     if ($db->connect_error) {
-        die("Ligação ao servidor falhou: " . $db->connect_error);
+        error_log("ClassLink DB connection failed: " . $db->connect_error);
+        http_response_code(500);
+        die("Ligação ao servidor falhou.");
     }
     $db->set_charset("utf8mb4");
 
@@ -112,4 +114,4 @@
     
     // Constant for pre-registered user ID prefix
     define('PRE_REGISTERED_PREFIX', 'pre_');
-?>
\ No newline at end of file
+?>

From 41d27498efcf16172ac8435d1bacb48a508922ff Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:52:28 +0000
Subject: [PATCH 3/9] fix(security): harden admin API path check and log OAuth
 state failures

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 admin/index.php | 12 +++++++++---
 login/index.php |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/admin/index.php b/admin/index.php
index 3aa85da..32237e5 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -40,7 +40,10 @@
         }
     }
 
-    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $requestPath = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '';
+    $requestPath = '/' . ltrim($requestPath, '/');
+    $isAdminApiRequest = str_starts_with($requestPath, '/admin/api/');
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$isAdminApiRequest) {
         $csrfToken = $_POST['csrf_token'] ?? '';
         if (!verify_csrf_token($csrfToken)) {
             http_response_code(403);
@@ -186,13 +189,16 @@ function sidebarDropdownLink($url, $nome) {
     // Fechar Navbar no HTML, e passar o conteúdo para baixo
     echo "</ul></div></div></nav><div class='container-fluid mt-4 justify-content-center text-center'>";
 
-    $csrfTokenForJs = json_encode(generate_csrf_token());
+    $csrfTokenHtml = htmlspecialchars(generate_csrf_token(), ENT_QUOTES, 'UTF-8');
+    echo "<input type='hidden' id='global-csrf-token' value='{$csrfTokenHtml}'>";
     echo "<script>
         (function() {
-            const csrfToken = {$csrfTokenForJs};
             function ensureCsrf(form) {
                 if (!form || String(form.method).toLowerCase() !== 'post') return;
                 if (!form.querySelector('input[name=\"csrf_token\"]')) {
+                    const tokenSource = document.getElementById('global-csrf-token');
+                    const csrfToken = tokenSource ? tokenSource.value : '';
+                    if (!csrfToken) return;
                     const input = document.createElement('input');
                     input.type = 'hidden';
                     input.name = 'csrf_token';
diff --git a/login/index.php b/login/index.php
index 1f8f614..20f3eb7 100644
--- a/login/index.php
+++ b/login/index.php
@@ -556,8 +556,8 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
 <?php
     }else if (isset($_GET['code'])){        $now = time();
         if (!isset($_GET['state']) || !isset($_SESSION['oauth2state']) || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
+            error_log("ClassLink OAuth state validation failed for callback.");
             unset($_SESSION['oauth2state']);
-            session_destroy();
             header('Location: /login/');
             exit();
         }

From 58df062f5ba594c6967c164b81927ecf06dc1f79 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:53:10 +0000
Subject: [PATCH 4/9] chore(security): enrich OAuth state mismatch audit log
 context

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 login/index.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/login/index.php b/login/index.php
index 20f3eb7..218c26e 100644
--- a/login/index.php
+++ b/login/index.php
@@ -556,7 +556,8 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
 <?php
     }else if (isset($_GET['code'])){        $now = time();
         if (!isset($_GET['state']) || !isset($_SESSION['oauth2state']) || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
-            error_log("ClassLink OAuth state validation failed for callback.");
+            $clientIp = function_exists('get_client_ip') ? get_client_ip() : 'unknown';
+            error_log("ClassLink OAuth state validation failed for callback. ip={$clientIp}; session_id=" . session_id());
             unset($_SESSION['oauth2state']);
             header('Location: /login/');
             exit();

From c460324e8e742c7b7b8d7feb2b41c7e328004387 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:53:59 +0000
Subject: [PATCH 5/9] fix(security): enforce early CSRF rejection and tighten
 admin API path matching

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 admin/index.php |  2 +-
 login/index.php | 18 ++++++++----------
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/admin/index.php b/admin/index.php
index 32237e5..8955808 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -42,7 +42,7 @@
 
     $requestPath = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '';
     $requestPath = '/' . ltrim($requestPath, '/');
-    $isAdminApiRequest = str_starts_with($requestPath, '/admin/api/');
+    $isAdminApiRequest = preg_match('#^/admin/api(?:/[A-Za-z0-9._-]+)?$#', $requestPath) === 1;
     if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$isAdminApiRequest) {
         $csrfToken = $_POST['csrf_token'] ?? '';
         if (!verify_csrf_token($csrfToken)) {
diff --git a/login/index.php b/login/index.php
index 218c26e..751eab4 100644
--- a/login/index.php
+++ b/login/index.php
@@ -150,16 +150,14 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
     // --- POST Request Handling ---
 
     if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-        $csrfToken = $_POST['csrf_token'] ?? '';
-        if (!verify_csrf_token($csrfToken)) {
+        if (!verify_csrf_token($_POST['csrf_token'] ?? '')) {
             http_response_code(403);
-            $localAuthError = 'Pedido inválido. Atualize a página e tente novamente.';
-            $localAuthStage = 'email';
+            die('Pedido inválido. Atualize a página e tente novamente.');
         }
 
         $action = $_POST['action'] ?? null;
 
-        if (!$localAuthError && $action === 'send_code' && isset($_POST['email'])) {
+        if ($action === 'send_code' && isset($_POST['email'])) {
             $emailValue = trim($_POST['email']);
             
             $localAuthStage = 'code';
@@ -199,7 +197,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                     send_login_code_email($user['email'], $user['nome'], $code);
                 }
             }
-        } elseif (!$localAuthError && $action === 'verify_code' && isset($_POST['email'], $_POST['otp_code'])) {
+        } elseif ($action === 'verify_code' && isset($_POST['email'], $_POST['otp_code'])) {
             $emailValue = trim($_POST['email']);
             $localAuthStage = 'code';
             $user = get_user_by_email($emailValue);
@@ -261,7 +259,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
             } else {
                 $localAuthError = 'Código inválido ou expirado. Peça um novo código.';
             }
-        } elseif (!$localAuthError && $action === 'setup_name' && isset($_POST['nome'])) {
+        } elseif ($action === 'setup_name' && isset($_POST['nome'])) {
             if (!isset($_SESSION['pending_user_setup'])) {
                 $localAuthError = 'Sessão expirada. Por favor tente novamente.';
                 $localAuthStage = 'email';
@@ -288,7 +286,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                     exit();
                 }
             }
-        } elseif (!$localAuthError && $action === 'verify_totp' && isset($_POST['totp_code'])) {
+        } elseif ($action === 'verify_totp' && isset($_POST['totp_code'])) {
             if (!isset($_SESSION['pending_totp_user'])) {
                 $localAuthError = 'A sessão expirou. Por favor inicie sessão de novo.';
             } else {
@@ -309,7 +307,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
                     $localAuthError = 'Código TOTP inválido. Por favor tente novamente.';
                 }
             }
-        } elseif (!$localAuthError && $action === 'verify_totp_setup' && isset($_POST['totp_code'])) {
+        } elseif ($action === 'verify_totp_setup' && isset($_POST['totp_code'])) {
             if (!isset($_SESSION['pending_totp_user']) || !isset($_SESSION['pending_totp_secret'])) {
                 $localAuthError = 'Sessão expirada. Por favor tente novamente.';
             } else {
@@ -556,7 +554,7 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
 <?php
     }else if (isset($_GET['code'])){        $now = time();
         if (!isset($_GET['state']) || !isset($_SESSION['oauth2state']) || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
-            $clientIp = function_exists('get_client_ip') ? get_client_ip() : 'unknown';
+            $clientIp = get_client_ip();
             error_log("ClassLink OAuth state validation failed for callback. ip={$clientIp}; session_id=" . session_id());
             unset($_SESSION['oauth2state']);
             header('Location: /login/');

From a74ca66dc359ee2118fa0f8933ea5acf3a3680dc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:54:40 +0000
Subject: [PATCH 6/9] chore(security): broaden admin API path regex for nested
 routes

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 admin/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/index.php b/admin/index.php
index 8955808..8eb76c3 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -42,7 +42,7 @@
 
     $requestPath = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '';
     $requestPath = '/' . ltrim($requestPath, '/');
-    $isAdminApiRequest = preg_match('#^/admin/api(?:/[A-Za-z0-9._-]+)?$#', $requestPath) === 1;
+    $isAdminApiRequest = preg_match('#^/admin/api(?:/[A-Za-z0-9._/-]+)?$#', $requestPath) === 1;
     if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$isAdminApiRequest) {
         $csrfToken = $_POST['csrf_token'] ?? '';
         if (!verify_csrf_token($csrfToken)) {

From d3d099651b5ebedd12576b481a2625a78c00c742 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:55:35 +0000
Subject: [PATCH 7/9] fix(security): normalize admin API path checks and hash
 OAuth session audit ids

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 admin/index.php | 5 ++++-
 login/index.php | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/admin/index.php b/admin/index.php
index 8eb76c3..b8cdb90 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -41,8 +41,11 @@
     }
 
     $requestPath = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '';
+    $requestPath = rawurldecode($requestPath);
+    $requestPath = str_replace('\\', '/', $requestPath);
+    $requestPath = preg_replace('#/+#', '/', $requestPath);
     $requestPath = '/' . ltrim($requestPath, '/');
-    $isAdminApiRequest = preg_match('#^/admin/api(?:/[A-Za-z0-9._/-]+)?$#', $requestPath) === 1;
+    $isAdminApiRequest = str_starts_with($requestPath, '/admin/api/') && !str_contains($requestPath, '/../');
     if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$isAdminApiRequest) {
         $csrfToken = $_POST['csrf_token'] ?? '';
         if (!verify_csrf_token($csrfToken)) {
diff --git a/login/index.php b/login/index.php
index 751eab4..896f8c6 100644
--- a/login/index.php
+++ b/login/index.php
@@ -553,9 +553,10 @@ function start_authenticated_session($userId, $userName, $userEmail, $isAdmin) {
 	?>
 <?php
     }else if (isset($_GET['code'])){        $now = time();
-        if (!isset($_GET['state']) || !isset($_SESSION['oauth2state']) || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
+        if (!isset($_GET['state']) || !isset($_SESSION['oauth2state']) || $_GET['state'] === '' || $_SESSION['oauth2state'] === '' || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
             $clientIp = get_client_ip();
-            error_log("ClassLink OAuth state validation failed for callback. ip={$clientIp}; session_id=" . session_id());
+            $sessionHash = substr(hash('sha256', session_id()), 0, 8);
+            error_log("ClassLink OAuth state validation failed for callback. ip={$clientIp}; session_hash={$sessionHash}");
             unset($_SESSION['oauth2state']);
             header('Location: /login/');
             exit();

From c10b25a777da3b0d14e2f45ebd176d773a79baa7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 23:56:18 +0000
Subject: [PATCH 8/9] chore(security): handle malformed request URIs in admin
 API path detection

Agent-Logs-Url: https://github.com/marpisco/ClassLink/sessions/915c369e-d638-4384-89f9-6bf45604b511

Co-authored-by: marpisco <162377105+marpisco@users.noreply.github.com>
---
 admin/index.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/admin/index.php b/admin/index.php
index b8cdb90..d97889c 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -40,12 +40,16 @@
         }
     }
 
-    $requestPath = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '';
+    $parsedRequestPath = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH);
+    if ($parsedRequestPath === false) {
+        $parsedRequestPath = '';
+    }
+    $requestPath = $parsedRequestPath;
     $requestPath = rawurldecode($requestPath);
     $requestPath = str_replace('\\', '/', $requestPath);
     $requestPath = preg_replace('#/+#', '/', $requestPath);
     $requestPath = '/' . ltrim($requestPath, '/');
-    $isAdminApiRequest = str_starts_with($requestPath, '/admin/api/') && !str_contains($requestPath, '/../');
+    $isAdminApiRequest = str_starts_with($requestPath, '/admin/api/');
     if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$isAdminApiRequest) {
         $csrfToken = $_POST['csrf_token'] ?? '';
         if (!verify_csrf_token($csrfToken)) {

From 549d983109e3adf8b7c0097164196d76b66c19bd Mon Sep 17 00:00:00 2001
From: Marco Pisco <marco@marcopisco.com>
Date: Sat, 23 May 2026 13:59:16 +0000
Subject: [PATCH 9/9] =?UTF-8?q?fix(security):=20complete=20security=20revi?=
 =?UTF-8?q?ew=20=E2=80=94=20CSRF=20hardening,=20prepared=20statements,=20t?=
 =?UTF-8?q?ransactions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- materiais.php: Convert apagar action from GET to POST with CSRF token;
  add explicit CSRF token fields to criar_completo and update forms
- reservaemmassa.php: Add transaction wrapper (begin/commit/rollback) to
  CSV import and mass reservation loops for atomicity; add explicit CSRF
  token to mass reservation form; use separate insertErrorCount to avoid
  rollback on validation-only errors
- reservar/manage.php: Replace all $db->query() with real_escape_string()
  (6 occurrences) with prepared statements per coding rules
---
 admin/materiais.php      | 12 +++++++++---
 admin/reservaemmassa.php | 20 ++++++++++++++++++++
 reservar/manage.php      | 38 ++++++++++++++++++++++++++++++++------
 3 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/admin/materiais.php b/admin/materiais.php
index 92ebca0..0a83b17 100644
--- a/admin/materiais.php
+++ b/admin/materiais.php
@@ -132,6 +132,7 @@
         echo "<div class='alert alert-info fade show' role='alert'>Completar informações do material</div>";
         ?>
         <form action="materiais.php?action=criar_completo" method="POST" class="mb-3">
+            <?= csrf_token_field(); ?>
             <div class="form-floating mb-2">
                 <input type="text" class="form-control" id="nomematerial" name="nomematerial" placeholder="Nome do Material" value="<?php echo htmlspecialchars($_POST['nomematerial'], ENT_QUOTES, 'UTF-8'); ?>" required>
                 <label for="nomematerial">Nome do Material</label>
@@ -175,13 +176,13 @@
         
     // Delete material
     case "apagar":
-        if (!isset($_GET['id'])) {
+        if (!isset($_POST['id'])) {
             echo "<div class='alert alert-danger fade show' role='alert'>ID inválido.</div>";
             break;
         }
         
         $stmt = $db->prepare("DELETE FROM materiais WHERE id = ?");
-        $stmt->bind_param("s", $_GET['id']);
+        $stmt->bind_param("s", $_POST['id']);
         $stmt->execute();
         $stmt->close();
         acaoexecutada("Eliminação de Material");
@@ -208,6 +209,7 @@
         echo "<div class='alert alert-warning fade show' role='alert'>A editar o Material <b>" . htmlspecialchars($d['nome'], ENT_QUOTES, 'UTF-8') . "</b>.</div>";
         ?>
         <form action="materiais.php?action=update&id=<?php echo urlencode($d['id']); ?>" method="POST" class="mb-3">
+            <?= csrf_token_field(); ?>
             <div class="form-floating mb-2">
                 <input type="text" class="form-control" id="nomematerial" name="nomematerial" placeholder="Nome do Material" value="<?php echo htmlspecialchars($d['nome'], ENT_QUOTES, 'UTF-8'); ?>" required>
                 <label for="nomematerial">Nome do Material</label>
@@ -298,7 +300,11 @@
         echo "<td><span class='badge bg-info'>{$salaNome}</span></td>";
         echo "<td>";
         echo "<a href='/admin/materiais.php?action=edit&id={$idEnc}' class='btn btn-sm btn-outline-primary me-1'>Editar</a>";
-        echo "<a href='/admin/materiais.php?action=apagar&id={$idEnc}' class='btn btn-sm btn-outline-danger' onclick='return confirm(\"Tem a certeza que pretende apagar este material?\");'>Apagar</a>";
+        echo "<form action='/admin/materiais.php?action=apagar' method='POST' style='display:inline;' onsubmit='return confirm(\"Tem a certeza que pretende apagar este material?\");'>";
+        echo csrf_token_field();
+        echo "<input type='hidden' name='id' value='{$idEnc}'>";
+        echo "<button type='submit' class='btn btn-sm btn-outline-danger'>Apagar</button>";
+        echo "</form>";
         echo "</td>";
         echo "</tr>";
     }
diff --git a/admin/reservaemmassa.php b/admin/reservaemmassa.php
index 71efdeb..c924dfc 100644
--- a/admin/reservaemmassa.php
+++ b/admin/reservaemmassa.php
@@ -296,9 +296,12 @@ function validateForm(event) {
         $stmtCheck = $db->prepare("SELECT 1 FROM reservas WHERE sala = ? AND tempo = ? AND data = ? LIMIT 1");
         $stmtInsert = $db->prepare("INSERT INTO reservas (sala, tempo, data, requisitor, aprovado, motivo, extra) VALUES (?, ?, ?, ?, 1, ?, ?)");
 
+        $db->begin_transaction();
+
         $lineNumber = 0;
         $successCount = 0;
         $errorCount = 0;
+        $insertErrorCount = 0;
         $duplicateCount = 0;
         $errors = [];
         $maxDisplayedErrors = 10;
@@ -375,10 +378,17 @@ function validateForm(event) {
                 $successCount++;
             } else {
                 $errorCount++;
+                $insertErrorCount++;
                 $recordError("Linha {$lineNumber}: Erro ao inserir reserva.");
             }
         }
 
+        if ($insertErrorCount > 0) {
+            $db->rollback();
+        } else {
+            $db->commit();
+        }
+
         $stmtSalaExists->close();
         $stmtRequisitorExists->close();
         $stmtTempoExists->close();
@@ -462,6 +472,7 @@ function validateForm(event) {
 </div>
 
 <form id="massReservationForm" action="reservaemmassa.php" method="POST" class="mt-4">
+    <?= csrf_token_field(); ?>
     <div class="row mb-3">
         <div class="col-md-6">
             <div class="form-floating">
@@ -690,6 +701,8 @@ function validateForm(event) {
                 $reservas_duplicadas = 0;
                 $erros = [];
                 $num_semanas = 0;
+                $db->begin_transaction();
+
                 
                 // Create reservations for each week until we pass the end date
                 $current_date = $first_date;
@@ -740,6 +753,13 @@ function validateForm(event) {
                 }
                 
                 // Send email notification to the user if any reservations were created
+                if (!empty($erros)) {
+                    $db->rollback();
+                    $reservas_criadas = 0;
+                } else {
+                    $db->commit();
+                }
+
                 if ($reservas_criadas > 0) {
                     sendRecurringWeeklyReservationsEmail(
                         $db,
diff --git a/reservar/manage.php b/reservar/manage.php
index cc4a222..b36aa7f 100644
--- a/reservar/manage.php
+++ b/reservar/manage.php
@@ -102,7 +102,12 @@ function saveReservationMaterials($db, $sala, $tempo, $data, $materiais) {
             $bulkRequisitor = $requisitor;
             $lastSlotSala = $slotSala;
 
-            $requisitorEmail = ($requisitor === $id) ? $_SESSION['email'] : ($db->query("SELECT email FROM cache WHERE id='" . $db->real_escape_string($requisitor) . "'")->fetch_assoc()['email'] ?? '');
+            $requisitorEmailStmt = $db->prepare("SELECT email FROM cache WHERE id = ?");
+            $requisitorEmailStmt->bind_param("s", $requisitor);
+            $requisitorEmailStmt->execute();
+            $requisitorEmailResult = $requisitorEmailStmt->get_result();
+            $requisitorEmail = ($requisitor === $id) ? $_SESSION['email'] : ($requisitorEmailResult->fetch_assoc()['email'] ?? '');
+            $requisitorEmailStmt->close();
             $internalDomain = get_app_config('internal_email_domain', '');
             $isInternalUser = !empty($internalDomain) && str_ends_with(strtolower($requisitorEmail), '@' . $internalDomain);
             $aprovado = ($salaInfo['tipo_sala'] == 2 && $isInternalUser) ? 1 : 0;
@@ -113,10 +118,22 @@ function saveReservationMaterials($db, $sala, $tempo, $data, $materiais) {
             if ($stmt->execute()) {
                 $successCount++;
                 saveReservationMaterials($db, $slotSala, $slotTempo, $slotData, $_POST['materiais'] ?? null);
-                $salaNome = $db->query("SELECT nome FROM salas WHERE id='" . $db->real_escape_string($slotSala) . "'")->fetch_assoc()['nome'] ?? $slotSala;
-                $tempoNome = $db->query("SELECT horashumanos FROM tempos WHERE id='" . $db->real_escape_string($slotTempo) . "'")->fetch_assoc()['horashumanos'] ?? $slotTempo;
+                $salaNomeStmt = $db->prepare("SELECT nome FROM salas WHERE id = ?");
+                $salaNomeStmt->bind_param("s", $slotSala);
+                $salaNomeStmt->execute();
+                $salaNome = $salaNomeStmt->get_result()->fetch_assoc()['nome'] ?? $slotSala;
+                $salaNomeStmt->close();
+                $tempoNomeStmt = $db->prepare("SELECT horashumanos FROM tempos WHERE id = ?");
+                $tempoNomeStmt->bind_param("s", $slotTempo);
+                $tempoNomeStmt->execute();
+                $tempoNome = $tempoNomeStmt->get_result()->fetch_assoc()['horashumanos'] ?? $slotTempo;
+                $tempoNomeStmt->close();
                 if ($_SESSION['admin'] && $requisitor != $id) {
-                    $userName = $db->query("SELECT nome FROM cache WHERE id='" . $db->real_escape_string($requisitor) . "'")->fetch_assoc()['nome'] ?? 'Utilizador';
+                    $userNameStmt = $db->prepare("SELECT nome FROM cache WHERE id = ?");
+                    $userNameStmt->bind_param("s", $requisitor);
+                    $userNameStmt->execute();
+                    $userName = $userNameStmt->get_result()->fetch_assoc()['nome'] ?? 'Utilizador';
+                    $userNameStmt->close();
                     logaction("Criou uma reserva para o utilizador '{$userName}': sala '{$salaNome}' no dia {$slotData} às {$tempoNome}", $_SESSION['id']);
                 } else {
                     logaction("Criou uma reserva: sala '{$salaNome}' no dia {$slotData} às {$tempoNome}", $requisitor);
@@ -134,7 +151,11 @@ function saveReservationMaterials($db, $sala, $tempo, $data, $materiais) {
         $out .= ($isAutonomous) ? "<div class='alert alert-success'><h4 class='alert-heading'>Reservas Aprovadas!</h4><p class='mb-0'>{$successCount} reserva(s) criada(s) com sucesso e aprovadas automaticamente.</p></div>" : "<div class='alert alert-success'><h4 class='alert-heading'>Reservas Submetidas!</h4><p class='mb-0'>{$successCount} reserva(s) criada(s) com sucesso e submetidas para aprovação.</p></div>";
         if (count($failedSlots) > 0) $out .= "<div class='alert alert-warning'><strong>Algumas reservas falharam:</strong><br>" . implode('<br>', $failedSlots) . "</div>";
         if ($successCount > 0 && isset($lastSlotSala)) {
-            $salaData = $db->query("SELECT nome, post_reservation_content FROM salas WHERE id='" . $db->real_escape_string($lastSlotSala) . "'")->fetch_assoc();
+            $salaDataStmt = $db->prepare("SELECT nome, post_reservation_content FROM salas WHERE id = ?");
+            $salaDataStmt->bind_param("s", $lastSlotSala);
+            $salaDataStmt->execute();
+            $salaData = $salaDataStmt->get_result()->fetch_assoc();
+            $salaDataStmt->close();
             if (!empty($salaData['post_reservation_content'])) {
                 $out .= "<div class='card mb-3'><div class='card-body'><h5 class='card-title'>Informações Importantes - " . htmlspecialchars($salaData['nome'], ENT_QUOTES, 'UTF-8') . "</h5><div class='post-reservation-content'>" . $salaData['post_reservation_content'] . "</div></div></div>";
             }
@@ -176,7 +197,12 @@ function saveReservationMaterials($db, $sala, $tempo, $data, $materiais) {
                 if ($userExists) $requisitor = $_POST['requisitor_id'];
             }
 
-            $requisitorEmail = ($requisitor === $id) ? $_SESSION['email'] : ($db->query("SELECT email FROM cache WHERE id='" . $db->real_escape_string($requisitor) . "'")->fetch_assoc()['email'] ?? '');
+            $requisitorEmailStmt = $db->prepare("SELECT email FROM cache WHERE id = ?");
+            $requisitorEmailStmt->bind_param("s", $requisitor);
+            $requisitorEmailStmt->execute();
+            $requisitorEmailResult = $requisitorEmailStmt->get_result();
+            $requisitorEmail = ($requisitor === $id) ? $_SESSION['email'] : ($requisitorEmailResult->fetch_assoc()['email'] ?? '');
+            $requisitorEmailStmt->close();
             $internalDomain = get_app_config('internal_email_domain', '');
             $isInternalUser = !empty($internalDomain) && str_ends_with(strtolower($requisitorEmail), '@' . $internalDomain);
             $aprovado = ($salaInfo['tipo_sala'] == 2 && $isInternalUser) ? 1 : 0;