fix: allow booking submission from the booking page when embedded in an iframe

Booking::register ran a custom CSRF check that compared the submitted
csrf_token field against the csrf_cookie value read from the request
cookies. When the booking page is embedded in a cross-origin iframe,
browsers do not send that cookie along with the POST (SameSite /
third-party cookie restrictions), so the check failed with 'Security
validation failed. Please refresh the page and try again.'.

The booking/* URI is already excluded from the global CSRF protection,
and Booking::register has its own rate limiting, CAPTCHA / ALTCHA
verification (when enabled) and strict input validation, so the
duplicate cookie-based check provided no additional security while
breaking iframe embedding. Removed it.

Author: alextselegidis

CHANGELOG.md

@@ -7,6 +7,7 @@ developers to maintain and readjust their custom modifications on the main proje
 
 ### Fixed
 
+- Submitting a booking from the public booking page no longer fails with "Security validation failed. Please refresh the page and try again." when the booking page is embedded in a cross-origin iframe
 - Changing the language from the public booking page no longer fails with "The action you have requested is not allowed" when the booking page is embedded in a cross-origin iframe
 - Public booking flow endpoints (registration, available hours, unavailable dates, booking confirmation, booking cancellation, CAPTCHA image, ALTCHA challenge, personal information deletion) now allow being embedded in an iframe, so the booking page works correctly on third-party websites
 

application/controllers/Booking.php

@@ -82,22 +82,6 @@ public function __construct()
         $this->load->library('jitsi_client');
     }
 
-    /**
-     * Verify CSRF token for booking submissions.
-     *
-     * @throws RuntimeException If CSRF token is invalid.
-     */
-    private function verify_csrf_token(): void
-    {
-        $csrf_token = request('csrf_token') ?? $this->input->get_request_header('X-CSRF');
-        $csrf_cookie = $this->input->cookie('csrf_cookie');
-
-        if (empty($csrf_token) || empty($csrf_cookie) || !hash_equals($csrf_cookie, $csrf_token)) {
-            log_message('error', 'Invalid CSRF token in booking request from IP: ' . $this->input->ip_address());
-            throw new RuntimeException('Security validation failed. Please refresh the page and try again.');
-        }
-    }
-
     /**
      * Render the booking page and display the selected appointment.
      *
@@ -374,9 +358,6 @@ public function register(): void
 
             allow_iframe_embedding(); // Reached from the booking page which may be embedded in an iframe.
 
-            // Verify CSRF token for booking submissions
-            $this->verify_csrf_token();
-
             $disable_booking = setting('disable_booking');
 
             if ($disable_booking) {