Application Scope
Development progress & changelog
Two-Factor Authentication Admin Controls
Admin settings to enable/disable 2FA site-wide and require 2FA for admin accounts. Includes live adoption stats showing users and admins with 2FA enabled.
Web Scraper Protection
robots.txt is dynamically generated to block scrapers from the resource and download folders, with an admin toggle to enable or disable scraper protection. Because robots.txt is advisory, this only affects crawlers that honour it.
Admin GET Action Protection
All destructive GET-based admin actions (delete/toggle for announcements, ads, resources, paths, lessons, classrooms, API keys) now require a CSRF token and cast IDs to integer to prevent injection.
Learning API Input Hardening
All 7 input handlers in api/learn.php now use InputSanitizer: enrollment, lesson completion, bookmarks, and path import. Slug validation, score range enforcement, and lesson content sanitization added.
Classroom API Input Hardening
All 12 input handlers in api/classroom.php now use InputSanitizer: class creation, assignments, discussions, grading, rubrics, bulk import, and moderation. Array type checks added for nested inputs.
Input Sanitization Library
New InputSanitizer class with 10 methods: text, richText, positiveInt, float, enum, email, url, slug, csvList, and json. Strips dangerous HTML (scripts, iframes, event handlers, JS URIs) while preserving safe formatting tags.
CSRF Protection on Admin Panel
All admin POST forms (settings, announcements, ads, resources, learning paths, lessons) now include CSRF tokens. All destructive GET actions (delete, toggle) require a valid token parameter. Uses Auth::generateCsrfToken/verifyCsrfToken with 2-hour expiry.
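The token check on destructive GET actions described in the two CSRF entries above, as an added PHP illustration that is not the project's Auth class: the session layout, the function bodies and the `token` query parameter are assumptions, while the two-hour expiry and the integer cast follow the entries.

```php
<?php
declare(strict_types=1);
// Added illustration, not the project's Auth class; session is an assumed plain array.
const CSRF_TTL = 2 * 60 * 60; // two-hour expiry, as in the changelog entry

// Issue a random token and record when it was created.
function generateCsrfToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf'] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Reject missing, non-string, expired or mismatched tokens; compare in constant time.
function verifyCsrfToken(array $session, mixed $candidate, int $now): bool
{
    if (!isset($session['csrf']) || !is_string($candidate)) {
        return false;
    }
    if ($now - $session['csrf']['issued'] > CSRF_TTL) {
        return false; // token older than two hours
    }
    return hash_equals($session['csrf']['token'], $candidate);
}

// Guard for a destructive GET action (?action=delete&id=7&token=...): returns the
// integer ID to act on, or null when the request must be refused. The (int) cast
// keeps only a leading integer ("7abc" becomes 7, "abc" becomes 0).
function authorizeDestructiveGet(array $query, array $session, int $now): ?int
{
    if (!verifyCsrfToken($session, $query['token'] ?? null, $now)) {
        return null;
    }
    $id = (int) ($query['id'] ?? 0);
    return $id > 0 ? $id : null; // never act on id 0 from non-numeric input
}

// Constructed usage: valid request, wrong token, expired token, junk ID.
$session = [];
$token = generateCsrfToken($session);
$now = time();
foreach ([
    ['id' => '7', 'token' => $token, 'at' => $now],
    ['id' => '7', 'token' => 'bogus', 'at' => $now],
    ['id' => '7', 'token' => $token, 'at' => $now + CSRF_TTL + 1],
    ['id' => 'abc', 'token' => $token, 'at' => $now],
] as $case) {
    var_dump(authorizeDestructiveGet($case, $session, $case['at']));
}
```

Because the token travels in the query string it can land in server logs and Referer headers, which is why the short expiry matters and why a POST form carrying the same token is the safer shape for deletes.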
Admin Auth Hardening
Replaced hardcoded admin credentials with the Auth system. Admin panel now requires login via the users table with role-based access control — only admin and superadmin roles are permitted. Includes full Auth features: rate limiting, account lockout, and session management.
API Rate Limiting
RateLimiter and ApiMiddleware classes enforce per-key hourly rate limits with X-RateLimit headers and 429 responses.
API Key Registration: Login Required
API key requests now require authenticated users. Form pre-fills name and email from user profile. Non-logged-in users see a login prompt.