xamxam/app/public/admin/actions/filepond/process.php

<?php
/**
 * FilePond process endpoint — receives one file per request (admin).
 *
 * POST /admin/actions/filepond/process.php
 * Headers:  X-CSRF-Token
 * Fields:   file (multipart), queue_type (string)
 *
 * Returns plain text file_id on success (200), or error message on failure (4xx).
 */

require_once __DIR__ . '/../../../../bootstrap.php';
require_once __DIR__ . '/../../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../../src/FilepondHandler.php';

// ── Auth (admin only) ────────────────────────────────────────────────────
AdminAuth::requireLogin();

// ── CSRF via header ──────────────────────────────────────────────────────
$csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
    error_log('[filepond:admin:process] CSRF FAIL');
    http_response_code(403);
    die('Token CSRF invalide.');
}

$handler = new FilepondHandler('[filepond:admin]');
$handler->handleProcess();