Update: 2026-06-15 19:39:21

This commit is contained in:
Hamza-Ayed
2026-06-15 19:39:21 +03:00
parent c472a78416
commit 04943e3d52
23 changed files with 1497 additions and 324 deletions


@@ -57,6 +57,7 @@ error_log("[add_ride] Request started. passenger_id=" . ($_POST['passenger_id']
$start_location = filterRequest("start_location");
$end_location = filterRequest("end_location");
$price = filterRequest("price");
$price_token = filterRequest("price_token");
$passenger_id = filterRequest("passenger_id");
$driver_id = filterRequest("driver_id") ?: 0;
$status = filterRequest("status");
@@ -82,6 +83,15 @@ $step2 = filterRequest("step2");
$step3 = filterRequest("step3");
$step4 = filterRequest("step4");
// Helper to compare coordinates (allowing slight GPS precision drift up to ~500m)
function coordsMatch($coordStr1, $coordStr2, $tolerance = 0.005) {
if (empty($coordStr1) || empty($coordStr2)) return false;
$c1 = array_map('floatval', explode(',', $coordStr1));
$c2 = array_map('floatval', explode(',', $coordStr2));
if (count($c1) < 2 || count($c2) < 2) return false;
return (abs($c1[0] - $c2[0]) < $tolerance) && (abs($c1[1] - $c2[1]) < $tolerance);
}
// Validation
if (empty($passenger_id) || empty($start_location) || empty($end_location) || empty($price)) {
error_log("[add_ride] Validation failed — missing required fields.");
@@ -89,6 +99,50 @@ if (empty($passenger_id) || empty($start_location) || empty($end_location) || em
exit;
}
// SECURE PRICE TOKEN VERIFICATION
if (empty($price_token)) {
error_log("[add_ride] Security failed — price_token is missing.");
printFailure("Secure price token is required");
exit;
}
$decrypted = isset($encryptionHelper) ? $encryptionHelper->decryptData($price_token) : false;
if (!$decrypted) {
error_log("[add_ride] Security failed — failed to decrypt price_token.");
printFailure("Invalid or tampered price token");
exit;
}
$tokenData = json_decode($decrypted, true);
if (!$tokenData || !isset($tokenData['expires']) || $tokenData['expires'] < time()) {
error_log("[add_ride] Security failed — token is expired or invalid JSON.");
printFailure("Price token has expired, please request estimation again");
exit;
}
if ($tokenData['passenger_id'] != $passenger_id) {
error_log("[add_ride] Security failed — passenger_id mismatch.");
printFailure("Tampered price token (passenger mismatch)");
exit;
}
if (!coordsMatch($tokenData['start_location'], $start_location) || !coordsMatch($tokenData['end_location'], $end_location)) {
error_log("[add_ride] Security failed — coordinates mismatch. Token: " . ($tokenData['start_location'] . " / " . $tokenData['end_location']) . " Request: " . ($start_location . " / " . $end_location));
printFailure("Tampered price token (route mismatch)");
exit;
}
if (!isset($tokenData['prices'][$carType])) {
error_log("[add_ride] Security failed — car type $carType not found in token.");
printFailure("Invalid car type for this token");
exit;
}
// Securely override pricing from the cryptographically signed token
$price = $tokenData['prices'][$carType]['price'];
$price_for_driver = $tokenData['prices'][$carType]['driver_price'];
$price_for_passenger = $price;
// ── 2. تنسيق التواريخ ─────────────────────────────────────────
$date_formatted = date("Y-m-d");
$time_formatted = date("H:i:s");
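Review bot: On `$decrypted = isset($encryptionHelper) ? $encryptionHelper->decryptData($price_token) : false;` an absent helper falls through to the "Invalid or tampered price token" branch, so a server-side misconfiguration is logged and reported exactly like a tampering attempt; guard it separately before decrypting, e.g. `if (!isset($encryptionHelper)) { error_log("[add_ride] Config error — encryption helper unavailable."); printFailure("Server configuration error"); exit; }`. The passenger check `if ($tokenData['passenger_id'] != $passenger_id)` uses loose comparison, which treats numerically-equal strings as the same value; compare as strings, `if ((string) $tokenData['passenger_id'] !== (string) $passenger_id)`. The `isset($tokenData['prices'][$carType])` guard does not cover the nested `price` and `driver_price` keys read a few lines later, and `$carType` is not assigned in any visible hunk — presumably it is set in the lines between hunks, which is worth confirming. The comment "Securely override pricing from the cryptographically signed token" is only true if `decryptData` uses authenticated encryption; the helper is not on this page, so I would reword it to `// Override pricing from the token; integrity relies on decryptData rejecting modified ciphertext` until that is confirmed.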