Update: 2026-06-29 01:10:32

backend/.env.example

@@ -120,9 +120,10 @@ NABEH_API_KEY=<CHANGE_ME_SHARED_SECRET>
 SECRET_KEY_HMAC=<CHANGE_ME_HMAC_SECRET_FOR_SIGNED_URLS>
 
 # =============================================================================
-# Security Configuration - Fingerprint
+# Security Configuration - Fingerprint & Testers
 # =============================================================================
 FP_PEPPER=<CHANGE_ME_FINGERPRINT_PEPPER>
+ALLOWED_TESTER_EMAILS=driver_tester@siromove.com,passenger_tester@siromove.com
 
 # =============================================================================
 # Gemini AI Configuration

backend/auth/captin/loginUsingCredentialsWithoutGoogle.php

@@ -11,6 +11,31 @@ $password = filterRequest('password');
 $audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي
 $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
 
+// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
+$rateLimiter = new RateLimiter($redis);
+$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
+
+if (!$email || !$password) {
+    echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
+    exit();
+}
+
+// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
+$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
+$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
+if (empty($allowedEmails)) {
+    $allowedEmails = [
+        'driver_tester@siromove.com',
+        'passenger_tester@siromove.com',
+    ];
+}
+$cleanEmail = strtolower(trim($email));
+$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
+if (!$isTester) {
+    echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
+    exit();
+}
+
 // تشفير الإيميل لاستخدامه في الاستعلام
 $encryptedEmail = $encryptionHelper->encryptData($email);
 

backend/auth/loginUsingCredentialsWithoutGooglePassenger.php

@@ -9,11 +9,27 @@ $password = filterRequest("password");
 $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
 $audience = filterRequest('aud') ?: 'siro_passenger';
 
+// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
+$rateLimiter = new RateLimiter($redis);
+$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
+
 if (!$email || !$password) {
     echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
     exit();
 }
 
+// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
+$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
+$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
+
+
+$cleanEmail = strtolower(trim($email));
+$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
+if (!$isTester) {
+    echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
+    exit();
+}
+
 try {
     $con = Database::get('main');
     

backend/core/Auth/RateLimiter.php

@@ -10,12 +10,13 @@ class RateLimiter
 
     // حدود مختلفة لكل نوع endpoint
     private const LIMITS = [
-        'login'      => ['requests' => 5,   'window' => 60],   // 5 محاولات / دقيقة
-        'otp'        => ['requests' => 3,   'window' => 300],  // 3 محاولات / 5 دقائق
-        'register'   => ['requests' => 3,   'window' => 3600], // 3 محاولات / ساعة
-        'api'        => ['requests' => 120, 'window' => 60],   // 120 طلب / دقيقة
-        'ride'       => ['requests' => 30,  'window' => 60],   // 30 طلب / دقيقة
-        'upload'     => ['requests' => 10,  'window' => 300],  // 10 رفع / 5 دقائق
+        'login'        => ['requests' => 5,   'window' => 60],   // 5 محاولات / دقيقة
+        'tester_login' => ['requests' => 3,   'window' => 60],   // 3 محاولات / دقيقة
+        'otp'          => ['requests' => 3,   'window' => 300],  // 3 محاولات / 5 دقائق
+        'register'     => ['requests' => 3,   'window' => 3600], // 3 محاولات / ساعة
+        'api'          => ['requests' => 120, 'window' => 60],   // 120 طلب / دقيقة
+        'ride'         => ['requests' => 30,  'window' => 60],   // 30 طلب / دقيقة
+        'upload'       => ['requests' => 10,  'window' => 300],  // 10 رفع / 5 دقائق
     ];
 
     public function __construct(?Redis $redis)