Update: 2026-06-29 01:10:32

backend/auth/captin/loginUsingCredentialsWithoutGoogle.php

@@ -11,6 +11,31 @@ $password = filterRequest('password');
 $audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي
 $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
 
+// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
+$rateLimiter = new RateLimiter($redis);
+$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
+
+if (!$email || !$password) {
+    echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
+    exit();
+}
+
+// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
+$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
+$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
+if (empty($allowedEmails)) {
+    $allowedEmails = [
+        'driver_tester@siromove.com',
+        'passenger_tester@siromove.com',
+    ];
+}
+$cleanEmail = strtolower(trim($email));
+$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
+if (!$isTester) {
+    echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
+    exit();
+}
+
 // تشفير الإيميل لاستخدامه في الاستعلام
 $encryptedEmail = $encryptionHelper->encryptData($email);