Update: 2026-06-29 01:10:32
@@ -1,10 +0,0 @@
|
|||||||
<?php
|
|
||||||
require_once __DIR__ . '/backend/core/bootstrap.php';
|
|
||||||
try {
|
|
||||||
$con = Database::get('main');
|
|
||||||
$con->exec("ALTER TABLE adminUser ADD COLUMN country VARCHAR(100) DEFAULT 'Jordan'");
|
|
||||||
echo "SUCCESS: Added country column to adminUser\n";
|
|
||||||
} catch (Exception $e) {
|
|
||||||
echo "INFO: " . $e->getMessage() . "\n";
|
|
||||||
}
|
|
||||||
unlink(__FILE__);
|
|
||||||
@@ -120,9 +120,10 @@ NABEH_API_KEY=<CHANGE_ME_SHARED_SECRET>
|
|||||||
SECRET_KEY_HMAC=<CHANGE_ME_HMAC_SECRET_FOR_SIGNED_URLS>
|
SECRET_KEY_HMAC=<CHANGE_ME_HMAC_SECRET_FOR_SIGNED_URLS>
|
||||||
|
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
# Security Configuration - Fingerprint
|
# Security Configuration - Fingerprint & Testers
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
FP_PEPPER=<CHANGE_ME_FINGERPRINT_PEPPER>
|
FP_PEPPER=<CHANGE_ME_FINGERPRINT_PEPPER>
|
||||||
|
ALLOWED_TESTER_EMAILS=driver_tester@siromove.com,passenger_tester@siromove.com
|
||||||
|
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
# Gemini AI Configuration
|
# Gemini AI Configuration
|
||||||
|
|||||||
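Review bot: `ALLOWED_TESTER_EMAILS` is added with no comment on its format and, unlike the neighbouring `<CHANGE_ME_...>` entries, ships concrete values rather than a placeholder. A line above it such as `# Comma-separated e-mail addresses permitted to use the tester login endpoints` would make the expected format explicit to whoever fills in this template. Whether real addresses belong in the committed template is worth deciding deliberately, since the driver login script in this same commit falls back to these two values when the variable is empty.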
@@ -11,6 +11,31 @@ $password = filterRequest('password');
|
|||||||
$audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي
|
$audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي
|
||||||
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
|
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
|
||||||
|
|
||||||
|
// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
|
||||||
|
$rateLimiter = new RateLimiter($redis);
|
||||||
|
$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
|
||||||
|
|
||||||
|
if (!$email || !$password) {
|
||||||
|
echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
|
||||||
|
$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
|
||||||
|
$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
|
||||||
|
if (empty($allowedEmails)) {
|
||||||
|
$allowedEmails = [
|
||||||
|
'driver_tester@siromove.com',
|
||||||
|
'passenger_tester@siromove.com',
|
||||||
|
];
|
||||||
|
}
|
||||||
|
$cleanEmail = strtolower(trim($email));
|
||||||
|
$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
|
||||||
|
if (!$isTester) {
|
||||||
|
echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
// تشفير الإيميل لاستخدامه في الاستعلام
|
// تشفير الإيميل لاستخدامه في الاستعلام
|
||||||
$encryptedEmail = $encryptionHelper->encryptData($email);
|
$encryptedEmail = $encryptionHelper->encryptData($email);
|
||||||
|
|
||||||
|
|||||||
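Review bot: The tester gate `$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';` admits any address ending in `@siromove.com`, so the `ALLOWED_TESTER_EMAILS` allowlist and its two-entry fallback never restrict anything on that domain, which contradicts the "Only tester accounts are allowed" message. If an allowlist is intended, drop the suffix clause and compare strictly, since the list comes from a string split: `$isTester = in_array($cleanEmail, $allowedEmails, true);`. If company-domain access is intended instead, say so in the `// 2.` comment and the message, and use `str_ends_with($cleanEmail, '@siromove.com')` rather than the hard-coded length 13. The same gate is duplicated in the passenger login hunk below. Note also that the gate checks the lowercased `$cleanEmail` while the lookup encrypts the raw `$email`; `$email` and `$redis` are assigned outside the hunk.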
@@ -9,11 +9,27 @@ $password = filterRequest("password");
|
|||||||
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
|
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
|
||||||
$audience = filterRequest('aud') ?: 'siro_passenger';
|
$audience = filterRequest('aud') ?: 'siro_passenger';
|
||||||
|
|
||||||
|
// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
|
||||||
|
$rateLimiter = new RateLimiter($redis);
|
||||||
|
$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
|
||||||
|
|
||||||
if (!$email || !$password) {
|
if (!$email || !$password) {
|
||||||
echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
|
echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
|
||||||
|
$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
|
||||||
|
$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
|
||||||
|
|
||||||
|
|
||||||
|
$cleanEmail = strtolower(trim($email));
|
||||||
|
$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
|
||||||
|
if (!$isTester) {
|
||||||
|
echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$con = Database::get('main');
|
$con = Database::get('main');
|
||||||
|
|
||||||
|
|||||||
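Review bot: This copy of the tester gate has no fallback when `ALLOWED_TESTER_EMAILS` is empty, unlike the driver hunk above: `$allowedEmails` becomes `[]` and only the domain-suffix clause can admit anyone, so the two endpoints behave differently under the same configuration. Rather than copying the six-line `if (empty($allowedEmails)) { ... }` fallback here, prefer removing the hard-coded addresses from the driver script so the environment variable is the single source of truth, and move allowlist parsing plus the `$isTester` check into one shared helper so the two scripts cannot drift again. The surrounding script, including the assignments of `$email` and `$redis`, starts outside the hunk.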
@@ -10,12 +10,13 @@ class RateLimiter
|
|||||||
|
|
||||||
// حدود مختلفة لكل نوع endpoint
|
// حدود مختلفة لكل نوع endpoint
|
||||||
private const LIMITS = [
|
private const LIMITS = [
|
||||||
'login' => ['requests' => 5, 'window' => 60], // 5 محاولات / دقيقة
|
'login' => ['requests' => 5, 'window' => 60], // 5 محاولات / دقيقة
|
||||||
'otp' => ['requests' => 3, 'window' => 300], // 3 محاولات / 5 دقائق
|
'tester_login' => ['requests' => 3, 'window' => 60], // 3 محاولات / دقيقة
|
||||||
'register' => ['requests' => 3, 'window' => 3600], // 3 محاولات / ساعة
|
'otp' => ['requests' => 3, 'window' => 300], // 3 محاولات / 5 دقائق
|
||||||
'api' => ['requests' => 120, 'window' => 60], // 120 طلب / دقيقة
|
'register' => ['requests' => 3, 'window' => 3600], // 3 محاولات / ساعة
|
||||||
'ride' => ['requests' => 30, 'window' => 60], // 30 طلب / دقيقة
|
'api' => ['requests' => 120, 'window' => 60], // 120 طلب / دقيقة
|
||||||
'upload' => ['requests' => 10, 'window' => 300], // 10 رفع / 5 دقائق
|
'ride' => ['requests' => 30, 'window' => 60], // 30 طلب / دقيقة
|
||||||
|
'upload' => ['requests' => 10, 'window' => 300], // 10 رفع / 5 دقائق
|
||||||
];
|
];
|
||||||
|
|
||||||
public function __construct(?Redis $redis)
|
public function __construct(?Redis $redis)
|
||||||
|
|||||||
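Review bot: The new `'tester_login'` entry does not record that both the driver and passenger tester login scripts call `enforce(RateLimiter::identifier(), 'tester_login')` with this same key, so — if `enforce()` buckets by identifier and limit name, as the call shape suggests — one client's 3-per-minute budget is shared across both endpoints. Stating that in the trailing comment, e.g. `// 3 attempts / minute, shared by driver and passenger tester login`, saves the next reader from discovering it through a 429 on the wrong endpoint. The rest of the class, including `enforce()` and `identifier()`, is outside the hunk.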