Update: 2026-06-29 01:10:32

This commit is contained in:
Hamza-Ayed
2026-06-29 01:10:32 +03:00
parent b5e2bf2fed
commit 0af4eed1ce
5 changed files with 50 additions and 17 deletions


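--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ /dev/null
@@ -1,10 +0,0 @@
-<?php
-require_once __DIR__ . '/backend/core/bootstrap.php';
-try {
-$con = Database::get('main');
-$con->exec("ALTER TABLE adminUser ADD COLUMN country VARCHAR(100) DEFAULT 'Jordan'");
-echo "SUCCESS: Added country column to adminUser\n";
-} catch (Exception $e) {
-echo "INFO: " . $e->getMessage() . "\n";
-}
-unlink(__FILE__);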


@@ -120,9 +120,10 @@ NABEH_API_KEY=<CHANGE_ME_SHARED_SECRET>
SECRET_KEY_HMAC=<CHANGE_ME_HMAC_SECRET_FOR_SIGNED_URLS> SECRET_KEY_HMAC=<CHANGE_ME_HMAC_SECRET_FOR_SIGNED_URLS>
# ============================================================================= # =============================================================================
# Security Configuration - Fingerprint # Security Configuration - Fingerprint & Testers
# ============================================================================= # =============================================================================
FP_PEPPER=<CHANGE_ME_FINGERPRINT_PEPPER> FP_PEPPER=<CHANGE_ME_FINGERPRINT_PEPPER>
ALLOWED_TESTER_EMAILS=driver_tester@siromove.com,passenger_tester@siromove.com
# ============================================================================= # =============================================================================
# Gemini AI Configuration # Gemini AI Configuration
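Review bot: The new `ALLOWED_TESTER_EMAILS` line is the only entry in this block with no comment saying what it controls, and its sample value reads like a live setting rather than the `<CHANGE_ME_...>` placeholders around it. A line above it such as `# Comma-separated allow-list of accounts accepted by the tester login endpoints (exact match after trimming)` would tell an operator what to put there. The driver tester endpoint in this commit also accepts any address ending in `@siromove.com`, so the comment should make clear that this list extends that rule rather than defining the whole set.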


@@ -11,6 +11,31 @@ $password = filterRequest('password');
$audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي $audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint'); $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
$rateLimiter = new RateLimiter($redis);
$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
if (!$email || !$password) {
echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
exit();
}
// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
if (empty($allowedEmails)) {
$allowedEmails = [
'driver_tester@siromove.com',
'passenger_tester@siromove.com',
];
}
$cleanEmail = strtolower(trim($email));
$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
if (!$isTester) {
echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
exit();
}
// تشفير الإيميل لاستخدامه في الاستعلام // تشفير الإيميل لاستخدامه في الاستعلام
$encryptedEmail = $encryptionHelper->encryptData($email); $encryptedEmail = $encryptionHelper->encryptData($email);
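Review bot: The allow-list built on the `$allowedEmails` line is only trimmed, while the submitted address is lowercased on the `$cleanEmail` line, so an entry written with any uppercase letter in ALLOWED_TESTER_EMAILS can never match; normalise both sides the same way, `$allowedEmails = array_filter(array_map(static fn (string $e): string => strtolower(trim($e)), explode(',', $allowedTesterEmailsEnv)));`, and pass `true` as the third argument of `in_array`. The `substr($cleanEmail, -13) === '@siromove.com'` branch on the `$isTester` line admits every address in that domain before any credential is checked, so the env allow-list only constrains addresses outside the company domain; if that is intended, state it in the comment above the line, otherwise drop the suffix branch so the list is the single gate. The comment on the `// 2.` line calls this an "isTest check", but nothing in the block consults an account flag, only the shape of the submitted address, so the comment should say "tester e-mail allow-list" to avoid implying a database-backed check. The same points apply to the passenger tester-login hunk later in this commit; the surrounding script continues outside this hunk.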


@@ -9,11 +9,27 @@ $password = filterRequest("password");
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint'); $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
$audience = filterRequest('aud') ?: 'siro_passenger'; $audience = filterRequest('aud') ?: 'siro_passenger';
// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
$rateLimiter = new RateLimiter($redis);
$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
if (!$email || !$password) { if (!$email || !$password) {
echo json_encode(["status" => "failure", "message" => "Email and password are required"]); echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
exit(); exit();
} }
// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
$cleanEmail = strtolower(trim($email));
$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
if (!$isTester) {
echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
exit();
}
try { try {
$con = Database::get('main'); $con = Database::get('main');
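Review bot: When ALLOWED_TESTER_EMAILS is unset, this hunk leaves `$allowedEmails` empty and relies solely on the domain-suffix branch on the `$isTester` line, whereas the driver tester-login hunk earlier in this commit falls back to two built-in addresses, so the two endpoints already disagree on who counts as a tester. The block from `$allowedTesterEmailsEnv` through `exit();` is otherwise a copy of the driver one; moving it into one shared helper (presumably next to `filterRequest` in the bootstrap) keeps both endpoints on the same rule, as sketched below. The `new RateLimiter($redis)` call uses a `$redis` whose origin is outside the hunk, and the `RateLimiter` constructor in this commit accepts `?Redis`, so it is worth confirming that `enforce()` still limits rather than silently skipping when Redis is unavailable. The enclosing script continues outside the hunk.
```php
// shared helper, e.g. in the bootstrap next to filterRequest()
function isAllowedTesterEmail(string $email): bool
{
    $allowed = array_filter(array_map(
        static fn (string $e): string => strtolower(trim($e)),
        explode(',', getenv('ALLOWED_TESTER_EMAILS') ?: ''),
    ));
    $clean = strtolower(trim($email));
    // company-domain suffix kept to preserve current behaviour; decide once, here, whether it stays
    return in_array($clean, $allowed, true) || substr($clean, -13) === '@siromove.com';
}
// … unchanged: rate limiting and the email/password presence check …
if (!isAllowedTesterEmail($email)) {
    echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
    exit();
}
```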


@@ -10,12 +10,13 @@ class RateLimiter
// حدود مختلفة لكل نوع endpoint // حدود مختلفة لكل نوع endpoint
private const LIMITS = [ private const LIMITS = [
'login' => ['requests' => 5, 'window' => 60], // 5 محاولات / دقيقة 'login' => ['requests' => 5, 'window' => 60], // 5 محاولات / دقيقة
'otp' => ['requests' => 3, 'window' => 300], // 3 محاولات / 5 دقائق 'tester_login' => ['requests' => 3, 'window' => 60], // 3 محاولات / دقيقة
'register' => ['requests' => 3, 'window' => 3600], // 3 محاولات / ساعة 'otp' => ['requests' => 3, 'window' => 300], // 3 محاولات / 5 دقائق
'api' => ['requests' => 120, 'window' => 60], // 120 طلب / دقيقة 'register' => ['requests' => 3, 'window' => 3600], // 3 محاولات / ساعة
'ride' => ['requests' => 30, 'window' => 60], // 30 طلب / دقيقة 'api' => ['requests' => 120, 'window' => 60], // 120 طلب / دقيقة
'upload' => ['requests' => 10, 'window' => 300], // 10 رفع / 5 دقائق 'ride' => ['requests' => 30, 'window' => 60], // 30 طلب / دقيقة
'upload' => ['requests' => 10, 'window' => 300], // 10 رفع / 5 دقائق
]; ];
public function __construct(?Redis $redis) public function __construct(?Redis $redis)