fix(security): fix login AND logic to OR, add signup input validation, separate OTP rate limit keys
This commit is contained in:
Hamza-Ayed
@@ -6,8 +6,23 @@ $email = filterRequest('email');
|
||||
$phone = filterRequest('phone');
|
||||
$password = filterRequest('password');
|
||||
|
||||
// Hash the password
|
||||
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
|
||||
if (empty($phone) && empty($email)) {
|
||||
echo json_encode(["status" => "Failure", "data" => "Phone or email is required."]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Build WHERE dynamically: support phone-only, email-only, or both
|
||||
$conditions = [];
|
||||
$params = [':password' => $password];
|
||||
if (!empty($phone)) {
|
||||
$conditions[] = "passengers.phone = :phone";
|
||||
$params[':phone'] = $phone;
|
||||
}
|
||||
if (!empty($email)) {
|
||||
$conditions[] = "passengers.email = :email";
|
||||
$params[':email'] = $email;
|
||||
}
|
||||
$where = implode(' OR ', $conditions);
|
||||
|
||||
$sql = "SELECT
|
||||
passengers.`id`,
|
||||
@@ -29,11 +44,9 @@ FROM
|
||||
`passengers`
|
||||
LEFT JOIN email_verifications ON email_verifications.email = passengers.email
|
||||
WHERE
|
||||
passengers.phone = :phone AND passengers.email = :email ";
|
||||
$where";
|
||||
$stmt = $con->prepare($sql);
|
||||
$stmt->bindParam(':email', $email);
|
||||
$stmt->bindParam(':phone', $phone);
|
||||
$stmt->execute();
|
||||
$stmt->execute($params);
|
||||
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||
$count = $stmt->rowCount();
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ require_once __DIR__ . '/../../functions.php';
|
||||
|
||||
// 0. Rate Limiting: 3 محاولات OTP كل 5 دقائق لكل IP
|
||||
$rateLimiter = new RateLimiter($redis);
|
||||
$rateLimiter->enforce(RateLimiter::identifier(), 'otp');
|
||||
$rateLimiter->enforce(RateLimiter::identifier(), 'otp_verify');
|
||||
|
||||
// 1. Fetch input parameters
|
||||
$phone_number = filterRequest("phone_number");
|
||||
|
||||
@@ -12,6 +12,24 @@ $gender = filterRequest("gender");
|
||||
$birthdate = filterRequest("birthdate");
|
||||
$site = filterRequest("site");
|
||||
|
||||
// --- Input Validation ---
|
||||
if (empty($phone) || strlen(preg_replace('/\D+/', '', $phone)) < 8) {
|
||||
jsonError("Valid phone number is required.");
|
||||
exit;
|
||||
}
|
||||
if (!empty($email) && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
|
||||
jsonError("Valid email address is required.");
|
||||
exit;
|
||||
}
|
||||
if (empty($password) || strlen($password) < 6) {
|
||||
jsonError("Password must be at least 6 characters.");
|
||||
exit;
|
||||
}
|
||||
if (empty($first_name) || empty($last_name)) {
|
||||
jsonError("First name and last name are required.");
|
||||
exit;
|
||||
}
|
||||
|
||||
// تشفير البيانات الحساسة
|
||||
$phone = $encryptionHelper->encryptData($phone);
|
||||
$email = $encryptionHelper->encryptData($email);
|
||||
|
||||
Reference in New Issue
Block a user