fix(security): fix login AND logic to OR, add signup input validation, separate OTP rate limit keys

backend/auth/login.php

@@ -6,8 +6,23 @@ $email = filterRequest('email');
 $phone = filterRequest('phone');
 $password = filterRequest('password');
 
-// Hash the password
-$hashed_password = password_hash($password, PASSWORD_DEFAULT);
+if (empty($phone) && empty($email)) {
+    echo json_encode(["status" => "Failure", "data" => "Phone or email is required."]);
+    exit;
+}
+
+// Build WHERE dynamically: support phone-only, email-only, or both
+$conditions = [];
+$params = [':password' => $password];
+if (!empty($phone)) {
+    $conditions[] = "passengers.phone = :phone";
+    $params[':phone'] = $phone;
+}
+if (!empty($email)) {
+    $conditions[] = "passengers.email = :email";
+    $params[':email'] = $email;
+}
+$where = implode(' OR ', $conditions);
 
 $sql = "SELECT
     passengers.`id`,
@@ -29,11 +44,9 @@ FROM
     `passengers`
 LEFT JOIN email_verifications ON email_verifications.email = passengers.email
 WHERE
-    passengers.phone = :phone AND passengers.email = :email ";
+    $where";
 $stmt = $con->prepare($sql);
-$stmt->bindParam(':email', $email);
-$stmt->bindParam(':phone', $phone);
-$stmt->execute();
+$stmt->execute($params);
 $data = $stmt->fetchAll(PDO::FETCH_ASSOC);
 $count = $stmt->rowCount();