Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update: 2026-06-16 22:44:11

Browse Source
This commit is contained in:
Hamza-Ayed
2026-06-16 22:44:11 +03:00
parent b516fbc4ed
commit 2c3816badb
97 changed files with 10137 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/add.php
View File

@@ -1,58 +1,104 @@
<?php
/**
* driverWallet/add.php — إضافة رصيد لمحفظة السائق
*
* ═══════════════════════════════════════════════════════════════
* SECURITY FIX:
* - إضافة التحقق من ملكية الحساب (driverID == JWT user_id)
* - لف العملية في Transaction ذرية
* - استخدام FOR UPDATE لمنع Race Condition على التوكن
* - التحقق من صحة المبلغ
* ═══════════════════════════════════════════════════════════════
*/
// Include the database connection file
// Include the database connection file (calls authenticateJWT)
include "../../connect.php";
//ride/driverWallet/add.php
// Get the request parameters
$driverID = filterRequest("driverID");
$paymentID = filterRequest("paymentID");
$amount = filterRequest("amount");
// ── 1. استخراج user_id من JWT المصادق ──────────────────────────
$jwtUserId = $decodedToken->user_id ?? $decodedToken->sub ?? null;
// ── 2. استخراج والتحقق من البيانات ──────────────────────────
$driverID = filterRequest("driverID");
$paymentID = filterRequest("paymentID");
$amount = filterRequest("amount");
$paymentMethod = filterRequest("paymentMethod");
$token = filterRequest("token");
$token = filterRequest("token");
// Retrieve token details from the database
$stmt = $con->prepare("SELECT * FROM payment_tokens WHERE token = :token AND isUsed = FALSE");
$stmt->execute(array(
':token' => $token
));
$tokenData = $stmt->fetch();
if ($tokenData) {
// Add payment to the driver's wallet table
$sql = "INSERT INTO `driverWallet` (
`driverID`,
`paymentID`,
`amount`,
`paymentMethod`
) VALUES (
:driverID,
:paymentID,
:amount,
:paymentMethod
);";
$stmt = $con->prepare($sql);
$stmt->execute(array(
':driverID' => $driverID,
':paymentID' => $paymentID,
':amount' => $amount,
':paymentMethod' => $paymentMethod
));
if ($stmt->rowCount() > 0) {
// Print a success message
printSuccess("Record saved successfully");
// Mark the token as used in the database
$stmt = $con->prepare("UPDATE payment_tokens SET isUsed = TRUE WHERE id = :tokenID");
$stmt->execute(array(
':tokenID' => $tokenData['id']
));
} else {
// Print a failure message
printFailure("Failed to save record");
}
} else {
printFailure("Invalid or already used token");
if (empty($driverID) || !isset($amount) || empty($paymentMethod) || empty($token)) {
printFailure("Missing required parameters");
exit;
}
// ── 3. التحقق من ملكية الحساب ────────────────────────────────
// السائق المصادق يمكنه فقط إضافة رصيد لمحفظته الشخصية
if ($jwtUserId !== null && $driverID !== $jwtUserId) {
error_log(sprintf(
'⚠️ [SECURITY] Ownership mismatch in add.php | jwt_user=%s | requested_driverID=%s | IP=%s',
$jwtUserId, $driverID, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
));
http_response_code(403);
printFailure("Forbidden: You can only modify your own wallet");
exit;
}
// ── 4. التحقق من المبلغ ─────────────────────────────────────
$amount = floatval($amount);
if ($amount <= 0 || $amount > 1000000) {
printFailure("Invalid amount");
exit;
}
// ── 5. العملية الذرية ─────────────────────────────────────────
try {
$con->beginTransaction();
// التحقق من التوكن مع قفل السجل (FOR UPDATE) لمنع Race Condition
$stmt = $con->prepare("SELECT * FROM payment_tokens WHERE token = :token AND isUsed = FALSE FOR UPDATE");
$stmt->execute([':token' => $token]);
$tokenData = $stmt->fetch();
if ($tokenData) {
// إدخال سجل المحفظة
$sql = "INSERT INTO `driverWallet` (
`driverID`,
`paymentID`,
`amount`,
`paymentMethod`
) VALUES (
:driverID,
:paymentID,
:amount,
:paymentMethod
);";
$stmt = $con->prepare($sql);
$stmt->execute([
':driverID' => $driverID,
':paymentID' => $paymentID,
':amount' => $amount,
':paymentMethod' => $paymentMethod
]);
if ($stmt->rowCount() > 0) {
// تحديث حالة التوكن
$stmt = $con->prepare("UPDATE payment_tokens SET isUsed = TRUE WHERE id = :tokenID");
$stmt->execute([':tokenID' => $tokenData['id']]);
$con->commit();
printSuccess("Record saved successfully");
} else {
$con->rollBack();
printFailure("Failed to save record");
}
} else {
$con->rollBack();
printFailure("Invalid or already used token");
}
} catch (Exception $e) {
if ($con->inTransaction()) {
$con->rollBack();
}
error_log("[driverWallet/add] " . $e->getMessage());
printFailure("An error occurred");
}

124
walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addFromAdmin.php
View File

@@ -1,17 +1,67 @@
<?php
/**
* addFromAdmin.php — إضافة رصيد من المسؤول (Admin Only)
*
* ═══════════════════════════════════════════════════════════════
* SECURITY FIX: كان هذا الملف بدون أي مصادقة! ❌
* الآن يتطلب:
* 1. JWT مصادق (عبر authenticateJWT)
* 2. التحقق من دور المسؤول (admin role)
* 3. التحقق من المبلغ (حد أقصى)
* 4. تسجيل تدقيق لكل عملية (audit log)
* ═══════════════════════════════════════════════════════════════
*/
// Include the database connection file
include "../../jwtconnect.php";
//ride/driverWallet/add.php
// Get the request parameters
$driverID = filterRequest("driverID");
$paymentID = filterRequest("paymentID");
$amount = filterRequest("amount");
// Include the database connection WITH JWT authentication
include "../../connect.php";
// connect.php calls authenticateJWT() → 5-layer security check ✅
// ── 1. استخراج user_id من JWT المصادق ──────────────────────────
$adminUserId = $decodedToken->user_id ?? $decodedToken->sub ?? null;
$adminRole = $decodedToken->role ?? null;
// ── 2. التحقق من صلاحيات المسؤول ────────────────────────────
// فقط المسؤول يمكنه إضافة رصيد يدوياً
if ($adminRole !== 'admin' && $adminRole !== 'super_admin') {
error_log(sprintf(
'⚠️ [SECURITY] Non-admin attempted addFromAdmin | user=%s | role=%s | IP=%s',
$adminUserId,
$adminRole ?? '(null)',
$_SERVER['REMOTE_ADDR'] ?? 'unknown'
));
http_response_code(403);
printFailure("Forbidden: Admin access required");
exit;
}
// ── 3. استخراج والتحقق من البيانات ──────────────────────────
$driverID = filterRequest("driverID");
$paymentID = filterRequest("paymentID");
$amount = filterRequest("amount");
$paymentMethod = filterRequest("paymentMethod");
$phone = filterRequest("phone");
$phone = filterRequest("phone");
if (empty($driverID) || !isset($amount) || empty($paymentMethod)) {
printFailure("Missing required parameters: driverID, amount, paymentMethod");
exit;
}
// Add payment to the driver's wallet table
// ── 4. التحقق من المبلغ ─────────────────────────────────────
$amount = floatval($amount);
if ($amount <= 0 || $amount > 1000000) {
error_log(sprintf(
'⚠️ [SECURITY] Invalid amount in addFromAdmin | admin=%s | amount=%s | driverID=%s',
$adminUserId, $amount, $driverID
));
printFailure("Invalid amount: must be between 0 and 1,000,000");
exit;
}
// ── 5. العملية الذرية ─────────────────────────────────────────
try {
$con->beginTransaction();
// إدخال سجل المحفظة
$sql = "INSERT INTO `driverWallet` (
`driverID`,
`paymentID`,
@@ -25,27 +75,51 @@ $phone = filterRequest("phone");
);";
$stmt = $con->prepare($sql);
$stmt->execute(array(
':driverID' => $driverID,
':paymentID' => $paymentID,
':amount' => $amount,
$stmt->execute([
':driverID' => $driverID,
':paymentID' => $paymentID ?? ('admin_' . time() . '_' . bin2hex(random_bytes(4))),
':amount' => $amount,
':paymentMethod' => $paymentMethod
));
]);
if ($stmt->rowCount() > 0) {
// Print a success message
// ── 6. تسجيل تدقيق (Audit Log) ─────────────────────────
$auditStmt = $con->prepare(
"INSERT INTO `admin_audit_log` (`admin_id`, `action`, `table_name`, `record_id`, `details`)
VALUES (:admin_id, :action, :table_name, :record_id, :details)"
);
$auditStmt->execute([
':admin_id' => $adminUserId,
':action' => 'addFromAdmin_wallet',
':table_name' => 'driverWallet',
':record_id' => $driverID,
':details' => json_encode([
'amount' => $amount,
'paymentMethod' => $paymentMethod,
'phone' => $phone,
'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
'timestamp' => date('Y-m-d H:i:s')
], JSON_UNESCAPED_UNICODE)
]);
$con->commit();
printSuccess("Record saved successfully");
$messageBody = "تم إضافة رصيد بقيمة $amount إلى محفظتك بنجاح."; // "Balance of $amount added successfully."
sendWhatsAppFromServer($phone, $messageBody);
// Mark the token as used in the database
/* $stmt = $con->prepare("UPDATE payment_tokens SET isUsed = TRUE WHERE id = :tokenID");
$stmt->execute(array(
':tokenID' => $tokenData['id']
));*/
// إرسال إشعار واتساب للسائق
if (!empty($phone)) {
$messageBody = "تم إضافة رصيد بقيمة $amount إلى محفظتك بنجاح.";
sendWhatsAppFromServer($phone, $messageBody);
}
} else {
// Print a failure message
$con->rollBack();
printFailure("Failed to save record");
}
} catch (Exception $e) {
if ($con->inTransaction()) {
$con->rollBack();
}
error_log("[addFromAdmin] Error: " . $e->getMessage());
printFailure("An error occurred");
}

12
walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/sendEmailTransfer.php
View File

@@ -91,28 +91,28 @@ if ($language === 'ar') {
</head>
<body>
<div class='container'>
<img src='https://lh3.googleusercontent.com/a/ACg8ocLe5TgvmTjoFx7KjIoWGxX0G2ryKBTzUZi2-mBYb9DI1dsKQ0WEYh5ZPdnA3WeFbp9VnaTNzJuA0w8S4RiQ7042AKrOwXo3=s576-c-no' alt='SEFER App Logo' style='width: 150px; margin: 20px auto; display: block;'>
<img src='https://lh3.googleusercontent.com/a/ACg8ocLe5TgvmTjoFx7KjIoWGxX0G2ryKBTzUZi2-mBYb9DI1dsKQ0WEYh5ZPdnA3WeFbp9VnaTNzJuA0w8S4RiQ7042AKrOwXo3=s576-c-no' alt='SIRO App Logo' style='width: 150px; margin: 20px auto; display: block;'>
<h1>Your SEFER Transfer Details</h1>
<h1>Your SIRO Transfer Details</h1>
<p>Thank you for using our service. We hope you have a great day!</p>
<p>We want to inform you that an amount of $amount has been transferred from your account to the new driver: $newDriverName (Phone: $driverPhone).</p>
<p>Regards,<br> SEFER Team</p>
<p>Regards,<br> SIRO Team</p>
</div>
</body>
</html>";
}
// Email headers
$supportEmail = 'seferteam@sefer.live';
$supportEmail = 'siroteam@siro.live';
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=UTF-8\r\n";
$headers .= "From: $supportEmail\r\n";
// Send email
if (!empty($driverEmail)) {
if (mail($driverEmail, "Your SEFER Transfer Details", $bodyEmail, $headers)) {
if (mail($driverEmail, "Your SIRO Transfer Details", $bodyEmail, $headers)) {
mail($newEmail, "Your SEFER Transfer Details", $bodyEmail, $headers);
mail($newEmail, "Your SIRO Transfer Details", $bodyEmail, $headers);
echo "Email sent successfully.";
} else {
echo "Email sending failed.";

8
walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/transfer.php
View File

@@ -84,7 +84,7 @@ try {
$paymentID2 = "transfer_recv_" . time() . bin2hex(random_bytes(4));
$token1 = bin2hex(random_bytes(32));
$token2 = bin2hex(random_bytes(32));
$seferToken = bin2hex(random_bytes(32));
$siroToken = bin2hex(random_bytes(32));
// 4. Deduct from Sender (payments table)
$deductAmount = -$amount;
@@ -108,12 +108,12 @@ try {
':token' => $token2
]);
// 6. Add Fee to Sefer Wallet
$stmt = $con->prepare("INSERT INTO seferWallet (amount, paymentMethod, passengerId, token, driverId)
// 6. Add Fee to Siro Wallet
$stmt = $con->prepare("INSERT INTO siroWallet (amount, paymentMethod, passengerId, token, driverId)
VALUES (:fee, 'payout fee', 'driver', :token, :senderID)");
$stmt->execute([
':fee' => $fee,
':token' => $seferToken,
':token' => $siroToken,
':senderID' => $senderID
]);