Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #19: Plaintext OTP hashing + hardcoded server paths

Browse Source 
- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
  - ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
  - Falls back to __DIR__-relative paths when env vars are unset
This commit is contained in:
Hamza-Ayed
2026-06-17 07:49:46 +03:00
parent 790d58aaa2
commit 2d607d9e90
5 changed files with 15 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
backend/Admin/auth/loginWallet.php
View File

@@ -22,12 +22,13 @@ if ($admin->role !== 'admin' && $admin->role !== 'super_admin') {
}
try {
// جلب المفتاح المشترك لسيرفر المحفظة
$payKeyPath = '/home/siro-api/.secret_key_pay';
$payKey = file_exists($payKeyPath) ? trim(file_get_contents($payKeyPath)) : getenv('SECRET_KEY_PAY');
// جلب المفتاح المشترك لسيرفر المحفظة من متغير البيئة أو الملف
$payKeyPath = getenv('SECRET_KEY_PAY_PATH');
$payKey = ($payKeyPath && file_exists($payKeyPath)) ? trim(file_get_contents($payKeyPath)) : getenv('SECRET_KEY_PAY');
if (empty($payKey)) {
$payKey = trim(@file_get_contents('/home/siro-api/.secret_key'));
$fallbackPath = getenv('SECRET_KEY_PATH');
$payKey = ($fallbackPath && file_exists($fallbackPath)) ? trim(file_get_contents($fallbackPath)) : null;
}
if (empty($payKey)) {