fix(security): remove JWT role extraction without signature, add OTP replay protection, fix user enumeration

Hamza-Ayed
2026-06-17 06:45:53 +03:00
parent 81376a2245
commit 3dad979eb5
3 changed files with 15 additions and 37 deletions


@@ -18,17 +18,7 @@ if (empty($receiver)) {
$user_type = filterRequest("user_type");
$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? (function_exists('apache_request_headers') ? (apache_request_headers()['Authorization'] ?? null) : null);
if (!empty($authHeader) && preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
$jwtToken = $matches[1];
$tokenParts = explode('.', $jwtToken);
if (count($tokenParts) === 3) {
$payload = json_decode(base64_decode($tokenParts[1]), true);
if (isset($payload['role'])) {
$user_type = $payload['role'];
}
}
}
// user_type is taken from request only (JWT not trusted without signature verification)
$country = filterRequest("country"); // Egypt | Syria | Jordan
$method = filterRequest("method"); // whatsapp | sms | voice | flash_call | bearer_send