From 50a5308f43b872a4095488840d18fe49ec82c63d Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Wed, 17 Jun 2026 07:51:01 +0300
Subject: [PATCH] Fix #20: DDL removal from register.php, CORS policy, secret leak

- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed assignment in load_env.php (secrets no longer exposed in superglobal)
---
 backend/Admin/auth/register.php | 6 ------
 backend/core/bootstrap.php | 8 +++++++-
 backend/load_env.php | 1 -
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/backend/Admin/auth/register.php b/backend/Admin/auth/register.php
index aa40e81..f0e1496 100644
--- a/backend/Admin/auth/register.php
+++ b/backend/Admin/auth/register.php
@@ -53,12 +53,6 @@ try {
 $encPhone = $encPhoneInput;
 $encFp = $encryptionHelper->encryptData($fingerprint);
- // التأكد من وجود عمود phone و status في الجدول
- try {
- $con->exec("ALTER TABLE adminUser ADD COLUMN phone VARCHAR(255) NULL AFTER name");
- $con->exec("ALTER TABLE adminUser ADD COLUMN status VARCHAR(50) DEFAULT 'pending' AFTER role");
- } catch (Exception $e) { /* الأعمدة موجودة مسبقاً */ }
-
 // 4. الإدخال في قاعدة البيانات بحالة pending
 $sql = "INSERT INTO adminUser (id, fingerprint, fingerprint_hash, name, phone, password, role, status, created_at) VALUES (:id, :fp, :fp_hash, :name, :phone, :pass, 'admin', 'pending', NOW())";
diff --git a/backend/core/bootstrap.php b/backend/core/bootstrap.php
index 444e216..b048ba5 100644
--- a/backend/core/bootstrap.php
+++ b/backend/core/bootstrap.php
@@ -34,7 +34,13 @@ header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
 header("X-XSS-Protection: 1; mode=block");
-// CORS (يجب تخصيصه في endpoints مخصصة إن لزم، لكن هذا افتراضي)
+// CORS مع التحقق من المصدر المسموح
+$allowedOrigins = array_map('trim', explode(',', getenv('CORS_ALLOWED_ORIGINS') ?: 'https://siromove.com,https://admin.siromove.com'));
+$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+if (in_array($origin, $allowedOrigins)) {
+ header("Access-Control-Allow-Origin: $origin");
+ header('Access-Control-Allow-Credentials: true');
+}
 header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
 header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP, X-HMAC-Auth, X-Internal-Key');
diff --git a/backend/load_env.php b/backend/load_env.php
index 38c666a..38cfc1a 100644
--- a/backend/load_env.php
+++ b/backend/load_env.php
@@ -15,7 +15,6 @@ function loadEnvironment($env_file) {
 $value = trim($value, "\"'");
 putenv("$keyName=$value");
 $_ENV[$keyName] = $value;
-$_SERVER[$keyName] = $value;
 }
 }
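Review bot: The new origin check echoes a per-request `Access-Control-Allow-Origin` without ever sending `Vary: Origin`, so a shared cache or CDN in front of this backend can store the response produced for one allowed origin and replay it, `Access-Control-Allow-Credentials: true` included, to a request from a different origin. Add `header('Vary: Origin');` before the `if`, and because `$origin` defaults to `''` while a trailing comma or blank entry in `CORS_ALLOWED_ORIGINS` leaves an empty string in `$allowedOrigins` after `trim`, reject the empty case and compare strictly: `if ($origin !== '' && in_array($origin, $allowedOrigins, true)) {`. Wrapping the `array_map` result in `array_filter` would also drop blank entries at the source. Note that `getenv(...) ?: '...'` falls back to the hard-coded origins whenever the variable is unset or empty, so an operator cannot switch CORS off by clearing it; if that is intended, a one-line comment saying so would save the next reader a surprise. Whether an OPTIONS preflight is short-circuited after this block cannot be seen from the hunk.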
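Review bot: The `$_ENV[$keyName] = $value;` line kept directly above the removed assignment still places every parsed value, secrets included, in a superglobal, so the commit message's claim that secrets are "no longer exposed in superglobal" holds only for `$_SERVER`; `$_ENV` is dumped just as readily by `phpinfo()`, `var_dump($GLOBALS)` or a debug page. If nothing reads `$_ENV` directly, drop that line as well and let callers use `getenv()`, which the `putenv()` call on the preceding line already serves; if something does depend on it, document the remaining exposure with a comment such as `// NOTE: values stay readable via $_ENV and getenv(); never echo either in error output`. The enclosing `loadEnvironment()` begins before this hunk, so whether `$_ENV` is consumed elsewhere cannot be confirmed from here.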