feat: add Nabeh integration with phone-to-user resolution and environment configuration support

walletintaleq.intaleq.xyz/v2/main/jwtconnect.php

@@ -10,7 +10,8 @@
  *   Path 2: Payment Key     → PAYMENT_KEY header  
  *   Path 3: Webhook Token   → X-Auth-Token header
  *   Path 4: Cron Key / CLI  → X-Cron-Key header أو CLI execution
- *   Path 5: JWT (default)   → Authorization: Bearer <token>
+ *   Path 5: Nabeh API Key   → X-API-Key header (server-to-server من منصة نبه)
+ *   Path 6: JWT (default)   → Authorization: Bearer <token>
  *
  * أي طلب بدون أي مصادقة → يُرفض تلقائياً من authenticateJWT()
  * ═══════════════════════════════════════════════════════════════
@@ -40,7 +41,7 @@ if (in_array($origin, $allowedOrigins)) {
     header("Access-Control-Allow-Origin: https://walletintaleq.intaleq.xyz");
 }
 header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
-header("Access-Control-Allow-Headers: Content-Type, Authorization, X-S2S-Api-Key, PAYMENT_KEY, X-Auth-Token, X-Cron-Key, X-HMAC-Auth, X-Device-FP");
+header("Access-Control-Allow-Headers: Content-Type, Authorization, X-S2S-Api-Key, PAYMENT_KEY, X-Auth-Token, X-Cron-Key, X-HMAC-Auth, X-Device-FP, X-API-Key");
 header('Content-Type: application/json');
 
 // Handle preflight requests (OPTIONS)
@@ -118,7 +119,17 @@ try {
         }
     }
 
-    // --- Path 5 (DEFAULT): JWT Authentication ---
+    // --- Path 5: Nabeh API Key (server-to-server من منصة نبه) ---
+    if (!$authMethod) {
+        $nabehKey = $_SERVER['HTTP_X_API_KEY'] ?? '';
+        $expectedNabeh = getenv('NABEH_API_KEY');
+
+        if (!empty($nabehKey) && !empty($expectedNabeh) && hash_equals($expectedNabeh, $nabehKey)) {
+            $authMethod = 'NABEH';
+        }
+    }
+
+    // --- Path 6 (DEFAULT): JWT Authentication ---
     // إذا لم يتم التعرف على أي مسار آخر، يُفرض JWT.
     // authenticateJWT() ستُرجع 401 وتوقف التنفيذ إذا لم يكن هناك JWT صالح.
     if (!$authMethod) {