fix(security): add auth to FCM relay, HMAC to shamcash webhook, fix jwtconnect webhook bypass

Hamza-Ayed
2026-06-17 06:27:07 +03:00
parent d6f29802e0
commit 8c6dea5d96
3 changed files with 40 additions and 7 deletions


@@ -1,7 +1,16 @@
<?php
// send_fcm.php - FCM HTTP v1 Sender
// send_fcm.php - FCM HTTP v1 Sender (Internal use only)
header('Content-Type: application/json; charset=utf-8');
// 🔐 Require internal API key for authentication
$apiKey = $_SERVER['HTTP_X_API_KEY'] ?? '';
$expectedKey = getenv('FCM_INTERNAL_API_KEY');
if (empty($expectedKey) || !hash_equals($expectedKey, $apiKey)) {
http_response_code(403);
echo json_encode(['status' => 'error', 'message' => 'Unauthorized']);
exit;
}
$serviceAccountFile = __DIR__ . '/service-account.json';
// السماح فقط بـ POST
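Review bot: The new guard above `$serviceAccountFile` answers a missing `FCM_INTERNAL_API_KEY` and a wrong `X-API-Key` with the same silent 403, so a deployment where the variable never reaches PHP is indistinguishable from someone probing the relay, and neither case leaves a trace. Split the two cases: when `$expectedKey` is empty, call `error_log('send_fcm: FCM_INTERNAL_API_KEY is not set');` and return a 500; on a mismatch, log the rejection with the remote address (never the presented key) before the 403. Separately, the unchanged line `$serviceAccountFile = __DIR__ . '/service-account.json';` keeps the Google credential beside the script; if this directory is served by the web server, the file may be retrievable without any key, so confirm it is denied or move it outside the document root. The script continues past this hunk, so the POST check and the send logic are not visible here.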