Update: 2026-06-16 02:52:06

walletintaleq.intaleq.xyz/v2/main/connect.php

@@ -2,14 +2,17 @@
 // Load environment variables from .env file
 require_once realpath(__DIR__ . '/../vendor/autoload.php');
 require_once 'load_env.php';
-$env_file = '/home/intaleq-walletintaleq/env/.env';
-loadEnvironment($env_file);
+$envFile = '/home/intaleq-walletintaleq/env/.env';
+if (!file_exists($envFile)) {
+    $envFile = __DIR__ . '/../.env';
+}
+loadEnvironment($envFile);
 
 // Get environment variables (You don't need user/pass for JWT auth itself)
 $secretKey = getenv('SECRET_KEY'); // Only need the secret key now
 
 // --- CORS Headers ---
-header("Access-Control-Allow-Origin: https://wallet.sefer.live");
+header("Access-Control-Allow-Origin: https://wallet.siromove.com");
 header("Access-Control-Allow-Methods: GET, POST, OPTIONS"); // Adjust as needed
 header("Access-Control-Allow-Headers: Content-Type, Authorization");
 header('Content-Type: application/json'); // Set content type to JSON

walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php

@@ -104,18 +104,8 @@ class EncryptionHelper {
 
 try {
     $encryptionHelper = new EncryptionHelper($key, $iv);
-
-    // ✅ Test encryption and decryption with padding matching Flutter
-     $plainText = "https://sefer.click/"; // Example plaintext
-    $encryptedText = $encryptionHelper->encryptData($plainText);
-    $decryptedText = $encryptionHelper->decryptData($encryptedText);
-/*
-     echo "🔹 Original Text: " . $plainText . PHP_EOL;
-     echo "🔹 Encrypted Text: " . $encryptedText . PHP_EOL;
-     echo "🔹 Decrypted Text: " . $decryptedText . PHP_EOL;
-*/
 } catch (Exception $e) {
-    echo "Error: " . $e->getMessage() . PHP_EOL;
+    error_log("[encrypt_decrypt] Initialization error: " . $e->getMessage());
 }
 
 ?>

walletintaleq.intaleq.xyz/v2/main/functions.php

@@ -28,7 +28,14 @@ define("MB", 1048576);
 
 function authenticateJWT(bool $isReg = false): object
 {
-    $secretKey  = trim(file_get_contents('/home/intaleq-walletintaleq/.secret_key'));
+    $keyPath = getenv('WALLET_SECRET_KEY_PATH');
+    $secretKey = '';
+    if ($keyPath && file_exists($keyPath)) {
+        $secretKey = trim(file_get_contents($keyPath));
+    }
+    if (!$secretKey) {
+        $secretKey = getenv('SECRET_KEY') ?: '';
+    }
     $hmacSecret = getenv('SECRET_KEY_HMAC');
     $fpPepper   = getenv('FP_PEPPER');
 

walletintaleq.intaleq.xyz/v2/main/load_env.php

@@ -1,12 +1,17 @@
 <?php
-function loadEnvironment() {
- 
-    $externalEnv = '/home/intaleq-walletintaleq/env/.env';
-
-    if (file_exists($externalEnv)) {
-        $env_file = $externalEnv;
+function loadEnvironment($env_file = null) {
+  
+    if ($env_file && file_exists($env_file)) {
+        // use provided path
     } else {
-        error_log("❌ .env not found in both locations.");
+        $env_file = '/home/intaleq-walletintaleq/env/.env';
+        if (!file_exists($env_file)) {
+            $env_file = __DIR__ . '/../.env';
+        }
+    }
+
+    if (!file_exists($env_file)) {
+        error_log("❌ .env not found: $env_file");
         return false;
     }
 

walletintaleq.intaleq.xyz/v2/main/loginWallet.php

@@ -1,141 +0,0 @@
-<?php
-
-require_once realpath(__DIR__ . '/../vendor/autoload.php');
-require_once 'load_env.php';
-$env_file = '/home/intaleq-wallet/env/.env';
-loadEnvironment($env_file);
-use Firebase\JWT\JWT;
-use Firebase\JWT\Key;
-
-// Retrieve environment variables - Check for existence
-//$secretKey = getenv('SECRET_KEY');
-$secretKey = trim(file_get_contents('/home/intaleq-wallet/.secret_key'));
-$allowed1 = getenv('allowed1');
-$allowed2 = getenv('allowed2');
-
-// $allowed1 = getenv('allowedWallet1');
-// $allowed2 = getenv('allowedWallet2');
-
-$issuer = 'Tripz-Wallet';  // You might want to put this in the .env file too
-$allowedAudiences = [$allowed1, $allowed2];
-$passwordnewpassenger = getenv('passwordnewpassenger');  // Hashed password
-
-// include "connect.php";
-include "functions.php";
-
-
-// Validate that required environment variables are set
-if (!$secretKey || !$passwordnewpassenger || empty($allowedAudiences)) {
-    error_log("Missing required environment variables.");
-    http_response_code(500);
-    exit(json_encode(['error' => 'Server configuration error: Missing environment variables.']));
-}
-
-// CORS Headers - Be specific in production
-header('Content-Type: application/json');
-header("Access-Control-Allow-Origin: https://wallet.sefer.live");  // Replace * with your Flutter app's origin
-header("Access-Control-Allow-Methods: POST, OPTIONS");
-header("Access-Control-Allow-Headers: Content-Type, Authorization");
-// MED FIX: إضافة Security Headers
-header('X-Content-Type-Options: nosniff');
-header('X-Frame-Options: DENY');
-header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
-header("Referrer-Policy: strict-origin-when-cross-origin");
-header("X-XSS-Protection: 1; mode=block");
-
-// Handle preflight OPTIONS requests
-if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
-    http_response_code(200);
-    exit;
-}
-
-try {
-    $id = filterRequest('id') ?? '';
-    $password = filterRequest('password') ?? '';
-    $audience = filterRequest('aud') ?? '';
-    $dbname = getenv('dbname');
-    // Input validation - More specific
-    if (empty($id)) {
-        throw new InvalidArgumentException("ID is required.");
-    }
-    if (empty($password)) {
-        throw new InvalidArgumentException("Password is required.");
-    }
-    if (empty($audience)) {
-        throw new InvalidArgumentException("Audience is required.");
-    }
-    if (!in_array($audience, $allowedAudiences)) {
-        http_response_code(400); // Bad Request
-        exit(json_encode(['error' => 'Invalid audience']));
-    }
-
-$fingerPrint = filterRequest('fingerPrint') ?? '';
-
-if (empty($fingerPrint)) {
-    throw new InvalidArgumentException("Device fingerprint is required.");
-}
-$dbuser = getenv('USER');    // Get DB user here, consistent naming
-$dbpass = getenv('PASS');    // Get DB password here
- if (password_verify($password, $passwordnewpassenger)) {
-// Fetch token data from the database
-$dsn = "mysql:host=localhost;dbname=$dbname;charset=utf8mb4";
-    $options = [
-        PDO::ATTR_EMULATE_PREPARES => false,
-        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
-        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
-        PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES UTF8"
-    ];
-    $con = new PDO($dsn, $dbuser, $dbpass, $options);
-    $sql = "SELECT `id`, `token`, `passengerID`, `fingerPrint` FROM `tokens` WHERE `passengerID` = :passengerID";
-    $stmt = $con->prepare($sql);
-    $stmt->bindParam(':passengerID', $id, PDO::PARAM_STR);
-    $stmt->execute();
-    $tokenData = $stmt->fetch(PDO::FETCH_ASSOC);
-
-
-
-  /*
-
-    // Verify fingerprint
-     if (!$tokenData) { //|| !hash_equals($tokenData['fingerPrint'], $fingerPrint)) {
-         http_response_code(403); // Forbidden
-         exit(json_encode(['error' => 'Device fingerprint verification failed']));
-     }   
-
-    */
-        $payload = [
-    'user_id' => $id,
-    'fingerPrint' => $fingerPrint,
-    'exp' => time() + 60,
-    'iat' => time(),
-    'iss' => $issuer,
-    'aud' => $audience
-];
-
-$jwt = JWT::encode($payload, $secretKey, 'HS256');
-$hmac = hash_hmac('sha256', $id, getenv('SECRET_KEY_HMAC'));
-
-        echo json_encode([
-            'status' => 'success',
-            'jwt' => $jwt,
-            'hmac' => $hmac,
-            // 'refresh_token' => $refreshToken,
-            'expires_in' => 300
-        ]);
-        http_response_code(200);
-
- }else{
-     echo 'fffff';
- }
-
-} catch (InvalidArgumentException $e) {
-    // HIGH-05 FIX: لا تكشف رسائل الخطأ من الاستثناءات مباشرة
-    error_log("Input validation error: " . $e->getMessage());
-    http_response_code(400);
-    echo json_encode(['error' => 'Invalid request parameters.']);
-} catch (Exception $e) {
-    // HIGH-05 FIX: لا تكشف رسائل الخطأ الداخلية
-    error_log("Server error: " . $e->getMessage());
-    http_response_code(500);
-    echo json_encode(['error' => 'An unexpected error occurred.']);
-}