fix(security): wallet race conditions - FOR UPDATE + atomic claims on payments, webhooks, bonuses

walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/process_wait_compensation.php

@@ -27,8 +27,8 @@ try {
     // الخطوة 1: التحقق من التوكنات (Security Check)
     // ---------------------------------------------------------
     
-    // أ) فحص توكن السائق
-    $stmtCheckD = $con->prepare("SELECT id FROM payment_tokens WHERE token = ? AND isUsed = FALSE");
+    // أ) فحص توكن السائق (مع FOR UPDATE)
+    $stmtCheckD = $con->prepare("SELECT id FROM payment_tokens WHERE token = ? AND isUsed = FALSE FOR UPDATE");
     $stmtCheckD->execute([$tokenDriver]);
     $tokenDriverData = $stmtCheckD->fetch();
 
@@ -36,8 +36,8 @@ try {
         throw new Exception("Invalid or used Driver Token");
     }
 
-    // ب) فحص توكن الراكب
-    $stmtCheckP = $con->prepare("SELECT id FROM payment_tokens_passenger WHERE token = ? AND isUsed = FALSE");
+    // ب) فحص توكن الراكب (مع FOR UPDATE)
+    $stmtCheckP = $con->prepare("SELECT id FROM payment_tokens_passenger WHERE token = ? AND isUsed = FALSE FOR UPDATE");
     $stmtCheckP->execute([$tokenPassenger]);
     $tokenPassengerData = $stmtCheckP->fetch();