fix(security): wallet race conditions - FOR UPDATE + atomic claims on payments, webhooks, bonuses

walletintaleq.intaleq.xyz/v2/main/ride/siroWallet/add.php

@@ -19,14 +19,12 @@ if (!$token || !$passenger_id || !$amount || !$payment_method) {
 }
 
 try {
-//    logDebug("Checking token validity: $token with DriverID: $driver_id");
-
-    // Choose correct table based on driverId
     $table = ($driver_id == 'passenger') ? "payment_tokens_passenger" : "payment_tokens";
-//    logDebug("table is: " . $table);
 
-    // Check if token is valid and not used
-    $stmt = $con->prepare("SELECT * FROM $table WHERE token = :token AND isUsed = FALSE");
+    $con->beginTransaction();
+
+    // Check if token is valid and not used (locked row)
+    $stmt = $con->prepare("SELECT * FROM $table WHERE token = :token AND isUsed = FALSE FOR UPDATE");
     $stmt->execute(array(':token' => $token));
     $tokenData = $stmt->fetch();
 
@@ -60,24 +58,21 @@ try {
         $stmt->bindParam(':token', $token, PDO::PARAM_STR);
 
         if ($stmt->execute()) {
-    //        logDebug("Wallet data saved successfully.");
-
-            // Mark token as used in the correct table
             $stmt = $con->prepare("UPDATE $table SET isUsed = TRUE WHERE id = :tokenID");
             $stmt->execute(array(':tokenID' => $tokenData['id']));
 
-       //     logDebug("Token marked as used in $table.");
+            $con->commit();
             printSuccess("Wallet data saved successfully");
         } else {
-        //    logDebug("Failed to save wallet data.");
+            $con->rollBack();
             printFailure("Failed to save wallet data");
         }
     } else {
-     //   logDebug("Invalid or already used token: $token");
+        $con->rollBack();
         printFailure("Invalid or already used token");
     }
 } catch (Exception $e) {
-  //  logDebug("Exception: " . $e->getMessage());
+    if ($con->inTransaction()) { $con->rollBack(); }
     error_log("[siroWallet/add] " . $e->getMessage());
     printFailure("An error occurred");
 }