fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

backend/ride/rides/acceptRide.php

@@ -17,7 +17,8 @@ try {
 
 // ── 1. Input & Validation ──────────────────────────────────────
 $rideId = filterRequest("id");
-$driverId = filterRequest("driver_id");
+// Force driver_id from JWT — never trust user-supplied driver_id
+$driverId = $user_id;
 $status = filterRequest("status");       // القيمة التي يرسلها التطبيق: 'accepted'
 $passengerToken = filterRequest("passengerToken");
 

backend/ride/rides/add_ride.php

@@ -57,7 +57,9 @@ $start_location = filterRequest("start_location");
 $end_location = filterRequest("end_location");
 $price = filterRequest("price");
 $price_token = filterRequest("price_token");
-$passenger_id = filterRequest("passenger_id");
+
+// Force passenger_id from JWT — never trust user-supplied passenger_id
+$passenger_id = $user_id;
 $driver_id = filterRequest("driver_id") ?: 0;
 $status = filterRequest("status");
 $price_for_driver = filterRequest("price_for_driver");

backend/ride/rides/finish_ride_updates.php

@@ -34,7 +34,8 @@ define('WALLET_PAYMENT_URL', 'https://walletintaleq.intaleq.xyz/v1/main/ride/pay
 // 1. Receive Raw Parameters (NO price from client)
 // ============================================================
 $rideId         = filterRequest("rideId");
-$driver_id      = filterRequest("driver_id");
+// Force driver_id from JWT — never trust user-supplied driver_id
+$driver_id      = $user_id;
 $passengerId    = filterRequest("passengerId");
 $newStatus      = filterRequest("status");   // Expected: "Finished"
 $actualDistance = filterRequest("actualDistance");