fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

backend/uploadImagePortrate.php

@@ -25,12 +25,13 @@ try {
     $limiter = new RateLimiter($redis);
     $limiter->enforce(RateLimiter::identifier($user_id ?? null), 'upload');
 
-    $driverID = filterRequest("driverID");
-    uploadLog("📥 Received driverID: $driverID");
+    // Force driverID from JWT — never trust user-supplied driverID
+    $driverID = $user_id;
+    uploadLog("📥 Using JWT driverID: $driverID");
 
     if (empty($driverID)) {
-        uploadLog("❌ Driver ID is missing.", 'ERROR');
-        jsonError('Driver ID is required.', 400);
+        uploadLog("❌ Driver ID from JWT is missing.", 'ERROR');
+        jsonError('Authentication required.', 400);
     }
 
     // 2. استخدام دالة الرفع الآمنة (MIME check, random name, 5MB limit)
@@ -47,8 +48,9 @@ try {
     uploadLog("✅ File moved successfully to: " . $uploadResult['path']);
 
     // 3. تحديث قاعدة البيانات ديناميكياً
-    $host = $_SERVER['HTTP_HOST'] ?? 'api.siromove.com';
-    $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
+    // Use configured domain instead of Host header to prevent host header injection
+    $host = getenv('APP_DOMAIN') ?: 'api.siromove.com';
+    $protocol = 'https';
     $linkImage = "$protocol://$host/siro/portrate_captain_image/" . $new_filename;
     
     // تأكد من أن الاتصال قادم من connect.php أو اجلبه