first commit
This commit is contained in:
Hamza-Ayed
88
backend/login.php
Normal file
88
backend/login.php
Normal file
@@ -0,0 +1,88 @@
|
||||
<?php
|
||||
// ============================================================
|
||||
// login.php — تجديد توكن الراكب
|
||||
// ============================================================
|
||||
|
||||
require_once __DIR__ . '/core/bootstrap.php';
|
||||
|
||||
header('Content-Type: application/json');
|
||||
header('Access-Control-Allow-Origin: https://intaleqapp.com');
|
||||
header('Access-Control-Allow-Methods: POST, OPTIONS');
|
||||
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP');
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
|
||||
http_response_code(200);
|
||||
exit;
|
||||
}
|
||||
|
||||
$startTime = microtime(true);
|
||||
|
||||
try {
|
||||
$limiter = new RateLimiter($redis);
|
||||
$limiter->enforce(RateLimiter::identifier(), 'login');
|
||||
|
||||
$passengerId = filterRequest('id');
|
||||
$fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
|
||||
$audience = filterRequest('aud');
|
||||
|
||||
if (empty($passengerId) || empty($fingerprint) || empty($audience)) {
|
||||
jsonError('Missing required parameters', 400);
|
||||
}
|
||||
|
||||
$con = Database::get('main');
|
||||
|
||||
// التحقق من الجهاز من خلال البصمة
|
||||
$stmt = $con->prepare('
|
||||
SELECT passengerID, fingerprint
|
||||
FROM tokens
|
||||
WHERE passengerID = :pid
|
||||
LIMIT 1
|
||||
');
|
||||
$stmt->execute([':pid' => $passengerId]);
|
||||
$row = $stmt->fetch();
|
||||
|
||||
$fpVerified = false;
|
||||
if ($row) {
|
||||
$fpPepper = getenv('FP_PEPPER') ?: '';
|
||||
$storedFp = $row['fingerprint'];
|
||||
|
||||
// دعم الطريقة الجديدة (hash) والقديمة (مباشر)
|
||||
if ($fpPepper) {
|
||||
$expectedHash = hash('sha256', $fingerprint . $fpPepper);
|
||||
$fpVerified = hash_equals($storedFp, $expectedHash);
|
||||
if (!$fpVerified) {
|
||||
$fpVerified = hash_equals($storedFp, $fingerprint);
|
||||
}
|
||||
} else {
|
||||
$fpVerified = hash_equals($storedFp, $fingerprint);
|
||||
}
|
||||
}
|
||||
|
||||
// وقت رد ثابت لمنع Timing Attack
|
||||
$elapsed = microtime(true) - $startTime;
|
||||
if ($elapsed < 0.1) usleep((int)((0.1 - $elapsed) * 1000000));
|
||||
|
||||
if (!$fpVerified) {
|
||||
securityLog("Invalid login fingerprint", ['passengerId' => $passengerId]);
|
||||
jsonError('Invalid credentials', 401);
|
||||
}
|
||||
|
||||
$limiter->reset(RateLimiter::identifier(), 'login');
|
||||
|
||||
$jwtService = new JwtService($redis);
|
||||
$jwt = $jwtService->generateAccessToken($passengerId, 'passenger', $audience, $fingerprint);
|
||||
// $refresh = $jwtService->generateRefreshToken($passengerId);
|
||||
|
||||
jsonSuccess([
|
||||
'jwt' => $jwt,
|
||||
// 'refresh_token' => $refresh['token'],
|
||||
'expires_in' => 3600
|
||||
]);
|
||||
|
||||
} catch (PDOException $e) {
|
||||
securityLog("Login PDO Error", ['msg' => $e->getMessage()]);
|
||||
jsonError('Database error', 500);
|
||||
} catch (Exception $e) {
|
||||
securityLog("Login Error", ['msg' => $e->getMessage()]);
|
||||
jsonError('Server error', 500);
|
||||
}
|
||||
Reference in New Issue
Block a user