first commit

backend/loginJwtDriver.php

@@ -0,0 +1,95 @@
+<?php
+// ============================================================
+// loginJwtDriver.php — تجديد توكن السائق
+// ============================================================
+
+require_once __DIR__ . '/core/bootstrap.php';
+
+header('Content-Type: application/json; charset=utf-8');
+header('Access-Control-Allow-Origin: https://intaleqapp.com');
+header('Access-Control-Allow-Methods: POST, OPTIONS');
+header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP');
+
+if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+    http_response_code(204);
+    exit;
+}
+
+$startTime = microtime(true);
+
+function unauthorizedDriver(): never {
+    global $startTime;
+    $elapsed = microtime(true) - $startTime;
+    if ($elapsed < 0.1) usleep((int)((0.1 - $elapsed) * 1000000));
+    jsonError('Invalid driver credentials', 401);
+}
+
+try {
+    $limiter = new RateLimiter($redis);
+    $limiter->enforce(RateLimiter::identifier(), 'login');
+
+    $id          = filterRequest('id');
+    $audience    = filterRequest('aud');
+    $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint'); 
+
+    $aud1 = getenv('allowedDriver1');
+    $aud2 = getenv('allowedDriver2');
+    $allowedAudiences = array_values(array_filter([$aud1, $aud2]));
+
+    if (empty($id) || empty($audience)) {
+        jsonError('Missing required fields', 400);
+    }
+
+    if (!in_array($audience, $allowedAudiences, true)) {
+        jsonError('Invalid audience', 400);
+    }
+
+    $con = Database::get('main');
+    $pepper = getenv('SECRET_KEY_HMAC');
+
+    $stmt = $con->prepare('
+        SELECT id, phone, national_number, email, password
+        FROM driver
+        WHERE id = :id
+        LIMIT 1
+    ');
+    $stmt->execute([':id' => $id]);
+    $driver = $stmt->fetch();
+
+    if (!$driver || empty($driver['password'])) {
+        unauthorizedDriver();
+    }
+
+    $decPhone = !empty($driver['phone']) ? $encryptionHelper->decryptData($driver['phone']) : null;
+    $decNat   = !empty($driver['national_number']) ? $encryptionHelper->decryptData($driver['national_number']) : null;
+
+    if (empty($decPhone) || empty($decNat)) {
+        unauthorizedDriver();
+    }
+
+    $baseString = $driver['id'] . '|' . trim($decPhone) . '|' . trim($decNat);
+    $hmacHex    = hash_hmac('sha256', $baseString, $pepper, false);
+
+    if (!password_verify($hmacHex, $driver['password'])) {
+        unauthorizedDriver();
+    }
+
+    $limiter->reset(RateLimiter::identifier(), 'login');
+
+    $jwtService = new JwtService($redis);
+    $jwt = $jwtService->generateAccessToken($driver['id'], 'driver', $audience, $fingerprint);
+    // $refresh = $jwtService->generateRefreshToken($driver['id']);
+
+    jsonSuccess([
+        'jwt' => $jwt,
+        // 'refresh_token' => $refresh['token'],
+        'expires_in' => 14400
+    ]);
+
+} catch (PDOException $e) {
+    securityLog("LoginDriver PDO Error", ['msg' => $e->getMessage()]);
+    jsonError('Database error', 500);
+} catch (Exception $e) {
+    securityLog("LoginDriver Error", ['msg' => $e->getMessage()]);
+    jsonError('Server error', 500);
+}