Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #16: SSL pinning in all 4 Flutter apps

Browse Source 
- Created ssl_pinning.dart with SHA-256 DER hash pinning for intaleq.xyz and siromove.com
- Replaced http.post/http.get with pinned client in all CRUD classes
- Added crypto dependency to siro_admin and siro_driver pubspec
This commit is contained in:
Hamza-Ayed
2026-06-17 07:40:43 +03:00
parent 0e28814e7d
commit f528e1d3c5
10 changed files with 220 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
siro_admin/lib/controller/functions/crud.dart
View File

@@ -17,9 +17,11 @@ import '../../print.dart';
import 'device_info.dart';
import 'encrypt_decrypt.dart';
import 'security_checks.dart';
import 'ssl_pinning.dart';
class CRUD {
var dev = '';
final _client = SslPinning.createPinnedClient();
getJWT() async {
// إذا كان الأدمن مسجل دخوله بالفعل، لا تقم بتوليد توكن "ضيف" قديم
if (box.read(BoxName.driverID) != null) {
@@ -35,7 +37,7 @@ class CRUD {
'aud': '${AK.allowed}$dev',
};
Log.print('payload: ${payload}');
var response1 = await http.post(
var response1 = await _client.post(
Uri.parse(AppLink.loginJwtDriver),
body: payload,
);
@@ -85,7 +87,7 @@ class CRUD {
Log.print('URL: $link');
Log.print('Payload: $payload');
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -142,7 +144,7 @@ class CRUD {
Log.print('URL: $link');
Log.print('Payload: $payload');
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -210,7 +212,7 @@ class CRUD {
'Wallet SSO token starts with: ${mainToken.substring(0, mainToken.length > 10 ? 10 : mainToken.length)}');
// استخدام الـ SSO للسيرفر الرئيسي إذا كان الأدمن مسجل دخوله
var response1 = await http.post(
var response1 = await _client.post(
Uri.parse(AppLink.loginWalletAdminV3),
headers: {
'Authorization': 'Bearer $mainToken',
@@ -254,7 +256,7 @@ class CRUD {
'aud': '${Env.allowedWallet}${Platform.isAndroid ? 'android' : 'ios'}',
'fingerPrint': fingerPrint
};
var fallbackRes = await http.post(
var fallbackRes = await _client.post(
Uri.parse(AppLink.loginWalletAdmin),
body: payload,
);
@@ -287,7 +289,7 @@ class CRUD {
}
try {
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -345,7 +347,7 @@ class CRUD {
try {
// await LoginDriverController().getJWT();
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -397,7 +399,7 @@ class CRUD {
required String uid,
}) async {
var uid = box.read(BoxName.phone) ?? box.read(BoxName.phoneDriver);
var res = await http.get(
var res = await _client.get(
Uri.parse(
'https://repulsive-pig-rugby-shirt.cyclic.app/token?channelName=$channelName'),
headers: {'Authorization': 'Bearer ${AK.agoraAppCertificate}'});
@@ -434,7 +436,7 @@ class CRUD {
],
"temperature": 0.9
});
var response = await http.post(
var response = await _client.post(
url,
body: data,
headers: headers,
@@ -564,7 +566,7 @@ class CRUD {
],
"temperature": 0.9
});
var response = await http.post(
var response = await _client.post(
url,
body: data,
headers: headers,
@@ -613,7 +615,7 @@ class CRUD {
"receiver": phone
});
var res = await http.post(
var res = await _client.post(
Uri.parse(AppLink.sendSms),
body: body,
headers: headers,
@@ -629,7 +631,7 @@ class CRUD {
var url = Uri.parse(
link,
);
var response = await http.post(url,
var response = await _client.post(url,
body: payload, headers: {'Content-Type': 'application/json'});
var jsonData = jsonDecode(response.body);
@@ -671,7 +673,7 @@ class CRUD {
var url = Uri.parse(
link,
);
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -707,7 +709,7 @@ class CRUD {
'https://verify.twilio.com/v2/Services/$verifySid/Verifications');
// Send the verification request
final response = await http.post(
final response = await _client.post(
verificationUri,
headers: {
'Authorization':
@@ -730,7 +732,7 @@ class CRUD {
final checkUri = Uri.parse(
'https://verify.twilio.com/v2/Services/$verifySid/VerificationCheck');
final checkResponse = await http.post(
final checkResponse = await _client.post(
checkUri,
headers: {
'Authorization':
@@ -754,7 +756,7 @@ class CRUD {
var url = Uri.parse(
link,
);
var response = await http.post(
var response = await _client.post(
url,
body: payload,
);

41
siro_admin/lib/controller/functions/ssl_pinning.dart Normal file
View File

@@ -0,0 +1,41 @@
import 'dart:convert';
import 'dart:io';
import 'package:crypto/crypto.dart';
import 'package:http/http.dart' as http;
class SslPinning {
SslPinning._();
static final Map<String, List<String>> _pins = {
'intaleq.xyz': [
'/tNRUeeLxUhQU5gbgdpVWC6QBGAqc/ujg8Kcf0wQiAM=',
'Hlx/0EWNDH5Xkt2KzvqxUzbw0vvEsyZSlibialSyGqI=',
],
'siromove.com': [
'C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHESsl=',
'diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI=',
],
};
static final List<String> _globalPins = [
'Ex/Od4QBaJmloAIDqe/IDxjrvXVYBxftwVU1gJMINuw=',
'lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY=',
'aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA=',
];
static http.Client createPinnedClient() {
final httpClient = HttpClient()
..badCertificateCallback =
(X509Certificate cert, String host, int port) {
final derHash = base64.encode(sha256.convert(cert.der).bytes);
for (final entry in _pins.entries) {
if (host.endsWith(entry.key)) {
if (entry.value.contains(derHash)) return true;
}
}
if (_globalPins.contains(derHash)) return true;
return false;
};
return http.IOClient(httpClient);
}
}