Fix #16: SSL pinning in all 4 Flutter apps

- Created ssl_pinning.dart with SHA-256 DER hash pinning for intaleq.xyz and siromove.com
- Replaced http.post/http.get with pinned client in all CRUD classes
- Added crypto dependency to siro_admin and siro_driver pubspec
Hamza-Ayed
2026-06-17 07:40:43 +03:00
parent 0e28814e7d
commit f528e1d3c5
10 changed files with 220 additions and 47 deletions


@@ -16,9 +16,11 @@ import '../../constant/api_key.dart';
import '../../views/widgets/error_snakbar.dart';
import 'gemeni.dart';
import 'upload_image.dart';
import 'ssl_pinning.dart';
class CRUD {
final NetGuard _netGuard = NetGuard();
final _client = SslPinning.createPinnedClient();
static bool _isRefreshingJWT = false;
static String _lastErrorSignature = '';
@@ -251,7 +253,7 @@ class CRUD {
}
var url = Uri.parse(link);
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -327,7 +329,7 @@ class CRUD {
final hmac = box.read(BoxName.hmac);
var url = Uri.parse(link);
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -371,7 +373,7 @@ class CRUD {
final url = Uri.parse(link);
try {
final response = await http.post(
final response = await _client.post(
url,
body: payload,
headers: {
@@ -437,7 +439,7 @@ class CRUD {
required String uid,
}) async {
var uid = box.read(BoxName.phone) ?? box.read(BoxName.phoneDriver);
var res = await http.get(
var res = await _client.get(
Uri.parse(
'https://orca-app-b2i85.ondigitalocean.app/token?channelName=$channelName'),
headers: {'Authorization': 'Bearer ${AK.agoraAppCertificate}'},
@@ -470,7 +472,7 @@ class CRUD {
],
'temperature': 0.9,
});
var response = await http.post(url, body: data, headers: headers);
var response = await _client.post(url, body: data, headers: headers);
if (response.statusCode == 200) return response.body;
return response.statusCode;
}
@@ -536,7 +538,7 @@ class CRUD {
],
'temperature': 0.9,
});
var response = await http.post(url, body: data, headers: headers);
var response = await _client.post(url, body: data, headers: headers);
if (response.statusCode == 200) return response.body;
return response.statusCode;
}
@@ -544,7 +546,7 @@ class CRUD {
Future<dynamic> postPayMob(
{required String link, Map<String, dynamic>? payload}) async {
var url = Uri.parse(link);
var response = await http.post(url,
var response = await _client.post(url,
body: payload, headers: {'Content-Type': 'application/json'});
var jsonData = jsonDecode(response.body);
if (response.statusCode == 200) {
@@ -585,7 +587,7 @@ class CRUD {
Future<dynamic> postFromDialogue(
{required String link, Map<String, dynamic>? payload}) async {
var url = Uri.parse(link);
var response = await http.post(
var response = await _client.post(
url,
body: payload,
headers: {
@@ -609,7 +611,7 @@ class CRUD {
final authToken = AK.authTokenTwillo;
final verifySid = AK.twilloRecoveryCode;
await http.post(
await _client.post(
Uri.parse(
'https://verify.twilio.com/v2/Services/$verifySid/Verifications'),
headers: {
@@ -624,7 +626,7 @@ class CRUD {
Future<dynamic> getGoogleApi(
{required String link, Map<String, dynamic>? payload}) async {
var url = Uri.parse(link);
var response = await http.post(url, body: payload);
var response = await _client.post(url, body: payload);
var jsonData = jsonDecode(response.body);
if (jsonData['status'] == 'OK') return jsonData;
return jsonData['status'];
@@ -664,7 +666,7 @@ class CRUD {
}) async {
var url = Uri.parse(link);
try {
var response = await http.get(
var response = await _client.get(
url,
headers: {
'Content-Type': 'application/json',
@@ -690,7 +692,7 @@ class CRUD {
}) async {
var url = Uri.parse(link);
try {
var response = await http.post(
var response = await _client.post(
url,
body: jsonEncode(payload),
headers: {
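Review bot: The shared `_client` now carries every request in this class, including hosts the commit message does not list as pinned: the `_client.get` to `orca-app-b2i85.ondigitalocean.app` (hunk at -437), the `_client.post` to `verify.twilio.com` (hunk at -609), and the `postPayMob` / `getGoogleApi` calls, whose `link` is supplied by the caller. ssl_pinning.dart is not shown here, so it cannot be confirmed whether the pin check is scoped per host; if it is not, these calls would presumably fail the handshake, and if unpinned hosts are silently accepted, that fallback should be written down. I would either keep `http.get`/`http.post` for the third-party endpoints or document the scope at the field, e.g. `// Pinned for intaleq.xyz and siromove.com only; other hosts get default CA validation.` Separately, `_client` is created per `CRUD` instance with an inferred type and no `close()` is visible in these hunks, so consider making it `static final` with an explicit type if one shared client is intended. The class body and every method touched here continue outside the hunks.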