Update: 2026-06-16 01:17:28
This commit is contained in:
Hamza-Ayed
@@ -36,18 +36,18 @@ class JwtService
|
||||
|
||||
public function __construct(?Redis $redis = null)
|
||||
{
|
||||
$this->secretKey = trim(file_get_contents('/home/siro-api/.secret_key'));
|
||||
// ✅ FIX C-02: استخدام getenv بدلاً من file_get_contents الثابت
|
||||
$keyPath = getenv('JWT_SECRET_KEY_PATH');
|
||||
if ($keyPath && file_exists($keyPath)) {
|
||||
$this->secretKey = trim(file_get_contents($keyPath));
|
||||
} else {
|
||||
$this->secretKey = getenv('JWT_SECRET_KEY') ?: '';
|
||||
}
|
||||
|
||||
$this->hmacSecret = getenv('SECRET_KEY_HMAC') ?: '';
|
||||
$this->fpPepper = getenv('FP_PEPPER') ?: '';
|
||||
$this->issuer = (string)(getenv('APP_ISSUER') ?: '');
|
||||
$this->redis = $redis;
|
||||
|
||||
// Debugging fpPepper
|
||||
if (empty($this->fpPepper)) {
|
||||
error_log("[JWT_DEBUG] fpPepper is EMPTY in constructor");
|
||||
} else {
|
||||
error_log("[JWT_DEBUG] fpPepper is SET (length: " . strlen($this->fpPepper) . ")");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -144,19 +144,8 @@ class JwtService
|
||||
} catch (ExpiredException $e) {
|
||||
self::abort(401, 'Token expired');
|
||||
} catch (SignatureInvalidException $e) {
|
||||
// محاولة فك التشفير بمفتاح المحفظة (Wallet secret fallback)
|
||||
$payKeyPath = '/home/siro-api/.secret_key_pay';
|
||||
$payKey = file_exists($payKeyPath) ? trim(file_get_contents($payKeyPath)) : '';
|
||||
|
||||
if ($payKey) {
|
||||
try {
|
||||
$decoded = JWT::decode($token, new Key($payKey, self::ALGO));
|
||||
} catch (Exception $e2) {
|
||||
self::abort(401, 'Invalid token signature');
|
||||
}
|
||||
} else {
|
||||
self::abort(401, 'Invalid token signature');
|
||||
}
|
||||
// ممنوع استخدام أي مفتاح آخر - مفتاح JWT واحد فقط
|
||||
self::abort(401, 'Invalid token signature');
|
||||
} catch (BeforeValidException $e) {
|
||||
self::abort(401, 'Token not yet valid');
|
||||
} catch (Exception $e) {
|
||||
@@ -262,12 +251,11 @@ class JwtService
|
||||
$expectedHmac = hash_hmac('sha256', $payloadToSign, $userSecret);
|
||||
|
||||
if (!hash_equals($expectedHmac, $hmacHeader)) {
|
||||
$debugMsg = "User: $userId | Expected: $expectedHmac | Got: $hmacHeader | DerivedSecret: $userSecret | MasterSecret(4): " . substr($this->hmacSecret, 0, 4) . " | Body($bodyLen): '$body' | TS: '$timestamp' | Nonce: '$nonce'";
|
||||
$bodyLen = strlen($body);
|
||||
error_log("[SECURITY] HMAC mismatch | " . $debugMsg);
|
||||
// TEMPORARY: expose debug in response for diagnosis
|
||||
error_log("[SECURITY] HMAC mismatch | User: $userId | BodyLen: $bodyLen | TS: '$timestamp'");
|
||||
// ✅ FIX H-02: إزالة معلومات الـ Debug من الاستجابة
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'HMAC_DEBUG', 'debug' => $debugMsg]);
|
||||
echo json_encode(['error' => 'Request verification failed']);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
@@ -288,7 +276,13 @@ class JwtService
|
||||
{
|
||||
$keyPath = getenv('INTERNAL_SOCKET_KEY_PATH');
|
||||
$sent = $_SERVER['HTTP_X_INTERNAL_KEY'] ?? '';
|
||||
$expected = (file_exists($keyPath) ? trim(file_get_contents($keyPath)) : '') ?: 'Siro_Secure_Bridge_Key_2026_@!socket';
|
||||
$expected = '';
|
||||
if ($keyPath && file_exists($keyPath)) {
|
||||
$expected = trim(file_get_contents($keyPath));
|
||||
}
|
||||
if (!$expected) {
|
||||
$expected = getenv('INTERNAL_SOCKET_KEY');
|
||||
}
|
||||
|
||||
if (!$expected || !hash_equals($expected, $sent)) {
|
||||
error_log('[SECURITY] Invalid internal key from: ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
|
||||
|
||||
Reference in New Issue
Block a user