Update: 2026-06-16 01:17:28

backend/loginAdmin.php

@@ -6,7 +6,22 @@
 require_once __DIR__ . '/core/bootstrap.php';
 
 header('Content-Type: application/json');
-header("Access-Control-Allow-Origin: " . (getenv('ALLOWED_ORIGIN') ?: '*'));
+// ✅ FIX H-03: allowlist صارم للـ Admin Origins
+$allowedOrigins = array_filter([
+    getenv('ALLOWED_ORIGIN') ?: 'https://siromove.com',
+    'http://localhost',
+    'http://127.0.0.1',
+]);
+
+$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
+if (!empty($requestOrigin)) {
+    if (in_array($requestOrigin, $allowedOrigins, true)) {
+        header("Access-Control-Allow-Origin: " . $requestOrigin);
+    } else {
+        header("Access-Control-Allow-Origin: https://siromove.com");
+    }
+}
+header("Access-Control-Allow-Credentials: true");
 header("Access-Control-Allow-Methods: POST, OPTIONS");
 header("Access-Control-Allow-Headers: Content-Type, Authorization");
 
@@ -38,9 +53,8 @@ try {
 
     $con = Database::get('main');
 
-    // ── جلب بيانات المشرف ────────────────────────────────────
-    // ملاحظة: جدول admin_users سيتم إنشاؤه في Phase 4 (db_improvements.sql)
-    $stmt = $con->prepare("SELECT id, password, email, role FROM admin_users WHERE username = :id OR email = :id LIMIT 1");
+    // ── جلب بيانات المشرف من جدول adminUser الموحد ──────────
+    $stmt = $con->prepare("SELECT id, password, email, role FROM adminUser WHERE id = :id OR email = :id LIMIT 1");
     $stmt->execute([':id' => $id]);
     $admin = $stmt->fetch();
 
@@ -73,9 +87,9 @@ try {
     }
 
 } catch (PDOException $e) {
-    securityLog("Admin Login PDO Error", ['msg' => $e->getMessage()]);
+    error_log("[Admin Login PDO Error] " . $e->getMessage());
     jsonError('Login failed: Database error', 500);
 } catch (Exception $e) {
-    securityLog("Admin Login Error", ['msg' => $e->getMessage()]);
+    error_log("[Admin Login Error] " . $e->getMessage());
     jsonError('Login failed: Server error', 500);
-}
+}