Update: 2026-06-16 01:17:28

backend/ride/call/driver/create_call_session.php

@@ -61,7 +61,8 @@ try {
             "Content-Type: application/json"
         ],
         CURLOPT_TIMEOUT => 5,
-        CURLOPT_SSL_VERIFYPEER => false
+        CURLOPT_SSL_VERIFYPEER => true,
+        CURLOPT_SSL_VERIFYHOST => 2
     ]);
 
     $result = curl_exec($ch);

backend/ride/call/passenger/create_call_session.php

@@ -66,7 +66,8 @@ try {
             "Content-Type: application/json"
         ],
         CURLOPT_TIMEOUT => 5,
-        CURLOPT_SSL_VERIFYPEER => false
+        CURLOPT_SSL_VERIFYPEER => true,
+        CURLOPT_SSL_VERIFYHOST => 2
     ]);
 
     $result = curl_exec($ch);

backend/ride/driverWallet/transfer.php

@@ -5,30 +5,41 @@ require_once __DIR__ . '/../../connect.php';
 
 header('Content-Type: application/json');
 
-// 1. Authenticate user
-$decodedToken = authenticateJWT();
-if (!$decodedToken) {
+// 1. الـ Sender ID من JWT مباشرة (connect.php) — ممنوع استقباله من الـ request
+if (empty($user_id) || $role !== 'driver') {
+    http_response_code(403);
     echo json_encode(['status' => 'error', 'message' => 'Unauthorized']);
     exit;
 }
 
-$senderID = filterRequest('driverID');
+$senderID = $user_id;                       // ✅ من JWT
 $receiverPhone = filterRequest('receiverPhone');
 $amount = filterRequest('amount');
 $country = filterRequest('country');
 
-if (empty($senderID) || empty($receiverPhone) || empty($amount) || empty($country)) {
+if (empty($receiverPhone) || empty($amount) || empty($country)) {
     echo json_encode(['status' => 'error', 'message' => 'Missing required fields']);
     exit;
 }
 
-// Ensure the sender matches the token
-if ($decodedToken->id != $senderID) {
-     echo json_encode(['status' => 'error', 'message' => 'Unauthorized driver ID']);
-     exit;
+// 2. حد أقصى للتحويل (حسب الدولة والعملة)
+$maxAmount = 1000000; // افتراضي
+$amountInt = (int)$amount;
+if ($amountInt <= 0) {
+    echo json_encode(['status' => 'error', 'message' => 'Invalid amount']);
+    exit;
+}
+$countryLower = strtolower($country);
+if ($countryLower === 'syria')      $maxAmount = 500;
+elseif ($countryLower === 'jordan') $maxAmount = 15;
+elseif ($countryLower === 'egypt')  $maxAmount = 1000;
+
+if ($amountInt > $maxAmount) {
+    echo json_encode(['status' => 'error', 'message' => "Transfer amount exceeds maximum limit of $maxAmount"]);
+    exit;
 }
 
-// 2. Fetch Receiver details
+// 3. Fetch Receiver details
 $stmt = $con->prepare("SELECT d.id as driver_id, dt.token as fcm_token, d.name_arabic 
                        FROM driver d 
                        LEFT JOIN driverToken dt ON d.id = dt.captain_id 
@@ -48,7 +59,7 @@ if ($receiverID == $senderID) {
     exit;
 }
 
-// 3. Determine Payment Server URL based on Country
+// 4. Determine Payment Server URL based on Country
 $walletServer = "https://walletintaleq.intaleq.xyz"; // Default
 if (strtolower($country) === 'jordan') {
     $walletServer = getenv('WALLET_SERVER_JORDAN') ?: "https://walletintaleq.intaleq.xyz";
@@ -69,14 +80,14 @@ $postData = [
 
 // Generate Headers for Payment Server (Use internal payment key)
 $headers = [];
-$paymentKey = getenv('PAYMENT_KEY') ;
+$paymentKey = getenv('PAYMENT_KEY');
 
-if (!empty($paymentKey)) {
-    $headers[] = "payment-key: $paymentKey";
-} else {
-    // Fallback just in case
-    $headers[] = "payment-key: default_internal_secret_123";
+if (empty($paymentKey)) {
+    error_log("CRITICAL: PAYMENT_KEY environment variable is not set. Transfer blocked.");
+    echo json_encode(['status' => 'error', 'message' => 'Payment configuration error']);
+    exit;
 }
+$headers[] = "payment-key: $paymentKey";
 
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $paymentServerUrl);
@@ -91,7 +102,7 @@ curl_close($ch);
 
 $paymentResponse = json_decode($paymentResponseRaw, true);
 
-// 4. Handle Payment Server Response
+// 5. Handle Payment Server Response
 if ($httpCode === 200 && isset($paymentResponse['status']) && $paymentResponse['status'] === 'success') {
     // Transaction successful, send Push Notification
     if (!empty($receiver['fcm_token'])) {
@@ -118,11 +129,11 @@ if ($httpCode === 200 && isset($paymentResponse['status']) && $paymentResponse['
         'receiver' => $receiver['name_arabic']
     ]);
 } else {
-    // Payment failed or server error
+    // Payment failed or server error — ممنوع تسريب debug في الإنتاج
+    error_log("[transfer] Payment server error | HTTP: $httpCode | Response: $paymentResponseRaw");
     echo json_encode([
         'status' => 'error', 
-        'message' => $paymentResponse['message'] ?? 'Payment server error',
-        'debug' => $paymentResponseRaw
+        'message' => $paymentResponse['message'] ?? 'Payment server error'
     ]);
 }
 ?>

backend/ride/location/getUpdatedLocationForAdmin.php

@@ -5,7 +5,7 @@
 
 require_once __DIR__ . '/../../connect.php';
 
-header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Origin: https://siromove.com");
 header("Content-Type: application/json; charset=UTF-8");
 
 // تفعيل إظهار الأخطاء لمعرفة مشكلة الكتابة

backend/ride/places_syria/reverse_geocode.php

@@ -2,11 +2,20 @@
 // ضبط الهيدر لإرجاع JSON بترميز UTF-8
 header('Content-Type: application/json; charset=utf-8');
 
+require_once __DIR__ . '/../../load_env.php';
+loadEnvironment('/home/siro-api/env/.env');
+
 // --- إعدادات الاتصال بقاعدة البيانات ---
-$servername = "localhost";
-$username = "routeuser";       // <== عدّل
-$password = "VETA9mX4tSZzm6AGouIM";   // <== عدّل
-$dbname = "routedb";           // <== عدّل
+$servername = getenv('DB_REVERSE_GEO_HOST') ?: 'localhost';
+$username   = getenv('DB_REVERSE_GEO_USER') ?: '';
+$password   = getenv('DB_REVERSE_GEO_PASS') ?: '';
+$dbname     = getenv('DB_REVERSE_GEO_NAME') ?: '';
+
+if (empty($username) || empty($password) || empty($dbname)) {
+    http_response_code(500);
+    echo json_encode(['status' => 'error', 'message' => 'Database configuration error']);
+    exit;
+}
 
 // --- استقبال الإحداثيات من الطلب ---
 $input_lat = isset($_GET['lat']) ? (float)$_GET['lat'] : null;

backend/ride/pricing/get.php

@@ -286,20 +286,23 @@ foreach ($categories as $key => $carType) {
 $priceToken = "";
 if (isset($encryptionHelper)) {
     $tokenPayload = [
-        'passenger_id' => $passenger_id,
+        'passenger_id'   => $passenger_id,
         'start_location' => $passengerLat . ',' . $passengerLng,
-        'end_location' => $destLat . ',' . $destLng,
-        'expires' => time() + 180, // Valid for 3 minutes
-        'prices' => $pricesRaw
+        'end_location'   => $destLat . ',' . $destLng,
+        // ✅ FIX R6: تضمين distance و duration في الـ token لمنع التلاعب
+        'distance'       => $distance,
+        'duration'       => $duration,
+        'expires'        => time() + 180, // Valid for 3 minutes
+        'prices'         => $pricesRaw
     ];
     $priceToken = $encryptionHelper->encryptData(json_encode($tokenPayload));
 }
 
 echo json_encode([
-    'status' => 'success',
-    'data' => $prices,
-    'price_token' => $priceToken,
-    'applied_discount' => $discount,
+    'status'                => 'success',
+    'data'                  => $prices,
+    'price_token'           => $priceToken,
+    'applied_discount'      => $discount,
     'added_negative_balance' => $negativeBalance
 ]);
 ?>

backend/ride/rides/add_ride.php

@@ -18,8 +18,7 @@ try {
 // =================================================================================
 function broadcastRideToMarket($rideId, $lat, $lng, $payloadData) {
     $url = getenv('LOCATION_SOCKET_URL'); 
-    $keyPath = getenv('INTERNAL_SOCKET_KEY_PATH');
-    $INTERNAL_KEY = $keyPath && file_exists($keyPath) ? trim(file_get_contents($keyPath)) : '';
+    $INTERNAL_KEY = function_exists('getInternalSocketKey') ? getInternalSocketKey() : '';
 
     $marketPayload = [
         'id'            => (string)$rideId,
@@ -138,6 +137,19 @@ if (!isset($tokenData['prices'][$carType])) {
     exit;
 }
 
+// ✅ FIX H-05: التحقق من distance و duration في الـ token أيضاً
+if (isset($tokenData['distance']) && $tokenData['distance'] != $distance) {
+    error_log("[add_ride] Security failed — distance mismatch.");
+    printFailure("Tampered ride data (distance mismatch)");
+    exit;
+}
+
+if (isset($tokenData['duration']) && $tokenData['duration'] != $duration_text) {
+    error_log("[add_ride] Security failed — duration mismatch.");
+    printFailure("Tampered ride data (duration mismatch)");
+    exit;
+}
+
 // Securely override pricing from the cryptographically signed token
 $price = $tokenData['prices'][$carType]['price'];
 $price_for_driver = $tokenData['prices'][$carType]['driver_price'];

backend/ride/rides/get_driver_location.php

@@ -4,7 +4,7 @@
 require_once __DIR__ . '/../../get_connect.php';
 
 // السماح بالوصول من أي دومين (لأن الرابط سيفتح في متصفح العميل)
-header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Origin: https://siromove.com");
 header("Content-Type: application/json; charset=UTF-8");
 
     $rideID = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);

backend/ride/rides/public_track_location.php

@@ -13,7 +13,7 @@ while (ob_get_level()) {
 // ابدأ مخزناً جديداً ونظيفاً لهذا الملف فقط
 ob_start();
 
-header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Origin: https://siromove.com");
 header("Access-Control-Allow-Methods: GET");
 header("Content-Type: application/json; charset=UTF-8");
 
@@ -41,8 +41,9 @@ try {
 
     $driverID = $rideData['driver_id'];
     $status   = $rideData['status'];
-    $secretSalt = "Siro_Secure_Track_2025"; 
-    $generatedToken = md5(trim(strval($rideID)) . trim(strval($driverID)) . $secretSalt);
+    // ✅ FIX H-03: استبدال md5 بـ hash_hmac
+    $secretSalt = getenv('TRACKING_SECRET_SALT') ;
+    $generatedToken = hash_hmac('sha256', $rideID . $driverID, $secretSalt);
 
     if ($token !== $generatedToken) sendError("Invalid Token");