Update: 2026-06-16 01:17:28

2026-06-16 01:17:29 +03:00
parent 04943e3d52
commit fc58529b09
56 changed files with 1149 additions and 1314 deletions
--- a/backend/ride/rides/add_ride.php
+++ b/backend/ride/rides/add_ride.php
@@ -18,8 +18,7 @@ try {
 // =================================================================================
 function broadcastRideToMarket($rideId, $lat, $lng, $payloadData) {
    $url = getenv('LOCATION_SOCKET_URL'); 
-    $keyPath = getenv('INTERNAL_SOCKET_KEY_PATH');
-    $INTERNAL_KEY = $keyPath && file_exists($keyPath) ? trim(file_get_contents($keyPath)) : '';
+    $INTERNAL_KEY = function_exists('getInternalSocketKey') ? getInternalSocketKey() : '';

    $marketPayload = [
        'id'            => (string)$rideId,
@@ -138,6 +137,19 @@ if (!isset($tokenData['prices'][$carType])) {
    exit;
 }

+// ✅ FIX H-05: التحقق من distance و duration في الـ token أيضاً
+if (isset($tokenData['distance']) && $tokenData['distance'] != $distance) {
+    error_log("[add_ride] Security failed — distance mismatch.");
+    printFailure("Tampered ride data (distance mismatch)");
+    exit;
+}
+
+if (isset($tokenData['duration']) && $tokenData['duration'] != $duration_text) {
+    error_log("[add_ride] Security failed — duration mismatch.");
+    printFailure("Tampered ride data (duration mismatch)");
+    exit;
+}
+
 // Securely override pricing from the cryptographically signed token
 $price = $tokenData['prices'][$carType]['price'];
 $price_for_driver = $tokenData['prices'][$carType]['driver_price'];
--- a/backend/ride/rides/get_driver_location.php
+++ b/backend/ride/rides/get_driver_location.php
@@ -4,7 +4,7 @@
 require_once __DIR__ . '/../../get_connect.php';

 // السماح بالوصول من أي دومين (لأن الرابط سيفتح في متصفح العميل)
-header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Origin: https://siromove.com");
 header("Content-Type: application/json; charset=UTF-8");

    $rideID = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
--- a/backend/ride/rides/public_track_location.php
+++ b/backend/ride/rides/public_track_location.php
@@ -13,7 +13,7 @@ while (ob_get_level()) {
 // ابدأ مخزناً جديداً ونظيفاً لهذا الملف فقط
 ob_start();

-header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Origin: https://siromove.com");
 header("Access-Control-Allow-Methods: GET");
 header("Content-Type: application/json; charset=UTF-8");

@@ -41,8 +41,9 @@ try {

    $driverID = $rideData['driver_id'];
    $status   = $rideData['status'];
-    $secretSalt = "Siro_Secure_Track_2025"; 
-    $generatedToken = md5(trim(strval($rideID)) . trim(strval($driverID)) . $secretSalt);
+    // ✅ FIX H-03: استبدال md5 بـ hash_hmac
+    $secretSalt = getenv('TRACKING_SECRET_SALT') ;
+    $generatedToken = hash_hmac('sha256', $rideID . $driverID, $secretSalt);

    if ($token !== $generatedToken) sendError("Invalid Token");