Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
98 Commits 2 Branches 0 Tags
f75e456aac7566c7641858881d9afb853cd47431
Commit Graph

98 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Hamza-Ayed
f75e456aac Update: 2026-06-24 16:27:39 2026-06-24 16:27:41 +03:00
Hamza-Ayed
3fcc6e76fd Update: 2026-06-24 16:19:03 2026-06-24 16:19:04 +03:00
Hamza-Ayed
2e4bf784ec Update: 2026-06-24 16:18:03 2026-06-24 16:18:03 +03:00
Hamza-Ayed
dfeea2d95a Update: 2026-06-24 16:15:00 2026-06-24 16:15:01 +03:00
Hamza-Ayed
6866e2171b Update: 2026-06-24 16:12:30 2026-06-24 16:12:30 +03:00
Hamza-Ayed
89dca66892 Update: 2026-06-24 16:08:47 2026-06-24 16:08:47 +03:00
Hamza-Ayed
4894d566a0 Update: 2026-06-24 16:04:53 2026-06-24 16:04:53 +03:00
Hamza-Ayed
3b2c2a86c6 Update: 2026-06-23 18:44:45 2026-06-23 18:44:45 +03:00
Hamza-Ayed
ed6e34cc4b Update: 2026-06-23 18:36:09 2026-06-23 18:36:09 +03:00
Hamza-Ayed
bb13eb74e8 Update: 2026-06-23 18:32:23 2026-06-23 18:32:23 +03:00
Hamza-Ayed
e4f86c5efd Update: 2026-06-23 18:27:04 2026-06-23 18:27:04 +03:00
Hamza-Ayed
4043d939f2 Update: 2026-06-23 18:21:54 2026-06-23 18:21:54 +03:00
Hamza-Ayed
f25066140f Update: 2026-06-23 18:19:33 2026-06-23 18:19:33 +03:00
Hamza-Ayed
c859b8006b Update: 2026-06-23 18:18:30 2026-06-23 18:18:30 +03:00
Hamza-Ayed
a2f4f5d304 Update: 2026-06-23 18:14:22 2026-06-23 18:14:22 +03:00
Hamza-Ayed
342611a158 Update: 2026-06-23 18:12:45 2026-06-23 18:12:45 +03:00
Hamza-Ayed
2af9859ad8 Update: 2026-06-23 18:08:22 2026-06-23 18:08:22 +03:00
Hamza-Ayed
b60e06b890 Update: 2026-06-23 18:03:42 2026-06-23 18:03:42 +03:00
Hamza-Ayed
b110e03039 Update: 2026-06-23 17:58:46 2026-06-23 17:58:46 +03:00
Hamza-Ayed
eafc04a091 Update: 2026-06-23 17:57:07 2026-06-23 17:57:07 +03:00
Hamza-Ayed
6ad7aceee1 Update: 2026-06-23 17:46:32 2026-06-23 17:46:33 +03:00
Hamza-Ayed
52c4f96976 Update: 2026-06-23 17:42:09 2026-06-23 17:42:09 +03:00
Hamza-Ayed
148ca3af1d Update: 2026-06-23 17:25:29 2026-06-23 17:25:29 +03:00
Hamza-Ayed
4e2f165d60 Update: 2026-06-23 16:25:59 2026-06-23 16:25:59 +03:00
Hamza-Ayed
c54a8f43fe Update: 2026-06-23 16:17:20 2026-06-23 16:17:20 +03:00
Hamza-Ayed
bea94ed617 Update: 2026-06-23 15:35:14 2026-06-23 15:35:14 +03:00
Hamza-Ayed
b4d054a870 Update: 2026-06-23 15:21:45 2026-06-23 15:21:45 +03:00
Hamza-Ayed
efe26c95be Update: 2026-06-22 00:31:28 2026-06-22 00:31:29 +03:00
Hamza-Ayed
e73be65a72 Update: 2026-06-21 18:58:05 2026-06-21 18:58:13 +03:00
Hamza-Ayed
b492b5076b feat: implement accessibility-based scraper service and standalone worker backend with device registration UI 2026-06-21 15:21:16 +03:00
Hamza-Ayed
ce6f22dc71 Update: 2026-06-21 03:02:56 2026-06-21 03:02:56 +03:00
Hamza-Ayed
2ac086d1fd Update: 2026-06-21 02:53:01 2026-06-21 02:53:02 +03:00
Hamza-Ayed
b2fae9ec66 Update: 2026-06-21 02:07:00 2026-06-21 02:07:00 +03:00
Hamza-Ayed
af3dcae5b7 Update: 2026-06-19 15:33:32 2026-06-19 15:33:32 +03:00
Hamza-Ayed
017bec86fa Update: 2026-06-19 14:01:15 2026-06-19 14:01:15 +03:00
Hamza-Ayed
a0495147c4 Update: 2026-06-19 02:01:34 2026-06-19 02:01:34 +03:00
Hamza-Ayed
a003bf78c4 Update: 2026-06-19 01:47:48 2026-06-19 01:47:48 +03:00
Hamza-Ayed
f13faa8c31 Update: 2026-06-18 16:46:30 2026-06-18 16:46:30 +03:00
Hamza-Ayed
8b52d2f115 feat: add Nabeh integration with phone-to-user resolution and environment configuration support 2026-06-18 14:59:24 +03:00
Hamza-Ayed
72fa97477b Update: 2026-06-17 18:22:52 2026-06-17 18:22:52 +03:00
Hamza-Ayed
b67417eb98 Add Nabeh integration: nabeh/ endpoints with NABEH_API_KEY auth 2026-06-17 18:22:45 +03:00
Hamza-Ayed
c2c4ed22e3 Fix: SSL pinning, root detection, network resilience, and compile errors 
SSL pinning (all 4 apps): IOClient import, subdomain-safe domain matching
Root detection (all 4 apps): modern Magisk/KernelSU/APatch paths
Security checks (rider/driver/admin): PlatformException -> false
Rider crud: 60s timeout, 3 retries, exponential backoff, JWT pre-validation
Driver crud: exponential backoff for TimeoutException
RxInt compile (rider/driver): 10.obs -> RxInt(10)
Admin device_info: add missing imports, fix RxInt, add package_info_plus
 2026-06-17 16:41:02 +03:00
Hamza-Ayed
264e005a7b fix: PHP syntax errors in upload files and composer config 
- Fix PHP 8.x string interpolation syntax in upload log calls
- Fix const getenv() -> runtime variable in uploadSyrianDocs.php
- Add composer security advisory ignore for firebase/php-jwt
- Run composer update to sync lock file
 2026-06-17 08:41:16 +03:00
Hamza-Ayed
2c56d2f41e Fix #24: Flutter generated plugin files + pubspec.lock after crypto dependency addition 2026-06-17 08:19:09 +03:00
Hamza-Ayed
752bbf3a63 Fix #23: JWT storage consistency across all Flutter apps 
- siro_admin: added FlutterSecureStorage write alongside GetStorage
- siro_service: added FlutterSecureStorage write in login + guest JWT flows
- siro_rider: added FlutterSecureStorage write in guest + token-refresh flows
  (full-credential login already wrote to both)
- siro_driver: already wrote to both (no change needed)
- All apps now write JWT to both GetStorage and FlutterSecureStorage
 2026-06-17 08:03:19 +03:00
Hamza-Ayed
a8748cf4c9 Fix #22: Medium-severity fixes (M-01 through M-07) 
M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN
M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete
M-03: MD5 tracking token - replaced md5() with hash_hmac sha256
M-04: Webhook SMS - absolute log path instead of relative
M-05: Weak 3-digit OTP - already noted as requirement (Fix #5)
M-06: Redis without auth - added password + prefix to cancel_ride_by_driver
M-07: SSRF bypass - str_ends_with -> strict equality in allowlist
 2026-06-17 07:58:21 +03:00
Hamza-Ayed
3543fdd2cd Fix #21: High-severity fixes (H-01 through H-06) 
H-01: Egypt document uploads - added path traversal prevention (basename),
       replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
       (ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
       driverID or user must be admin); non-admins blocked from changing
       password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
       JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
       fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
 2026-06-17 07:56:57 +03:00
Hamza-Ayed
50a5308f43 Fix #20: DDL removal from register.php, CORS policy, secret leak 
- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed  assignment in load_env.php (secrets no longer exposed in superglobal)
 2026-06-17 07:51:01 +03:00
Hamza-Ayed
2d607d9e90 Fix #19: Plaintext OTP hashing + hardcoded server paths 
- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
  - ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
  - Falls back to __DIR__-relative paths when env vars are unset
 2026-06-17 07:49:46 +03:00
Hamza-Ayed
790d58aaa2 remove temp fix script 2026-06-17 07:48:34 +03:00