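<?php

declare(strict_types=1);

/*
 * Token issuance endpoint.
 *
 * A client POSTs `id`, `password`, `aud` and `fingerPrint` (read through
 * filterRequest() from functions.php). If `password` verifies against the
 * shared "new passenger" hash and `aud` is one of the configured audiences,
 * the script answers with a short-lived HS256 JWT plus an HMAC over the id:
 *   200 {status, jwt, hmac, expires_in}
 *   400 {error}  missing/invalid input or unknown audience
 *   401 {error}  password does not verify
 *   500 {error}  configuration or runtime failure (details go to error_log only)
 */

require_once realpath(__DIR__ . '/../vendor/autoload.php');
require_once 'load_env.php';

$env_file = '/home/intaleq-wallet/env/.env';
loadEnvironment($env_file);

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Send a JSON body with the given status and stop. Every exit path goes
// through here so nothing can fall through to a 200 with a non-JSON body.
$respond = static function (int $status, array $body): void {
    http_response_code($status);
    echo json_encode($body);
    exit;
};

// Coerce a filterRequest() result to a non-blank string or reject the request.
// Ints/floats are accepted as their string form; anything else (null, bool,
// array, whitespace-only) is treated as missing.
/** @param mixed $value Raw filterRequest() result. */
$requireString = static function ($value, string $label): string {
    $text = is_int($value) || is_float($value) ? (string) $value : $value;
    if (!is_string($text) || trim($text) === '') {
        throw new InvalidArgumentException($label . ' is required.');
    }
    return $text;
};

// ---------------------------------------------------------------------------
// Configuration
// ---------------------------------------------------------------------------

// JWT signing secret lives in a file rather than the environment
// (the getenv('SECRET_KEY') variant was retired). An unreadable file is
// treated as "unset" and reported below instead of emitting a warning.
$secretKeyPath = '/home/intaleq-wallet/.secret_key';
$secretKeyRaw = is_readable($secretKeyPath) ? file_get_contents($secretKeyPath) : false;
$secretKey = $secretKeyRaw === false ? '' : trim($secretKeyRaw);

// Only configured, non-empty audiences are accepted; an unset variable
// yields false from getenv() and must not become an allowed value.
$allowedAudiences = array_values(array_filter(
    [getenv('allowed1'), getenv('allowed2')],
    static fn ($aud): bool => is_string($aud) && $aud !== '',
));

$issuer = 'Tripz-Wallet'; // could move to the .env file as well
$passwordnewpassenger = getenv('passwordnewpassenger'); // password_hash() output
$hmacKey = getenv('SECRET_KEY_HMAC');
$dbname = getenv('dbname');
// NOTE(review): USER is also the login-name variable many shells export;
// confirm the .env value is the one in effect for the web server process.
$dbuser = getenv('USER');
$dbpass = getenv('PASS');

// Token lifetime in seconds. Drives both the `exp` claim (which verifiers
// enforce) and the advertised `expires_in`, which previously disagreed (300
// vs. 60).
$tokenTtl = 60;

require_once 'functions.php';

// ---------------------------------------------------------------------------
// Response headers (sent before any body, including the config-error one)
// ---------------------------------------------------------------------------

header('Content-Type: application/json');
// CORS: pinned to the wallet front-end origin rather than '*'.
header("Access-Control-Allow-Origin: https://wallet.sefer.live");
header("Access-Control-Allow-Methods: POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Authorization");
// MED FIX: security headers
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header("Referrer-Policy: strict-origin-when-cross-origin");
header("X-XSS-Protection: 1; mode=block");

// ---------------------------------------------------------------------------
// Configuration validation
// ---------------------------------------------------------------------------

$required = [
    'secret key file' => $secretKey,
    'passwordnewpassenger' => $passwordnewpassenger,
    'SECRET_KEY_HMAC' => $hmacKey,
    'dbname' => $dbname,
    'USER' => $dbuser,
];
$missing = array_keys(array_filter(
    $required,
    static fn ($value): bool => !is_string($value) || $value === '',
));
if ($allowedAudiences === []) {
    $missing[] = 'allowed1/allowed2';
}
if ($missing !== []) {
    // Names only — never the values — go to the log; the client gets a
    // generic message.
    error_log('Missing required environment variables: ' . implode(', ', $missing));
    $respond(500, ['error' => 'Server configuration error: Missing environment variables.']);
}
// An unset DB password is passed as an empty string, as before.
if (!is_string($dbpass)) {
    $dbpass = '';
}

// Handle preflight OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

// ---------------------------------------------------------------------------
// Request handling
// ---------------------------------------------------------------------------

try {
    $id = $requireString(filterRequest('id') ?? '', 'ID');
    $password = $requireString(filterRequest('password') ?? '', 'Password');
    $audience = $requireString(filterRequest('aud') ?? '', 'Audience');

    // Strict comparison: the audience must match a configured value exactly.
    if (!in_array($audience, $allowedAudiences, true)) {
        $respond(400, ['error' => 'Invalid audience']);
    }

    $fingerPrint = $requireString(filterRequest('fingerPrint') ?? '', 'Device fingerprint');

    if (!password_verify($password, $passwordnewpassenger)) {
        // Log a sanitised id (no newlines / control chars) for detection;
        // the response stays generic.
        $safeId = preg_replace('/[^A-Za-z0-9_.-]/', '?', $id);
        error_log('Password verification failed for passenger id ' . $safeId);
        $respond(401, ['error' => 'Invalid credentials.']);
    }

    // Fetch token data from the database
    $dsn = "mysql:host=localhost;dbname={$dbname};charset=utf8mb4";
    $options = [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES UTF8",
    ];
    $con = new PDO($dsn, $dbuser, $dbpass, $options);

    $stmt = $con->prepare(
        "SELECT `id`, `token`, `passengerID`, `fingerPrint` FROM `tokens` WHERE `passengerID` = :passengerID"
    );
    $stmt->execute([':passengerID' => $id]);
    $tokenData = $stmt->fetch(PDO::FETCH_ASSOC);

    // NOTE(review): the stored-fingerprint comparison below is disabled, so
    // $tokenData is fetched but never checked and whatever fingerPrint the
    // client sends is embedded in the token. When it is re-enabled, keep the
    // hash_equals() form so the comparison is constant-time.
    /*
    // Verify fingerprint
    if (!$tokenData) { //|| !hash_equals($tokenData['fingerPrint'], $fingerPrint)) {
        $respond(403, ['error' => 'Device fingerprint verification failed']);
    }
    */

    // Single timestamp so iat and exp cannot straddle a second boundary.
    $now = time();
    $payload = [
        'user_id' => $id,
        'fingerPrint' => $fingerPrint,
        'exp' => $now + $tokenTtl,
        'iat' => $now,
        'iss' => $issuer,
        'aud' => $audience,
    ];

    $jwt = JWT::encode($payload, $secretKey, 'HS256');
    // HMAC over the id with a key separate from the JWT secret; the key is
    // guaranteed non-empty by the configuration check above.
    $hmac = hash_hmac('sha256', $id, $hmacKey);

    $respond(200, [
        'status' => 'success',
        'jwt' => $jwt,
        'hmac' => $hmac,
        // 'refresh_token' => $refreshToken,
        'expires_in' => $tokenTtl,
    ]);
} catch (InvalidArgumentException $e) {
    // HIGH-05 FIX: do not expose exception messages to the client directly
    error_log("Input validation error: " . $e->getMessage());
    $respond(400, ['error' => 'Invalid request parameters.']);
} catch (Throwable $e) {
    // HIGH-05 FIX: do not expose internal error messages. Throwable (not just
    // Exception) so TypeError/Error also yield a JSON 500 instead of a raw
    // fatal whose text depends on display_errors.
    error_log("Server error: " . $e->getMessage());
    $respond(500, ['error' => 'An unexpected error occurred.']);
}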