241 lines
10 KiB
PHP
241 lines
10 KiB
PHP
<?php
|
|
// File: backend/auth/otp/verify.php
|
|
// Unified OTP verification endpoint
|
|
|
|
require_once __DIR__ . '/../../core/bootstrap.php';
|
|
require_once __DIR__ . '/../../functions.php';
|
|
|
|
// 0. Rate Limiting: 3 محاولات OTP كل 5 دقائق لكل IP
|
|
$rateLimiter = new RateLimiter($redis);
|
|
$rateLimiter->enforce(RateLimiter::identifier(), 'otp_verify');
|
|
|
|
// 1. Fetch input parameters
|
|
$phone_number = filterRequest("phone_number");
|
|
if (empty($phone_number)) {
|
|
$phone_number = filterRequest("receiver");
|
|
}
|
|
|
|
$token_code = filterRequest("token_code");
|
|
if (empty($token_code)) {
|
|
$token_code = filterRequest("token");
|
|
}
|
|
|
|
$user_type = filterRequest("user_type");
|
|
$context = filterRequest("context"); // token_change | login (default)
|
|
|
|
// user_type is taken from request only (JWT not trusted without signature verification)
|
|
|
|
if (empty($phone_number)) {
|
|
jsonError("Phone number is required.");
|
|
exit;
|
|
}
|
|
|
|
if (empty($token_code)) {
|
|
jsonError("Verification token code is required.");
|
|
exit;
|
|
}
|
|
|
|
if (empty($user_type)) {
|
|
if (strpos($_SERVER['REQUEST_URI'], 'driver') !== false) {
|
|
$user_type = 'driver';
|
|
} else {
|
|
$user_type = 'passenger';
|
|
}
|
|
}
|
|
|
|
if (empty($user_type) || !in_array($user_type, ['passenger', 'driver', 'admin', 'service'])) {
|
|
jsonError("User type must be 'passenger', 'driver', 'admin', or 'service'.");
|
|
exit;
|
|
}
|
|
|
|
// 2. Establish DB Connection
|
|
try {
|
|
$con = Database::get('main');
|
|
} catch (Exception $e) {
|
|
http_response_code(500);
|
|
exit(json_encode(['error' => 'Database connection failed']));
|
|
}
|
|
|
|
// 3. Encrypt data to query
|
|
// 4. Verify based on user type
|
|
try {
|
|
if ($user_type === 'admin') {
|
|
$sql = "SELECT * FROM token_verification_admin
|
|
WHERE expiration_time >= NOW() AND verified = 0";
|
|
$stmt = $con->prepare($sql);
|
|
$stmt->execute();
|
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
$matchedRow = null;
|
|
foreach ($rows as $row) {
|
|
$decryptedPhone = $encryptionHelper->decryptData($row['phone_number']);
|
|
$decryptedToken = $encryptionHelper->decryptData($row['token']);
|
|
if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) {
|
|
$matchedRow = $row;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ($matchedRow) {
|
|
$deviceNumber = filterRequest("device_number") ?? '';
|
|
// adminUser stores unencrypted phone
|
|
$checkAdmin = $con->prepare("SELECT * FROM adminUser WHERE name = ?");
|
|
$checkAdmin->execute([$phone_number]);
|
|
$now = date("Y-m-d H:i:s");
|
|
|
|
// Mark token as verified
|
|
$updateToken = $con->prepare("UPDATE token_verification_admin SET verified = 1 WHERE phone_number = ? AND token = ?");
|
|
$updateToken->execute([$matchedRow['phone_number'], $matchedRow['token']]);
|
|
|
|
if ($checkAdmin->rowCount() > 0) {
|
|
$update = $con->prepare("UPDATE adminUser SET device_number = ?, updated_at = ? WHERE name = ?");
|
|
$update->execute([$deviceNumber, $now, $phone_number]);
|
|
jsonSuccess(["message" => "verified and updated existing admin"]);
|
|
} else {
|
|
$insert = $con->prepare("INSERT INTO adminUser (device_number, name, created_at, updated_at) VALUES (?, ?, ?, ?)");
|
|
$insert->execute([$deviceNumber, $phone_number, $now, $now]);
|
|
jsonSuccess(["message" => "verified and new admin created"]);
|
|
}
|
|
} else {
|
|
jsonError("Your phone number could not be verified or the code is expired. Please try again.");
|
|
}
|
|
} elseif ($user_type === 'service') {
|
|
$sql = "SELECT `id`, `phone_number`, `token_code` FROM `phone_verification_service`
|
|
WHERE `expiration_time` > NOW() AND `is_verified` = 0";
|
|
$stmt = $con->prepare($sql);
|
|
$stmt->execute();
|
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
$matchedRowId = null;
|
|
foreach ($rows as $row) {
|
|
$decryptedPhone = $encryptionHelper->decryptData($row['phone_number']);
|
|
$decryptedToken = $encryptionHelper->decryptData($row['token_code']);
|
|
if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) {
|
|
$matchedRowId = $row['id'];
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ($matchedRowId) {
|
|
$sqlUpdate = "UPDATE `phone_verification_service` SET `is_verified` = 1 WHERE `id` = :id";
|
|
$stmtUpd = $con->prepare($sqlUpdate);
|
|
$stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT);
|
|
$stmtUpd->execute();
|
|
jsonSuccess(null, "Your phone number has been verified.");
|
|
} else {
|
|
jsonError("Your phone number could not be verified or the code is expired. Please try again.");
|
|
}
|
|
} elseif ($user_type === 'driver') {
|
|
if ($context === 'token_change') {
|
|
$sql = "SELECT `id`, `phone_number`, `token` FROM `token_verification_driver`
|
|
WHERE `expiration_time` > NOW() AND `verified` = 0";
|
|
$stmt = $con->prepare($sql);
|
|
$stmt->execute();
|
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
$matchedRowId = null;
|
|
foreach ($rows as $row) {
|
|
$decryptedPhone = $encryptionHelper->decryptData($row['phone_number']);
|
|
$decryptedToken = $encryptionHelper->decryptData($row['token']);
|
|
if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) {
|
|
$matchedRowId = $row['id'];
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ($matchedRowId) {
|
|
$sqlUpdate = "UPDATE `token_verification_driver` SET `verified` = 1 WHERE `id` = :id";
|
|
$stmtUpd = $con->prepare($sqlUpdate);
|
|
$stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT);
|
|
$stmtUpd->execute();
|
|
jsonSuccess(null, "Your phone number has been verified.");
|
|
} else {
|
|
jsonError("Your phone number could not be verified or the code is expired. Please try again.");
|
|
}
|
|
} else {
|
|
$sql = "SELECT `id`, `phone_number`, `token_code` FROM `phone_verification`
|
|
WHERE `expiration_time` > NOW() AND `is_verified` = 0";
|
|
$stmt = $con->prepare($sql);
|
|
$stmt->execute();
|
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
$matchedRowId = null;
|
|
foreach ($rows as $row) {
|
|
$decryptedPhone = $encryptionHelper->decryptData($row['phone_number']);
|
|
$decryptedToken = $encryptionHelper->decryptData($row['token_code']);
|
|
if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) {
|
|
$matchedRowId = $row['id'];
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ($matchedRowId) {
|
|
$sqlUpdate = "UPDATE `phone_verification` SET `is_verified` = 1 WHERE `id` = :id";
|
|
$stmtUpd = $con->prepare($sqlUpdate);
|
|
$stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT);
|
|
$stmtUpd->execute();
|
|
jsonSuccess(null, "Your phone number has been verified.");
|
|
} else {
|
|
jsonError("Your phone number could not be verified or the code is expired. Please try again.");
|
|
}
|
|
}
|
|
} else {
|
|
if ($context === 'token_change') {
|
|
$sql = "SELECT `id`, `phone_number`, `token` FROM `token_verification`
|
|
WHERE `expiration_time` > NOW() AND `verified` = 0";
|
|
$stmt = $con->prepare($sql);
|
|
$stmt->execute();
|
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
$matchedRowId = null;
|
|
foreach ($rows as $row) {
|
|
$decryptedPhone = $encryptionHelper->decryptData($row['phone_number']);
|
|
$decryptedToken = $encryptionHelper->decryptData($row['token']);
|
|
if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) {
|
|
$matchedRowId = $row['id'];
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ($matchedRowId) {
|
|
$sqlUpdate = "UPDATE `token_verification` SET `verified` = 1 WHERE `id` = :id";
|
|
$stmtUpd = $con->prepare($sqlUpdate);
|
|
$stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT);
|
|
$stmtUpd->execute();
|
|
jsonSuccess(null, "Your phone number has been verified.");
|
|
} else {
|
|
jsonError("Your phone number could not be verified or the code is expired. Please try again.");
|
|
}
|
|
} else {
|
|
$sql = "SELECT `id`, `phone_number`, `token` FROM `phone_verification_passenger`
|
|
WHERE `expiration_time` > NOW() AND `verified` = 0";
|
|
$stmt = $con->prepare($sql);
|
|
$stmt->execute();
|
|
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
|
|
$matchedRowId = null;
|
|
foreach ($rows as $row) {
|
|
$decryptedPhone = $encryptionHelper->decryptData($row['phone_number']);
|
|
$decryptedToken = $encryptionHelper->decryptData($row['token']);
|
|
if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) {
|
|
$matchedRowId = $row['id'];
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ($matchedRowId) {
|
|
$sqlUpdate = "UPDATE `phone_verification_passenger` SET `verified` = 1 WHERE `id` = :id";
|
|
$stmtUpd = $con->prepare($sqlUpdate);
|
|
$stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT);
|
|
$stmtUpd->execute();
|
|
jsonSuccess(null, "Your phone number has been verified.");
|
|
} else {
|
|
jsonError("Your phone number could not be verified or the code is expired. Please try again.");
|
|
}
|
|
}
|
|
}
|
|
} catch (PDOException $e) {
|
|
error_log("⚠️ [OTP DB Verify] Error: " . $e->getMessage());
|
|
jsonError("An error occurred during verification. Please try again.");
|
|
}
|