96 lines
3.2 KiB
PHP
96 lines
3.2 KiB
PHP
<?php
|
|
// ============================================================
|
|
// loginAdmin.php — تسجيل دخول الإدارة
|
|
// ============================================================
|
|
|
|
require_once __DIR__ . '/core/bootstrap.php';
|
|
|
|
header('Content-Type: application/json');
|
|
// ✅ FIX H-03: allowlist صارم للـ Admin Origins
|
|
$allowedOrigins = array_filter([
|
|
getenv('ALLOWED_ORIGIN') ?: 'https://siromove.com',
|
|
'http://localhost',
|
|
'http://127.0.0.1',
|
|
]);
|
|
|
|
$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
|
|
if (!empty($requestOrigin)) {
|
|
if (in_array($requestOrigin, $allowedOrigins, true)) {
|
|
header("Access-Control-Allow-Origin: " . $requestOrigin);
|
|
} else {
|
|
header("Access-Control-Allow-Origin: https://siromove.com");
|
|
}
|
|
}
|
|
header("Access-Control-Allow-Credentials: true");
|
|
header("Access-Control-Allow-Methods: POST, OPTIONS");
|
|
header("Access-Control-Allow-Headers: Content-Type, Authorization");
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
|
|
http_response_code(200);
|
|
exit;
|
|
}
|
|
|
|
// ── Rate Limiting ───────────────────────────────────────────
|
|
$limiter = new RateLimiter($redis);
|
|
$limiter->enforce(RateLimiter::identifier(), 'login');
|
|
|
|
try {
|
|
$id = filterRequest('id') ?? '';
|
|
$password = filterRequest('password') ?? '';
|
|
$audience = filterRequest('aud') ?? '';
|
|
|
|
$allowed1 = getenv('allowedDriver1');
|
|
$allowed2 = getenv('allowedDriver2');
|
|
$allowedAudiences = array_values(array_filter([$allowed1, $allowed2]));
|
|
|
|
if (empty($id) || empty($password) || empty($audience)) {
|
|
jsonError('ID and password are required.', 400);
|
|
}
|
|
|
|
if (!in_array($audience, $allowedAudiences, true)) {
|
|
jsonError('Invalid audience.', 400);
|
|
}
|
|
|
|
$con = Database::get('main');
|
|
|
|
// ── جلب بيانات المشرف من جدول adminUser الموحد ──────────
|
|
$stmt = $con->prepare("SELECT id, password, email, role FROM adminUser WHERE id = :id OR email = :id LIMIT 1");
|
|
$stmt->execute([':id' => $id]);
|
|
$admin = $stmt->fetch();
|
|
|
|
$startTime = microtime(true);
|
|
|
|
if ($admin && password_verify($password, $admin['password'])) {
|
|
|
|
$limiter->reset(RateLimiter::identifier(), 'login');
|
|
|
|
$jwtService = new JwtService($redis);
|
|
|
|
// استخدام Role المخصص أو 'admin'
|
|
$role = $admin['role'] ?? 'admin';
|
|
|
|
$jwt = $jwtService->generateAccessToken($admin['id'], $role, $audience);
|
|
$refresh = $jwtService->generateRefreshToken($admin['id']);
|
|
|
|
jsonSuccess([
|
|
'jwt' => $jwt,
|
|
'refresh_token' => $refresh['token'],
|
|
'expires_in' => 900
|
|
]);
|
|
|
|
} else {
|
|
// حماية من Timing Attack
|
|
$elapsed = microtime(true) - $startTime;
|
|
if ($elapsed < 0.1) usleep((int)((0.1 - $elapsed) * 1000000));
|
|
|
|
jsonError('Invalid ID or password.', 401);
|
|
}
|
|
|
|
} catch (PDOException $e) {
|
|
error_log("[Admin Login PDO Error] " . $e->getMessage());
|
|
jsonError('Login failed: Database error', 500);
|
|
} catch (Exception $e) {
|
|
error_log("[Admin Login Error] " . $e->getMessage());
|
|
jsonError('Login failed: Server error', 500);
|
|
}
|