From 2745b307a9bd6dc24b526d65ae4db0034a4bc559 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Fri, 24 Apr 2026 01:30:10 +0300
Subject: [PATCH] Fix: Applied correct V1 secret keys for passenger vs driver wallet tokens

---
 app/Http/Controllers/AuthController.php | 17 ++++++++++++-----
 config/intaleq.php | 2 +-
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/app/Http/Controllers/AuthController.php b/app/Http/Controllers/AuthController.php
index 32ca311..fa948f1 100644
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@@ -472,7 +472,9 @@ class AuthController extends Controller
         }
 
         // ── 3. Success -> Generate Token ────────────────────────
-        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300);
+        // V1 Note: Passenger wallet used .secret_key (jwt_secret)
+        $secret = config('intaleq.jwt_secret');
+        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300, $secret);
         $hmac = hash_hmac('sha256', $request->input('id'), config('intaleq.wallet_hmac_secret'));
 
         return $this->success([
@@ -540,7 +542,9 @@ class AuthController extends Controller
         }
 
         // ── 3. Success -> Generate Token ────────────────────────
-        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300);
+        // V1 Note: Driver wallet used .secret_key_pay (wallet_jwt_secret)
+        $secret = config('intaleq.wallet_jwt_secret');
+        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300, $secret);
         $hmac = hash_hmac('sha256', $request->input('id'), config('intaleq.wallet_hmac_secret'));
 
         return $this->success([
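Review bot: The value read on the new `$secret = config('intaleq.jwt_secret');` line is never checked before it is handed to createWalletJwt, and because that helper accepts `?string $secret = null` and falls back to `config('intaleq.wallet_jwt_secret')`, an unset or empty `jwt_secret` would silently sign passenger wallet tokens with the driver wallet key — the very key separation this commit sets out to restore. Failing closed is cheap: keep `$secret = config('intaleq.jwt_secret');` and add `if (!is_string($secret) || $secret === '') { throw new \RuntimeException('intaleq.jwt_secret is not configured'); }` before the call (a bare `?? throw` would not catch the empty-string case). The same non-empty check belongs on the driver path in the second hunk (`@@ -540`), where `wallet_jwt_secret` is read. The enclosing methods start outside these hunks, and the `config/intaleq.php` portion of this patch shows `wallet_jwt_secret` but not a `jwt_secret` key, so its presence in the config file should be confirmed.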
@@ -761,7 +765,7 @@ class AuthController extends Controller
     // HELPERS
     // ══════════════════════════════════════════════
 
-    private function createWalletJwt(string $userId, string $fingerprint, string $audience, int $expiry = 60): string
+    private function createWalletJwt(string $userId, string $fingerprint, string $audience, int $expiry = 300, ?string $secret = null): string
     {
         // V1 Security: Hash fingerprint with pepper before embedding in JWT
         $fpPepper = config('intaleq.fp_pepper', '');
@@ -769,14 +773,17 @@ class AuthController extends Controller
 
         $payload = [
             'user_id' => $userId,
+            'sub' => $userId,
             'fingerPrint' => $hashedFp,
             'exp' => time() + $expiry,
             'iat' => time(),
             'iss' => 'Tripz-Wallet',
-            'aud' => $audience
+            'aud' => $audience,
+            'jti' => bin2hex(random_bytes(16)),
         ];
 
-        return JWT::encode($payload, config('intaleq.wallet_jwt_secret'), 'HS256');
+        $key = $secret ?? config('intaleq.wallet_jwt_secret');
+        return JWT::encode($payload, $key, 'HS256');
     }
 
     private function createJwt(string $userId, string $userType, string $fingerprint, int $expiry, string $audience = 'Tripz'): string
diff --git a/config/intaleq.php b/config/intaleq.php
index d15ae24..58dcefa 100644
--- a/config/intaleq.php
+++ b/config/intaleq.php
@@ -60,7 +60,7 @@ return [
     // Wallet Security
     //
     'wallet_jwt_secret' => env('WALLET_JWT_SECRET'),
-    'wallet_hmac_secret' => env('WALLET_HMAC_SECRET'),
+    'wallet_hmac_secret' => env('SECRET_KEY_HMAC'),
     'wallet_allowed_audiences' => [
         'Tripz-Wallet',
         'TripzWallet:android',
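Review bot: The default for `int $expiry` in the new createWalletJwt signature moves from 60 to 300 seconds, which is a token-lifetime change for any caller that relies on the default, and the commit message mentions only the secret-key fix. Both call sites visible in this patch pass 300 explicitly, so the default is presumably unused; if that holds, dropping it so every caller states its lifetime — `private function createWalletJwt(string $userId, string $fingerprint, string $audience, int $expiry, ?string $secret = null): string` — removes the chance of an unintended lifetime extension at a call site outside this diff. The method body continues past the end of this hunk.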
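Review bot: `$key = $secret ?? config('intaleq.wallet_jwt_secret');` still lets a null or empty configuration value reach `JWT::encode`, and the `?string $secret = null` default means a caller that omits the new argument quietly gets the shared wallet secret instead of an error. A guard before encoding keeps the helper fail-closed: `if (!is_string($key) || $key === '') { throw new \RuntimeException('wallet JWT secret is not configured'); }`. Separately, `time()` is evaluated twice, once for `exp` and once for `iat`; hoisting it into a single `$now = time();` keeps the two claims consistent across a second boundary. The added `sub` and `jti` claims are welcome for verification and replay tracking, but the verifying side is not part of this diff, so whether `jti` is actually recorded or checked there cannot be confirmed here.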
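Review bot: Switching `wallet_hmac_secret` to `env('SECRET_KEY_HMAC')` makes the HMAC key null on any deployment whose environment still sets `WALLET_HMAC_SECRET`, and the diffstat shows no `.env.example` or deployment change alongside it. The consumer visible in this patch, `hash_hmac('sha256', $request->input('id'), config('intaleq.wallet_hmac_secret'))`, would then run with an effectively empty key (PHP 8.1+ only emits a deprecation for the null), so the resulting value no longer depends on any secret. A rollout bridge such as `'wallet_hmac_secret' => env('SECRET_KEY_HMAC', env('WALLET_HMAC_SECRET')),` covers the transition, or alternatively add a boot-time check that rejects an empty value so the service fails closed rather than issuing weak tokens.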