Fix: Applied correct V1 secret keys for passenger vs driver wallet tokens

2026-04-24 01:30:10 +03:00
parent d9039aaf14
commit 2745b307a9
2 changed files with 13 additions and 6 deletions
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@@ -472,7 +472,9 @@ class AuthController extends Controller
        }

        // ── 3. Success -> Generate Token ────────────────────────
-        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300);
+        // V1 Note: Passenger wallet used .secret_key (jwt_secret)
+        $secret = config('intaleq.jwt_secret');
+        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300, $secret);
        $hmac = hash_hmac('sha256', $request->input('id'), config('intaleq.wallet_hmac_secret'));

        return $this->success([
@@ -540,7 +542,9 @@ class AuthController extends Controller
        }

        // ── 3. Success -> Generate Token ────────────────────────
-        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300);
+        // V1 Note: Driver wallet used .secret_key_pay (wallet_jwt_secret)
+        $secret = config('intaleq.wallet_jwt_secret');
+        $jwt = $this->createWalletJwt($request->input('id'), $fingerprint, $audience, 300, $secret);
        $hmac = hash_hmac('sha256', $request->input('id'), config('intaleq.wallet_hmac_secret'));

        return $this->success([
@@ -761,7 +765,7 @@ class AuthController extends Controller
    // HELPERS
    // ══════════════════════════════════════════════

-    private function createWalletJwt(string $userId, string $fingerprint, string $audience, int $expiry = 60): string
+    private function createWalletJwt(string $userId, string $fingerprint, string $audience, int $expiry = 300, ?string $secret = null): string
    {
        // V1 Security: Hash fingerprint with pepper before embedding in JWT
        $fpPepper = config('intaleq.fp_pepper', '');
@@ -769,14 +773,17 @@ class AuthController extends Controller

        $payload = [
            'user_id' => $userId,
+            'sub' => $userId,
            'fingerPrint' => $hashedFp,
            'exp' => time() + $expiry,
            'iat' => time(),
            'iss' => 'Tripz-Wallet',
-            'aud' => $audience
+            'aud' => $audience,
+            'jti' => bin2hex(random_bytes(16)),
        ];

-        return JWT::encode($payload, config('intaleq.wallet_jwt_secret'), 'HS256');
+        $key = $secret ?? config('intaleq.wallet_jwt_secret');
+        return JWT::encode($payload, $key, 'HS256');
    }

    private function createJwt(string $userId, string $userType, string $fingerprint, int $expiry, string $audience = 'Tripz'): string