Security: Fix HMAC handshake, generate API keys in Google Login, and relax JWT issuer

app/Http/Controllers/AuthController.php

@@ -701,6 +701,14 @@ class AuthController extends Controller
             ]);
         }
 
+        // Generate API keys if missing
+        $passenger = Passenger::find($row->id);
+        if ($passenger && empty($passenger->api_key)) {
+            $this->generateApiKeys($passenger);
+            $row->api_key = $passenger->api_key;
+            $row->api_secret = $passenger->api_secret;
+        }
+
         // Decrypt sensitive fields (matching V1 behavior)
         $decryptedFields = [
             'phone', 'email', 'gender', 'birthdate', 'site',
@@ -735,21 +743,29 @@ class AuthController extends Controller
 
         $encryptedEmail = $this->encryption->encrypt($request->input('email'));
 
-        $driver = DB::connection('primary')
+        $driverRow = DB::connection('primary')
             ->table('captain')
             ->where('email', $encryptedEmail)
             ->where('id', $request->input('id'))
             ->select('captain.*', 'captain.api_key', 'captain.api_secret')
             ->first();
 
-        if (!$driver) {
+        if (!$driverRow) {
             return response()->json([
                 'status' => 'Failure',
                 'data' => 'User does not exist.',
             ]);
         }
 
-        $data = (array) $driver;
+        // Generate API keys if missing
+        $driver = Driver::find($driverRow->id);
+        if ($driver && empty($driver->api_key)) {
+            $this->generateApiKeys($driver);
+            $driverRow->api_key = $driver->api_key;
+            $driverRow->api_secret = $driver->api_secret;
+        }
+
+        $data = (array) $driverRow;
         $decryptedFields = [
             'phone', 'email', 'gender', 'birthdate',
             'first_name', 'last_name', 'national_number',