Update authentication logic and SDK fixes

2026-04-24 15:12:12 +03:00
parent 2745b307a9
commit 4534e8769b
18 changed files with 198 additions and 78 deletions
--- a/app/Http/Middleware/JwtAuthMiddleware.php
+++ b/app/Http/Middleware/JwtAuthMiddleware.php
@@ -38,12 +38,19 @@ class JwtAuthMiddleware
        try {
            $decoded = JWT::decode($token, new Key(config('intaleq.jwt_secret'), 'HS256'));

-            // Attach JWT claims to request
-            $request->merge([
-                '_jwt_user_id' => $decoded->user_id ?? null,
-                '_jwt_user_type' => $decoded->user_type ?? null,
-                '_jwt_fingerprint' => $decoded->fingerprint ?? null,
-            ]);
+            // Verify issuer (defense in depth)
+            $iss = $decoded->iss ?? '';
+            if (!in_array($iss, ['Tripz', 'Tripz-Wallet'])) {
+                return response()->json([
+                    'status' => 'failure',
+                    'message' => 'Invalid token issuer'
+                ], 401);
+            }
+
+            // Attach JWT claims to request attributes (internal, not spoofable via POST/GET)
+            $request->attributes->set('_jwt_user_id', $decoded->user_id ?? null);
+            $request->attributes->set('_jwt_user_type', $decoded->user_type ?? null);
+            $request->attributes->set('_jwt_fingerprint', $decoded->fingerprint ?? null);

            return $next($request);