Security hardening: fixed 13 vulnerabilities, added AI-powered SupportController (Gemini), and stabilized Flutter Complaint logic

app/Http/Controllers/PromoController.php

@@ -24,8 +24,10 @@ class PromoController extends Controller
         $passengerId = $request->attributes->get('_jwt_user_id');
 
         $promos = DB::connection('primary')->table('promos')
-            ->where('passengerID', $passengerId)
-            ->orWhere('passengerID', 'none')
+            ->where(function ($q) use ($passengerId) {
+                $q->where('passengerID', $passengerId)
+                  ->orWhere('passengerID', 'none');
+            })
             ->where(function ($q) {
                 $q->whereNull('validity_end_date')
                   ->orWhere('validity_end_date', '>=', now()->toDateString());
@@ -93,8 +95,11 @@ class PromoController extends Controller
     /** PUT /v2/promos/{id} */
     public function update(Request $request, int $id): JsonResponse
     {
+        $passengerId = $request->attributes->get('_jwt_user_id');
+
         DB::connection('primary')->table('promos')
             ->where('id', $id)
+            ->where('passengerID', $passengerId)
             ->update(array_filter([
                 'promo_code' => $request->input('promo_code'),
                 'amount' => $request->input('amount'),
@@ -106,9 +111,13 @@ class PromoController extends Controller
     }
 
     /** DELETE /v2/promos/{id} */
-    public function destroy(int $id): JsonResponse
+    public function destroy(Request $request, int $id): JsonResponse
     {
-        DB::connection('primary')->table('promos')->where('id', $id)->delete();
+        $passengerId = $request->attributes->get('_jwt_user_id');
+        DB::connection('primary')->table('promos')
+            ->where('id', $id)
+            ->where('passengerID', $passengerId)
+            ->delete();
         return response()->json(['status' => 'success']);
     }
 }