From 756980b6d7bc71e643f259f546ee44bdb0b5b4e4 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Fri, 24 Apr 2026 15:29:14 +0300
Subject: [PATCH] Security: Fix HMAC handshake undefined variables and relax JWT issuer for V1 compatibility
---
 app/Http/Controllers/AuthController.php | 8 ++++----
 app/Http/Middleware/JwtAuthMiddleware.php | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/app/Http/Controllers/AuthController.php b/app/Http/Controllers/AuthController.php
index 77773b3..d51a83f 100644
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@@ -861,8 +861,8 @@ class AuthController extends Controller
 'status' => 'success',
 'jwt' => $jwt,
 'expires_in' => 900,
- 'api_key' => $passenger->api_key ?? $driver->api_key,
- 'api_secret' => $passenger->api_secret ?? $driver->api_secret,
+ 'api_key' => $passenger->api_key,
+ 'api_secret' => $passenger->api_secret,
 ]);
 }
@@ -901,8 +901,8 @@ class AuthController extends Controller
 'status' => 'success',
 'jwt' => $jwt,
 'expires_in' => 900,
- 'api_key' => $passenger->api_key ?? $driver->api_key,
- 'api_secret' => $passenger->api_secret ?? $driver->api_secret,
+ 'api_key' => $driver->api_key,
+ 'api_secret' => $driver->api_secret,
 ]);
 }
diff --git a/app/Http/Middleware/JwtAuthMiddleware.php b/app/Http/Middleware/JwtAuthMiddleware.php
index 69e662a..24c2b27 100644
--- a/app/Http/Middleware/JwtAuthMiddleware.php
+++ b/app/Http/Middleware/JwtAuthMiddleware.php
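Review bot: In AuthController.php, with the `??` fallback removed, a passenger (hunk `@@ -861,8`) or driver (hunk `@@ -901,8`) whose `api_key` or `api_secret` is null now receives `'status' => 'success'` with null HMAC credentials; whether those columns can be null is not visible in these hunks, so this needs confirming against the model. If they can be, reject before building the response, for example `if ($passenger->api_key === null || $passenger->api_secret === null)` followed by an error return, and the same for `$driver`. Because the payload carries `api_secret` next to a JWT advertised with `'expires_in' => 900`, and the secret presumably outlives the token, it is also worth confirming that this response is sent with `Cache-Control: no-store` and is excluded from request/response logging. Both enclosing methods start outside the hunks.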
@@ -38,12 +38,12 @@ class JwtAuthMiddleware
 try {
 $decoded = JWT::decode($token, new Key(config('intaleq.jwt_secret'), 'HS256'));
- // Verify issuer (defense in depth)
+ // Verify issuer (allow Tripz, Tripz-Wallet, Intaleq, or empty for compatibility)
 $iss = $decoded->iss ?? '';
- if (!in_array($iss, ['Tripz', 'Tripz-Wallet'])) {
+ if (!empty($iss) && !in_array($iss, ['Tripz', 'Tripz-Wallet', 'Intaleq', 'Tripz-v2'])) {
 return response()->json([
 'status' => 'failure',
- 'message' => 'Invalid token issuer'
+ 'message' => 'Invalid token issuer: ' . $iss
 ], 401);
 }
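Review bot: The new `!empty($iss) &&` guard lets any validly signed token with a missing or empty `iss` claim skip the issuer allowlist, so the check no longer separates this API's tokens from anything else signed with `config('intaleq.jwt_secret')`. If V1 tokens really carry no issuer, consider putting that exemption behind a setting that can be turned off once V1 clients are retired, and log each acceptance server-side so remaining usage can be measured. Independently, pass the strict flag, `in_array($iss, ['Tripz', 'Tripz-Wallet', 'Intaleq', 'Tripz-v2'], true)`, because a non-string claim such as boolean `true` compares loosely equal to every entry. The response should stay generic (`'message' => 'Invalid token issuer'`) with the rejected value written to the server log rather than echoed to the caller; the added comment also omits `Tripz-v2`, which the list accepts. The enclosing method starts and ends outside the hunk.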