Security: Fix HMAC handshake undefined variables and relax JWT issuer for V1 compatibility

app/Http/Controllers/AuthController.php

@@ -861,8 +861,8 @@ class AuthController extends Controller
             'status' => 'success', 
             'jwt' => $jwt,
             'expires_in' => 900,
-            'api_key' => $passenger->api_key ?? $driver->api_key,
-            'api_secret' => $passenger->api_secret ?? $driver->api_secret,
+            'api_key' => $passenger->api_key,
+            'api_secret' => $passenger->api_secret,
         ]);
     }
 
@@ -901,8 +901,8 @@ class AuthController extends Controller
             'status' => 'success', 
             'jwt' => $jwt,
             'expires_in' => 900,
-            'api_key' => $passenger->api_key ?? $driver->api_key,
-            'api_secret' => $passenger->api_secret ?? $driver->api_secret,
+            'api_key' => $driver->api_key,
+            'api_secret' => $driver->api_secret,
         ]);
     }
 

app/Http/Middleware/JwtAuthMiddleware.php

@@ -38,12 +38,12 @@ class JwtAuthMiddleware
         try {
             $decoded = JWT::decode($token, new Key(config('intaleq.jwt_secret'), 'HS256'));
 
-            // Verify issuer (defense in depth)
+            // Verify issuer (allow Tripz, Tripz-Wallet, Intaleq, or empty for compatibility)
             $iss = $decoded->iss ?? '';
-            if (!in_array($iss, ['Tripz', 'Tripz-Wallet'])) {
+            if (!empty($iss) && !in_array($iss, ['Tripz', 'Tripz-Wallet', 'Intaleq', 'Tripz-v2'])) {
                 return response()->json([
                     'status' => 'failure',
-                    'message' => 'Invalid token issuer'
+                    'message' => 'Invalid token issuer: ' . $iss
                 ], 401);
             }