Security: Fix HMAC handshake undefined variables and relax JWT issuer for V1 compatibility
@@ -861,8 +861,8 @@ class AuthController extends Controller
|
|||||||
'status' => 'success',
|
'status' => 'success',
|
||||||
'jwt' => $jwt,
|
'jwt' => $jwt,
|
||||||
'expires_in' => 900,
|
'expires_in' => 900,
|
||||||
'api_key' => $passenger->api_key ?? $driver->api_key,
|
'api_key' => $passenger->api_key,
|
||||||
'api_secret' => $passenger->api_secret ?? $driver->api_secret,
|
'api_secret' => $passenger->api_secret,
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
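Review bot: The new `'api_secret' => $passenger->api_secret` line (and its `$driver->api_secret` twin in the hunk at line 901) still returns the long-lived API secret in the JSON body next to a 900-second JWT, which the commit's undefined-variable fix does not revisit. If this secret is the key used for the HMAC handshake the commit title refers to, confirm that this response is the only delivery path, that request/response logging middleware does not capture the body, and that the client stores it rather than re-fetching it per session. A short comment such as `// Handshake response: delivers the per-client HMAC credentials once; this body must not be logged` would make that contract explicit to the next maintainer. The enclosing method starts outside the hunk, so whether `$passenger` (and `$driver` in the second hunk) is guaranteed non-null at this point cannot be seen from here.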
@@ -901,8 +901,8 @@ class AuthController extends Controller
|
|||||||
'status' => 'success',
|
'status' => 'success',
|
||||||
'jwt' => $jwt,
|
'jwt' => $jwt,
|
||||||
'expires_in' => 900,
|
'expires_in' => 900,
|
||||||
'api_key' => $passenger->api_key ?? $driver->api_key,
|
'api_key' => $driver->api_key,
|
||||||
'api_secret' => $passenger->api_secret ?? $driver->api_secret,
|
'api_secret' => $driver->api_secret,
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -38,12 +38,12 @@ class JwtAuthMiddleware
|
|||||||
try {
|
try {
|
||||||
$decoded = JWT::decode($token, new Key(config('intaleq.jwt_secret'), 'HS256'));
|
$decoded = JWT::decode($token, new Key(config('intaleq.jwt_secret'), 'HS256'));
|
||||||
|
|
||||||
// Verify issuer (defense in depth)
|
// Verify issuer (allow Tripz, Tripz-Wallet, Intaleq, or empty for compatibility)
|
||||||
$iss = $decoded->iss ?? '';
|
$iss = $decoded->iss ?? '';
|
||||||
if (!in_array($iss, ['Tripz', 'Tripz-Wallet'])) {
|
if (!empty($iss) && !in_array($iss, ['Tripz', 'Tripz-Wallet', 'Intaleq', 'Tripz-v2'])) {
|
||||||
return response()->json([
|
return response()->json([
|
||||||
'status' => 'failure',
|
'status' => 'failure',
|
||||||
'message' => 'Invalid token issuer'
|
'message' => 'Invalid token issuer: ' . $iss
|
||||||
], 401);
|
], 401);
|
||||||
}
|
}
|
||||||
|
|
||||||
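Review bot: The new condition on the `if (!empty($iss) && !in_array(...))` line lets any token with a valid signature but no `iss` claim skip issuer validation entirely, and the loose `in_array` compares a claim value the client controls with `==`, so a non-string `iss` such as `true` matches the allow-list. Use strict comparison and an explicit empty check, `if ($iss !== '' && !in_array($iss, ['Tripz', 'Tripz-Wallet', 'Intaleq', 'Tripz-v2'], true)) {`, and reject a non-string `iss` before this point rather than treating it as empty. Since the empty-issuer path is a deliberate V1 compatibility relaxation, log when it is taken and mark it with a dated TODO so the check can be tightened once V1 tokens have expired. The reflected `'Invalid token issuer: ' . $iss` also echoes an untrusted claim into the response and will raise on a non-scalar value; logging `$iss` server-side and keeping the client message generic is the safer form. The enclosing `try` block continues outside the hunk.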
|
|||||||