From 761254ab3cf5b15b78ca8f4926030497fddf0cfc Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Sat, 25 Apr 2026 11:57:41 +0300
Subject: [PATCH] Fix driver JWT handshake password checking logic

---
 app/Http/Controllers/AuthController.php | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/app/Http/Controllers/AuthController.php b/app/Http/Controllers/AuthController.php
index c5b3fa2..a570ab2 100644
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@@ -549,15 +549,20 @@ class AuthController extends Controller
 $driver = Driver::where('id', $request->input('id'))->first();
 if (!$driver) return $this->failure('User not found');
 
- // Verify the email (sent as password from Flutter) matches
- $decryptedEmail = $this->encryption->decrypt($driver->email);
- if (!$decryptedEmail) {
- // Fallback if decryption fails (e.g. invalid IV)
- if ($driver->email !== $request->input('password')) {
- return $this->failure('Security mismatch: Invalid email verification (Decryption Failed)', 403);
- }
- } elseif ($decryptedEmail !== $request->input('password') && $driver->email !== $request->input('password')) {
- return $this->failure('Security mismatch: Invalid email verification', 403);
+ // The Flutter app sends the app-level secret (passnpassenger) in the 'password' field
+ $appSecret = config('intaleq.wallet_app_password', '');
+ if ($appSecret !== '') {
+ if ($request->input('password') !== $appSecret) {
+ // Try email as fallback for old app versions
+ if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
+ return $this->failure('Security mismatch: Invalid app verification', 403);
+ }
+ }
+ } else {
+ // If app secret is not configured, fallback strictly to email
+ if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
+ return $this->failure('Security mismatch: Invalid email verification (Secret missing)', 403);
+ }
 }
 
 // Security Check: Verify fingerprint matches stored token
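Review bot: The gate on the `if ($request->input('password') !== $appSecret)` line still lets anyone who knows the shared config value — which the added comment says the Flutter app itself carries — obtain the handshake for an arbitrary `$driver->id`, and the email fallback beneath it accepts a value that is not a secret at all, so neither branch authenticates a specific driver; the fingerprint check after the hunk may bind the token to a device, but that code is outside this view. The secret comparison should also be constant-time and type-safe, since `$request->input('password')` can be `null` or an array, `!==` silently treats those as a mismatch, and `hash_equals()` throws a `TypeError` on non-strings. The legacy email fallback should be removed, or at least placed behind an explicit opt-in config flag (name to be chosen) so that a secret mismatch does not automatically fall through to it. A sketch of the secret branch follows; the enclosing method starts and ends outside the hunk.
```php
$supplied = $request->input('password');
if (!is_string($supplied) || $supplied === '') {
    return $this->failure('Security mismatch: Invalid app verification', 403);
}
$appSecret = (string) config('intaleq.wallet_app_password', '');
$secretOk = $appSecret !== '' && hash_equals($appSecret, $supplied);
// Legacy email handshake only when explicitly enabled; schedule its removal.
$legacyEmailOk = (bool) config('intaleq.allow_legacy_email_handshake', false)
    && hash_equals((string) $this->encryption->decrypt($driver->email), $supplied);
if (!$secretOk && !$legacyEmailOk) {
    return $this->failure('Security mismatch: Invalid app verification', 403);
}
// … unchanged: fingerprint check that follows the hunk …
```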