Fix driver JWT handshake password checking logic
This commit is contained in:
Hamza-Ayed
@@ -549,15 +549,20 @@ class AuthController extends Controller
|
||||
$driver = Driver::where('id', $request->input('id'))->first();
|
||||
if (!$driver) return $this->failure('User not found');
|
||||
|
||||
// Verify the email (sent as password from Flutter) matches
|
||||
$decryptedEmail = $this->encryption->decrypt($driver->email);
|
||||
if (!$decryptedEmail) {
|
||||
// Fallback if decryption fails (e.g. invalid IV)
|
||||
if ($driver->email !== $request->input('password')) {
|
||||
return $this->failure('Security mismatch: Invalid email verification (Decryption Failed)', 403);
|
||||
}
|
||||
} elseif ($decryptedEmail !== $request->input('password') && $driver->email !== $request->input('password')) {
|
||||
return $this->failure('Security mismatch: Invalid email verification', 403);
|
||||
// The Flutter app sends the app-level secret (passnpassenger) in the 'password' field
|
||||
$appSecret = config('intaleq.wallet_app_password', '');
|
||||
if ($appSecret !== '') {
|
||||
if ($request->input('password') !== $appSecret) {
|
||||
// Try email as fallback for old app versions
|
||||
if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
||||
return $this->failure('Security mismatch: Invalid app verification', 403);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// If app secret is not configured, fallback strictly to email
|
||||
if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
||||
return $this->failure('Security mismatch: Invalid email verification (Secret missing)', 403);
|
||||
}
|
||||
}
|
||||
|
||||
// Security Check: Verify fingerprint matches stored token
|
||||
|
||||
Reference in New Issue
Block a user