From 8ac07c4b3faff0e6740f3f6aa438c8c4dffdd710 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Fri, 24 Apr 2026 20:03:03 +0300
Subject: [PATCH] 1Scurity:6 \Fix HMAC handshake, generate API keys in Google Login, and relax JWT issuer

---
 app/Http/Controllers/AuthController.php | 57 +++++++++++++++++++++++--
 routes/api.php | 4 +-
 2 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/app/Http/Controllers/AuthController.php b/app/Http/Controllers/AuthController.php
index 7f33135..c6d21e6 100644
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@@ -189,8 +189,18 @@ class AuthController extends Controller
 $passenger = Passenger::find($request->input('id'));
 if (!$passenger) return $this->failure('User not found');
 
+ if (empty($passenger->api_key)) {
+ $this->generateApiKeys($passenger);
+ }
+
 $jwt = $this->createJwt($passenger->id, 'passenger', $request->input('fingerPrint'), 3600);
- return response()->json(['status' => 'success', 'jwt' => $jwt, 'expires_in' => 3600]);
+ return response()->json([
+ 'status' => 'success',
+ 'jwt' => $jwt,
+ 'expires_in' => 3600,
+ 'api_key' => $passenger->api_key,
+ 'api_secret' => $passenger->api_secret
+ ]);
 }
 
 public function driverJwtHandshake(Request $request): JsonResponse
@@ -200,8 +210,18 @@ class AuthController extends Controller
 $driver = Driver::find($request->input('id'));
 if (!$driver) return $this->failure('User not found');
 
+ if (empty($driver->api_key)) {
+ $this->generateApiKeys($driver);
+ }
+
 $jwt = $this->createJwt($driver->id, 'driver', $request->input('fingerPrint'), 14400);
- return response()->json(['status' => 'success', 'jwt' => $jwt, 'expires_in' => 14400]);
+ return response()->json([
+ 'status' => 'success',
+ 'jwt' => $jwt,
+ 'expires_in' => 14400,
+ 'api_key' => $driver->api_key,
+ 'api_secret' => $driver->api_secret
+ ]);
 }
 
 // ══════════════════════════════════════════════
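Review bot: The new passenger handshake response returns the long-lived secret on every call at `'api_secret' => $passenger->api_secret`, while the account is selected by the client-supplied `$request->input('id')`; the start of passengerJwtHandshake, and any HMAC check there that binds the caller to that id, is outside the hunk, so it cannot be confirmed here that the caller has proven ownership of the id. If that check does not cover the id, this endpoint hands any caller another passenger's api_key/api_secret, and even when it does, re-sending the secret on every handshake widens its exposure for no gain. I would return the secret only when it was just generated, `$fresh = empty($passenger->api_key); if ($fresh) { $this->generateApiKeys($passenger); }` and add `'api_secret'` to the payload only when `$fresh`, and verify any HMAC in the earlier part of the method with `hash_equals()` if it is not already.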
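Review bot: driverJwtHandshake now repeats passengerJwtHandshake line for line, the lazy `generateApiKeys` guard followed by the same five-key JSON, with only the model, the `'driver'` role string and the 14400 TTL differing; a private helper such as `return $this->handshakeResponse($driver, 'driver', $request->input('fingerPrint'), 14400);` would keep the two paths from drifting when one is fixed. Separately, `empty($driver->api_key)` and the `generateApiKeys($driver)` call are not serialized, so two concurrent first handshakes for the same driver could both see an empty key and both generate, and the later write would invalidate the secret the earlier response already returned; that race is plausible from these lines but not demonstrated, since generateApiKeys is not in the hunk. Generating under a row lock, or only when a conditional update of the empty column succeeds, would close it. The method's opening lines are outside the hunk.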
@@ -288,6 +308,16 @@ class AuthController extends Controller
 $data = (array) $row;
 $data['package'] = $data['package'] ?? '1.1.33'; // Default to avoid Null error in Flutter
 
+ // Ensure API keys exist
+ if (empty($data['api_key'])) {
+ $passenger = Passenger::find($data['id']);
+ if ($passenger) {
+ $this->generateApiKeys($passenger);
+ $data['api_key'] = $passenger->api_key;
+ $data['api_secret'] = $passenger->api_secret;
+ }
+ }
+
 foreach ($data as $key => $value) {
 if (is_string($value) && !in_array($key, ['id', 'status', 'created_at', 'updated_at', 'verified', 'isInstall', 'isGiftToken', 'api_key', 'api_secret', 'package'])) {
 $dec = $this->encryption->decrypt($value);
@@ -295,7 +325,28 @@ class AuthController extends Controller
 }
 }
 
- return response()->json(['status' => 'success', 'count' => 1, 'data' => [$data]]);
+ // Fetch Notification Token & Fingerprint
+ $tokenRow = DB::connection('primary')->table('passengerToken')->where('passengerID', $data['id'])->first();
+ if ($tokenRow) {
+ $data['fcm_token'] = $this->encryption->decrypt($tokenRow->token);
+ $data['fingerprint'] = $tokenRow->fingerPrint;
+ } else {
+ $data['fcm_token'] = null;
+ $data['fingerprint'] = null;
+ }
+
+ // Generate JWT using the header fingerprint, or fallback to the stored one
+ $clientFp = $request->header('X-Device-FP');
+ $jwtFp = !empty($clientFp) ? $clientFp : ($data['fingerprint'] ?? 'unknown');
+ $jwt = $this->createJwt($data['id'], 'passenger', $jwtFp, 3600);
+
+ return response()->json([
+ 'status' => 'success',
+ 'count' => 1,
+ 'data' => [$data],
+ 'jwt' => $jwt,
+ 'expires_in' => 3600
+ ]);
 }
 
 // ══════════════════════════════════════════════
diff --git a/routes/api.php b/routes/api.php
index e6a72c4..e4aba26 100644
--- a/routes/api.php
+++ b/routes/api.php
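Review bot: In the new `// Ensure API keys exist` block the `if ($passenger)` miss case falls through silently: `$data['id']` was just read from `$row`, so a lookup that fails there indicates a stale or inconsistent record, yet the response is then built with no api_key/api_secret and the client cannot tell that apart from a normal reply. I would fail loudly instead, `if (!$passenger) return $this->failure('User not found');`, which is how the two handshake methods earlier in this file handle the same miss. Note also that `empty($data['api_key'])` treats the string `'0'` as missing; if keys are random hex that is harmless, but `$data['api_key'] === null || $data['api_key'] === ''` says what is meant. The enclosing method's signature is above the hunk, so I am assuming from the subject line that this is the Google-login path.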
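Review bot: The fallback in `$jwtFp = !empty($clientFp) ? $clientFp : ($data['fingerprint'] ?? 'unknown');` issues a JWT bound to the literal `'unknown'` whenever the client omits `X-Device-FP` and no passengerToken row exists, and when a row does exist the `->first()` query has no `orderBy`, so for a user with several device rows the stored fingerprint used is whichever the database returns first. If the fingerprint passed to `createJwt` is what ties a token to a device (the verifying middleware is not visible here), both paths weaken that binding without any signal; I would fail closed, `if (empty($jwtFp)) return $this->failure('Device fingerprint required');`, and drop the `'unknown'` literal. The decrypted `fcm_token` is also placed in the returned `data`; it exists for server-side push delivery, so unless the app consumes it, omit it from the login response rather than decrypting and echoing it.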
@@ -68,8 +68,8 @@ Route::prefix('v2/auth')->group(function () {
 // Admin Error Logging (public — accepts error reports from Flutter apps)
 Route::post('v2/admin/errors', [MiscController::class, 'logClientError']);
 
-// Notification Tokens (Common for both)
-Route::match(['get', 'post'], 'v2/notifications/token', [NotificationController::class, 'updateToken']);
+Route::post('v2/notifications/token', [NotificationController::class, 'updateToken']);
+Route::get('v2/notifications/token', [NotificationController::class, 'getToken']);
 
 // OTP (public, but rate-limited)
 Route::prefix('v2/otp')->middleware('throttle:10,1')->group(function () {
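Review bot: The new `Route::get('v2/notifications/token', [NotificationController::class, 'getToken'])` is registered at top level with no middleware, in the same public region as the error-log route, while the OTP group two lines down shows this file's convention of `->middleware('throttle:10,1')` for anything public. A reader endpoint that returns a stored notification token (and, judging by the controller hunk in this patch, the device fingerprint alongside it) should sit inside the authenticated route group rather than here, or at the very least carry the same throttle; the controller action is not in this patch, so I cannot tell what identifies the caller. The section comment `// Notification Tokens (Common for both)` was dropped together with the `Route::match` line; restore it above the two new routes so this section stays labelled like its neighbours.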