Security: Fix HMAC handshake, generate API keys in Google Login, and relax JWT issuer
@@ -189,8 +189,18 @@ class AuthController extends Controller
|
|||||||
$passenger = Passenger::find($request->input('id'));
|
$passenger = Passenger::find($request->input('id'));
|
||||||
if (!$passenger) return $this->failure('User not found');
|
if (!$passenger) return $this->failure('User not found');
|
||||||
|
|
||||||
|
if (empty($passenger->api_key)) {
|
||||||
|
$this->generateApiKeys($passenger);
|
||||||
|
}
|
||||||
|
|
||||||
$jwt = $this->createJwt($passenger->id, 'passenger', $request->input('fingerPrint'), 3600);
|
$jwt = $this->createJwt($passenger->id, 'passenger', $request->input('fingerPrint'), 3600);
|
||||||
return response()->json(['status' => 'success', 'jwt' => $jwt, 'expires_in' => 3600]);
|
return response()->json([
|
||||||
|
'status' => 'success',
|
||||||
|
'jwt' => $jwt,
|
||||||
|
'expires_in' => 3600,
|
||||||
|
'api_key' => $passenger->api_key,
|
||||||
|
'api_secret' => $passenger->api_secret
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function driverJwtHandshake(Request $request): JsonResponse
|
public function driverJwtHandshake(Request $request): JsonResponse
|
||||||
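Review bot: Both `api_key` and `api_secret` are now returned on every handshake for whatever `id` the caller supplies, so anyone who gets past the check at the top of this method (outside the hunk, presumably the HMAC the title refers to) receives the account's long-lived secret and not just a one-hour JWT. If the secret is meant to be shown once, compute `$freshlyIssued = empty($passenger->api_key);` before the `if`, call generateApiKeys under it, and include `'api_secret'` in the payload only when `$freshlyIssued` is true; if re-sending it is intentional, say so next to the payload with `// NOTE: api_secret is re-sent on every handshake; the HMAC check above is the only gate`. Whether generateApiKeys draws from random_bytes() cannot be seen here and is worth confirming. The method's signature and its authentication check lie before the hunk.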
@@ -200,8 +210,18 @@ class AuthController extends Controller
|
|||||||
$driver = Driver::find($request->input('id'));
|
$driver = Driver::find($request->input('id'));
|
||||||
if (!$driver) return $this->failure('User not found');
|
if (!$driver) return $this->failure('User not found');
|
||||||
|
|
||||||
|
if (empty($driver->api_key)) {
|
||||||
|
$this->generateApiKeys($driver);
|
||||||
|
}
|
||||||
|
|
||||||
$jwt = $this->createJwt($driver->id, 'driver', $request->input('fingerPrint'), 14400);
|
$jwt = $this->createJwt($driver->id, 'driver', $request->input('fingerPrint'), 14400);
|
||||||
return response()->json(['status' => 'success', 'jwt' => $jwt, 'expires_in' => 14400]);
|
return response()->json([
|
||||||
|
'status' => 'success',
|
||||||
|
'jwt' => $jwt,
|
||||||
|
'expires_in' => 14400,
|
||||||
|
'api_key' => $driver->api_key,
|
||||||
|
'api_secret' => $driver->api_secret
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
// ══════════════════════════════════════════════
|
// ══════════════════════════════════════════════
|
||||||
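Review bot: driverJwtHandshake now repeats the passenger handshake line for line — lazy generateApiKeys, createJwt, and the same seven-line response array — differing only in the model, the role string and the 14400 TTL, so the two will drift the next time the response shape or the secret-exposure policy changes. A private helper taking the model, role and TTL reduces each handshake to one call and gives the contract a single place to be documented (`/** Issue a fingerprint-bound JWT for $user and ensure it has API credentials. */`). The function's opening lines and the preceding check are outside the hunk.

```php
    /**
     * Issue a fingerprint-bound JWT for $user and ensure it has API credentials.
     * Shared by the passenger and driver handshakes; $ttl is in seconds.
     */
    private function handshakeResponse(Passenger|Driver $user, string $role, Request $request, int $ttl): JsonResponse
    {
        if (empty($user->api_key)) {
            $this->generateApiKeys($user);
        }
        $jwt = $this->createJwt($user->id, $role, $request->input('fingerPrint'), $ttl);
        return response()->json([
            'status' => 'success',
            'jwt' => $jwt,
            'expires_in' => $ttl,
            'api_key' => $user->api_key,
            'api_secret' => $user->api_secret,
        ]);
    }

    // … in driverJwtHandshake, after the find / failure check:
    return $this->handshakeResponse($driver, 'driver', $request, 14400);
```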
@@ -288,6 +308,16 @@ class AuthController extends Controller
|
|||||||
$data = (array) $row;
|
$data = (array) $row;
|
||||||
$data['package'] = $data['package'] ?? '1.1.33'; // Default to avoid Null error in Flutter
|
$data['package'] = $data['package'] ?? '1.1.33'; // Default to avoid Null error in Flutter
|
||||||
|
|
||||||
|
// Ensure API keys exist
|
||||||
|
if (empty($data['api_key'])) {
|
||||||
|
$passenger = Passenger::find($data['id']);
|
||||||
|
if ($passenger) {
|
||||||
|
$this->generateApiKeys($passenger);
|
||||||
|
$data['api_key'] = $passenger->api_key;
|
||||||
|
$data['api_secret'] = $passenger->api_secret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
foreach ($data as $key => $value) {
|
foreach ($data as $key => $value) {
|
||||||
if (is_string($value) && !in_array($key, ['id', 'status', 'created_at', 'updated_at', 'verified', 'isInstall', 'isGiftToken', 'api_key', 'api_secret', 'package'])) {
|
if (is_string($value) && !in_array($key, ['id', 'status', 'created_at', 'updated_at', 'verified', 'isInstall', 'isGiftToken', 'api_key', 'api_secret', 'package'])) {
|
||||||
$dec = $this->encryption->decrypt($value);
|
$dec = $this->encryption->decrypt($value);
|
||||||
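Review bot: When `Passenger::find($data['id'])` returns null the new block falls through silently, and the method then continues with `api_key` empty and no `api_secret` key at all — the `$row` it started from comes from a query outside the hunk, so a mismatch between that source and the Passenger model is possible. An explicit failure is safer than handing back a JWT without credentials: replace the `if ($passenger)` guard with `if (!$passenger) return $this->failure('User not found');` and let the two assignments follow unconditionally. Separately, the `in_array($key, [...])` on the next line should pass `true` as its third argument so the key comparison is strict. The enclosing method starts before and ends after the hunk.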
@@ -295,7 +325,28 @@ class AuthController extends Controller
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return response()->json(['status' => 'success', 'count' => 1, 'data' => [$data]]);
|
// Fetch Notification Token & Fingerprint
|
||||||
|
$tokenRow = DB::connection('primary')->table('passengerToken')->where('passengerID', $data['id'])->first();
|
||||||
|
if ($tokenRow) {
|
||||||
|
$data['fcm_token'] = $this->encryption->decrypt($tokenRow->token);
|
||||||
|
$data['fingerprint'] = $tokenRow->fingerPrint;
|
||||||
|
} else {
|
||||||
|
$data['fcm_token'] = null;
|
||||||
|
$data['fingerprint'] = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate JWT using the header fingerprint, or fallback to the stored one
|
||||||
|
$clientFp = $request->header('X-Device-FP');
|
||||||
|
$jwtFp = !empty($clientFp) ? $clientFp : ($data['fingerprint'] ?? 'unknown');
|
||||||
|
$jwt = $this->createJwt($data['id'], 'passenger', $jwtFp, 3600);
|
||||||
|
|
||||||
|
return response()->json([
|
||||||
|
'status' => 'success',
|
||||||
|
'count' => 1,
|
||||||
|
'data' => [$data],
|
||||||
|
'jwt' => $jwt,
|
||||||
|
'expires_in' => 3600
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
// ══════════════════════════════════════════════
|
// ══════════════════════════════════════════════
|
||||||
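Review bot: `$jwtFp` falls back to the literal `'unknown'` when neither the `X-Device-FP` header nor a stored `passengerToken` fingerprint exists, so the JWT is then bound to a constant that any client could present; how much that weakens device binding depends on how the token's consumer verifies the fingerprint, which is outside the hunk, but the handshake endpoints require a client fingerprint and this login path should too. Replace the fallback with a failure: `$jwtFp = !empty($clientFp) ? $clientFp : $data['fingerprint']; if (empty($jwtFp)) return $this->failure('Device fingerprint required');`. The stored-fingerprint branch also deserves a hedged note such as `// presumably the fingerprint last registered through updateToken; a stale row yields a stale binding — confirm`. The method's opening is outside the hunk.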
|
|||||||
@@ -68,8 +68,8 @@ Route::prefix('v2/auth')->group(function () {
|
|||||||
// Admin Error Logging (public — accepts error reports from Flutter apps)
|
// Admin Error Logging (public — accepts error reports from Flutter apps)
|
||||||
Route::post('v2/admin/errors', [MiscController::class, 'logClientError']);
|
Route::post('v2/admin/errors', [MiscController::class, 'logClientError']);
|
||||||
|
|
||||||
// Notification Tokens (Common for both)
|
Route::post('v2/notifications/token', [NotificationController::class, 'updateToken']);
|
||||||
Route::match(['get', 'post'], 'v2/notifications/token', [NotificationController::class, 'updateToken']);
|
Route::get('v2/notifications/token', [NotificationController::class, 'getToken']);
|
||||||
|
|
||||||
// OTP (public, but rate-limited)
|
// OTP (public, but rate-limited)
|
||||||
Route::prefix('v2/otp')->middleware('throttle:10,1')->group(function () {
|
Route::prefix('v2/otp')->middleware('throttle:10,1')->group(function () {
|
||||||
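Review bot: `Route::match(['get', 'post'], 'v2/notifications/token', updateToken)` and `Route::get('v2/notifications/token', getToken)` both claim GET on the same URI, so one of them is dead; as far as I recall Laravel keys its route collection by method and URI, so the later `getToken` registration replaces the GET half of the match, but that is an implicit overwrite rather than a stated intent, and if the order were ever reversed a token update would become reachable by GET (URL-logged, cacheable, no CSRF protection). Make the split explicit: `Route::post('v2/notifications/token', [NotificationController::class, 'updateToken']);` followed by `Route::get('v2/notifications/token', [NotificationController::class, 'getToken']);`. The `// Notification Tokens (Common for both)` comment that preceded the old line appears to have been dropped and should be kept. Whether these two routes sit under an auth middleware is not visible in this hunk.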
|
|||||||