Relax app verification check
This commit is contained in:
Hamza-Ayed
@@ -549,19 +549,16 @@ class AuthController extends Controller
|
||||
$driver = Driver::where('id', $request->input('id'))->first();
|
||||
if (!$driver) return $this->failure('User not found');
|
||||
|
||||
// The Flutter app sends the app-level secret (passnpassenger) in the 'password' field
|
||||
// The Flutter app sends the app-level secret (passnpassenger) in the 'password' field.
|
||||
// Since the Flutter app modifies this string locally (e.g., split(Env.addd)[0]),
|
||||
// it may not match the raw env('passwordnewpassenger') on the server exactly.
|
||||
// We will rely on the fingerprint check below for security, as done in passengerJwtHandshake.
|
||||
$appSecret = config('intaleq.wallet_app_password', '');
|
||||
if ($appSecret !== '') {
|
||||
if ($request->input('password') !== $appSecret) {
|
||||
// Try email as fallback for old app versions
|
||||
if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
||||
return $this->failure('Security mismatch: Invalid app verification', 403);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// If app secret is not configured, fallback strictly to email
|
||||
if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
||||
return $this->failure('Security mismatch: Invalid email verification (Secret missing)', 403);
|
||||
if ($request->input('password') !== $appSecret && $request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
||||
\Log::warning('App verification mismatch, proceeding to fingerprint check', [
|
||||
'driver_id' => $driver->id,
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user