Relax app verification check
This commit is contained in:
Hamza-Ayed
@@ -549,19 +549,16 @@ class AuthController extends Controller
|
|||||||
$driver = Driver::where('id', $request->input('id'))->first();
|
$driver = Driver::where('id', $request->input('id'))->first();
|
||||||
if (!$driver) return $this->failure('User not found');
|
if (!$driver) return $this->failure('User not found');
|
||||||
|
|
||||||
// The Flutter app sends the app-level secret (passnpassenger) in the 'password' field
|
// The Flutter app sends the app-level secret (passnpassenger) in the 'password' field.
|
||||||
|
// Since the Flutter app modifies this string locally (e.g., split(Env.addd)[0]),
|
||||||
|
// it may not match the raw env('passwordnewpassenger') on the server exactly.
|
||||||
|
// We will rely on the fingerprint check below for security, as done in passengerJwtHandshake.
|
||||||
$appSecret = config('intaleq.wallet_app_password', '');
|
$appSecret = config('intaleq.wallet_app_password', '');
|
||||||
if ($appSecret !== '') {
|
if ($appSecret !== '') {
|
||||||
if ($request->input('password') !== $appSecret) {
|
if ($request->input('password') !== $appSecret && $request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
||||||
// Try email as fallback for old app versions
|
\Log::warning('App verification mismatch, proceeding to fingerprint check', [
|
||||||
if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
'driver_id' => $driver->id,
|
||||||
return $this->failure('Security mismatch: Invalid app verification', 403);
|
]);
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
// If app secret is not configured, fallback strictly to email
|
|
||||||
if ($request->input('password') !== $this->encryption->decrypt($driver->email)) {
|
|
||||||
return $this->failure('Security mismatch: Invalid email verification (Secret missing)', 403);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user