From cc85fe1815888a02986b2d7c0802f44d40735f5f Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Fri, 24 Apr 2026 22:07:34 +0300
Subject: [PATCH] Security Hardening: Implement RateLimiter for OTP, add strict validation for Admin device_number, and reduce HMAC tolerance to 60s
---
 app/Http/Controllers/OtpController.php | 10 +++++-----
 config/intaleq.php | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/Http/Controllers/OtpController.php b/app/Http/Controllers/OtpController.php
index 9882ab9..19c313f 100644
--- a/app/Http/Controllers/OtpController.php
+++ b/app/Http/Controllers/OtpController.php
@@ -6,6 +6,7 @@ use Illuminate\Http\Request;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Str;
 use App\Services\LegacyEncryption;
@@ -41,11 +42,10 @@ class OtpController extends Controller
 // Rate limit: 3 OTP per phone per 5 minutes
 $key = "otp_limit_{$userType}:{$phone}";
-if (Cache::get($key, 0) >= 3) {
-return $this->failure('Too many OTP requests', 429);
+if (RateLimiter::tooManyAttempts($key, 3)) {
+return $this->failure('Too many OTP requests. Please try again later.', 429);
 }
-Cache::increment($key);
-Cache::put($key, Cache::get($key), 300);
+RateLimiter::hit($key, 300);
 // Generate 5-digit OTP
 $otp = (string) random_int(10000, 99999);
@@ -134,7 +134,7 @@ class OtpController extends Controller
 'phone' => 'required|string',
 'otp' => 'required|string',
 'user_type' => 'nullable|in:passenger,driver,admin',
-'device_number' => 'nullable|string', // Used for admin
+'device_number' => 'nullable|string|max:64|regex:/^[a-zA-Z0-9_\-\.]+$/', // Used for admin
 ]);
 $phone = $request->input('phone');
diff --git a/config/intaleq.php b/config/intaleq.php
index 4f90894..a4e17e4 100644
--- a/config/intaleq.php
+++ b/config/intaleq.php
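Review bot: The limiter introduced at `RateLimiter::tooManyAttempts($key, 3)` is keyed only on `{$userType}:{$phone}`, so one client can still drive an unbounded number of OTP sends by rotating phone numbers (SMS cost and spam exposure); a second counter per source address is the usual complement. Something like `$ipKey = "otp_limit_ip:{$request->ip()}";` checked together with the phone key under a larger budget (say 20 per 300 seconds) and hit on every request would close that gap — this assumes the Laravel request object is available under that name, which is declared outside the hunk. The phone is interpolated into the key exactly as received; if it is not normalised earlier (country code, leading zeros), variants of the same number land in separate buckets, which is worth confirming against the lines above the hunk. The enclosing method starts before the hunk.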
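Review bot: The new `regex:/^[a-zA-Z0-9_\-\.]+$/` rule on `device_number` has no `D` modifier, so `$` also matches before a trailing newline and a value such as `abc\n` passes validation; `'device_number' => 'nullable|string|max:64|regex:/^[a-zA-Z0-9_\-\.]+$/D', // Used for admin` anchors it to the true end of the string. The `// Used for admin` comment says the field only matters for admins, yet the rule stays `nullable` for every `user_type`; if the admin path depends on a device identifier, `required_if:user_type,admin` would state that at the boundary instead of leaving it to the consuming code, which is outside the hunk. The `validate()` call and the method around it begin and end outside the hunk.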
@@ -18,7 +18,7 @@ return [
 ? trim(file_get_contents('/home/intaleq-api/.secret_key'))
 : env('JWT_SECRET'),
-'hmac_tolerance' => env('HMAC_TOLERANCE_SECONDS', 300),
+'hmac_tolerance' => env('HMAC_TOLERANCE_SECONDS', 60),
 // Encryption - قراءة مفتاح التشفير من الملف
 'legacy_enc_key_path' => '/home/intaleq-api/.enckey',
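Review bot: Lowering the default in `'hmac_tolerance' => env('HMAC_TOLERANCE_SECONDS', 60)` only takes effect where `HMAC_TOLERANCE_SECONDS` is unset; a deployed `.env` that still sets 300 keeps the old window, so the deployment configuration should be checked alongside this change. When the variable is set, `env()` returns a string rather than an int, so `'hmac_tolerance' => (int) env('HMAC_TOLERANCE_SECONDS', 60),` keeps the type stable for whichever comparison consumes the value. A 60-second window also presumes client and server clocks are time-synchronised; logging skew rejections separately from bad-signature rejections lets a clock regression be distinguished from a replay attempt.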