Security Hardening: Implement RateLimiter for OTP, add strict validation for Admin device_number, and reduce HMAC tolerance to 60s

app/Http/Controllers/OtpController.php

@@ -6,6 +6,7 @@ use Illuminate\Http\Request;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Str;
 use App\Services\LegacyEncryption;
 
@@ -41,11 +42,10 @@ class OtpController extends Controller
 
         // Rate limit: 3 OTP per phone per 5 minutes
         $key = "otp_limit_{$userType}:{$phone}";
-        if (Cache::get($key, 0) >= 3) {
-            return $this->failure('Too many OTP requests', 429);
+        if (RateLimiter::tooManyAttempts($key, 3)) {
+            return $this->failure('Too many OTP requests. Please try again later.', 429);
         }
-        Cache::increment($key);
-        Cache::put($key, Cache::get($key), 300);
+        RateLimiter::hit($key, 300);
 
         // Generate 5-digit OTP
         $otp = (string) random_int(10000, 99999);
@@ -134,7 +134,7 @@ class OtpController extends Controller
             'phone' => 'required|string',
             'otp' => 'required|string',
             'user_type' => 'nullable|in:passenger,driver,admin',
-            'device_number' => 'nullable|string', // Used for admin
+            'device_number' => 'nullable|string|max:64|regex:/^[a-zA-Z0-9_\-\.]+$/', // Used for admin
         ]);
 
         $phone = $request->input('phone');

config/intaleq.php

@@ -18,7 +18,7 @@ return [
         ? trim(file_get_contents('/home/intaleq-api/.secret_key'))
         : env('JWT_SECRET'),
 
-    'hmac_tolerance' => env('HMAC_TOLERANCE_SECONDS', 300),
+    'hmac_tolerance' => env('HMAC_TOLERANCE_SECONDS', 60),
 
     // Encryption - قراءة مفتاح التشفير من الملف
     'legacy_enc_key_path' => '/home/intaleq-api/.enckey',