From e8f9c8bd05184d3e410690ededc6bc74af7d970e Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Fri, 24 Apr 2026 16:56:57 +0300
Subject: [PATCH] Security:6 Fix HMAC handshake, generate API keys in Google Login, and relax JWT issuer
---
 app/Http/Controllers/OtpController.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/OtpController.php b/app/Http/Controllers/OtpController.php
index 074ef92..ac90560 100644
--- a/app/Http/Controllers/OtpController.php
+++ b/app/Http/Controllers/OtpController.php
@@ -108,10 +108,15 @@ class OtpController extends Controller
 // TODO: Send SMS/WhatsApp via external provider
 // Check if passenger exists to allow immediate login (V1 style)
- // Note: Phone is stored ENCRYPTED in passengers table in V1
- $encPhone = $this->encryption->encrypt($phone);
+ // We check both encrypted and raw phone with multiple formats (963... and 0...)
+ $rawPhone = $phone;
+ $localPhone = '0' . substr($phone, 3); // Convert 9639... to 09...
+
+ $encRawPhone = $this->encryption->encrypt($rawPhone);
+ $encLocalPhone = $this->encryption->encrypt($localPhone);
+
 $passenger = DB::connection('primary')->table('passengers')
- ->where('phone', $encPhone)
+ ->whereIn('phone', [$rawPhone, $localPhone, $encRawPhone, $encLocalPhone])
 ->first();
 return $this->success([
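Review bot: `$localPhone = '0' . substr($phone, 3);` drops three characters without checking that `$phone` really begins with `963`, so an input already in `09...` or `+963...` form yields a different number that then takes part in the passenger lookup; unless the format is validated earlier in the method (not visible, the method starts and ends outside this hunk), guard it, for example `$localPhone = str_starts_with($phone, '963') ? '0' . substr($phone, 3) : $phone;`. The `whereIn` now also accepts plaintext values in a column the removed comment described as encrypted, and `first()` without an ordering returns an arbitrary row if the same number is stored in more than one of the four forms. Because this match decides the immediate-login path, it would be safer to normalise to one canonical stored form and add a comment saying which rows are still plaintext and why. The commit subject mentions HMAC, Google Login and the JWT issuer, none of which appear in this diff.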