166 lines
6.1 KiB
PHP
166 lines
6.1 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Cache;
|
|
|
|
use App\Services\PayloadCrypto;
|
|
|
|
/**
|
|
* وسيط التحقق من التوقيع الرقمي (HMAC Validation Middleware)
|
|
*
|
|
* الغرض من الملف:
|
|
* توفير طبقة أمان إضافية لجميع الطلبات لضمان عدم التلاعب بالبيانات أثناء انتقالها بين التطبيق والخادم.
|
|
*
|
|
* كيفية العمل:
|
|
* 1. يتطلب وجود "توقيع" (Signature) في رأس الطلب (Headers).
|
|
* 2. يقوم الخادم بإعادة حساب التوقيع باستخدام مفتاح سري (API Secret) ومقارنته بالتوقيع المرسل.
|
|
* 3. حماية البيانات: إذا كانت البيانات مشفرة، يقوم بفك تشفيرها باستخدام نفس المفتاح السري (API Secret).
|
|
* 4. يضمن أن البيانات لم تتغير في الطريق (Data Integrity).
|
|
*/
|
|
class HmacAuthMiddleware
|
|
{
|
|
private const ALGORITHM = 'sha256';
|
|
private PayloadCrypto $crypto;
|
|
|
|
public function __construct(PayloadCrypto $crypto)
|
|
{
|
|
$this->crypto = $crypto;
|
|
}
|
|
|
|
public function handle(Request $request, Closure $next)
|
|
{
|
|
$apiKey = $request->header('X-API-Key');
|
|
$timestamp = $request->header('X-Timestamp');
|
|
$signature = $request->header('X-Signature');
|
|
$nonce = $request->header('X-Nonce');
|
|
|
|
// 1. Check required headers
|
|
if (!$apiKey || !$timestamp || !$signature) {
|
|
return response()->json([
|
|
'status' => 'failure',
|
|
'message' => 'Missing authentication headers'
|
|
], 401);
|
|
}
|
|
|
|
// 2. Validate timestamp (prevent replay attacks)
|
|
$tolerance = (int) config('intaleq.hmac_tolerance', 300);
|
|
$timeDiff = abs(time() - (int) $timestamp);
|
|
|
|
if ($timeDiff > $tolerance) {
|
|
return response()->json([
|
|
'status' => 'failure',
|
|
'message' => 'Request expired'
|
|
], 401);
|
|
}
|
|
|
|
// 3. Check nonce uniqueness
|
|
if ($nonce) {
|
|
$nonceKey = "nonce:{$nonce}";
|
|
if (Cache::has($nonceKey)) {
|
|
return response()->json(['status' => 'failure', 'message' => 'Duplicate request'], 401);
|
|
}
|
|
Cache::put($nonceKey, true, $tolerance * 2);
|
|
}
|
|
|
|
// 4. Lookup API secret from database
|
|
$credentials = $this->getApiCredentials($apiKey);
|
|
|
|
if (!$credentials) {
|
|
return response()->json(['status' => 'failure', 'message' => 'Invalid API key'], 401);
|
|
}
|
|
|
|
// 5. Reconstruct and verify HMAC signature
|
|
$payload = $request->getContent();
|
|
$message = "{$timestamp}|{$apiKey}|{$payload}";
|
|
$expectedSignature = hash_hmac(self::ALGORITHM, $message, $credentials->api_secret);
|
|
|
|
if (!hash_equals($expectedSignature, $signature)) {
|
|
return response()->json(['status' => 'failure', 'message' => 'Invalid signature'], 401);
|
|
}
|
|
|
|
// 6. Optional: Auto-Decrypt Payload if it's encrypted
|
|
// We assume if it's a non-JSON string, it might be encrypted
|
|
if (!empty($payload) && !str_starts_with(trim($payload), '{')) {
|
|
try {
|
|
$this->crypto->setKeyFromSecret($credentials->api_secret);
|
|
$decrypted = $this->crypto->decrypt($payload);
|
|
|
|
if ($decrypted) {
|
|
// Replace request content with decrypted data
|
|
$request->initialize(
|
|
$request->query->all(),
|
|
$request->request->all(),
|
|
$request->attributes->all(),
|
|
$request->cookies->all(),
|
|
$request->files->all(),
|
|
$request->server->all(),
|
|
$decrypted
|
|
);
|
|
|
|
// Also merge decrypted JSON into request data
|
|
$jsonData = json_decode($decrypted, true);
|
|
if (is_array($jsonData)) {
|
|
$request->merge($jsonData);
|
|
}
|
|
}
|
|
} catch (\Exception $e) {
|
|
// If decryption fails, we might still want to proceed if it wasn't meant to be encrypted
|
|
// but usually, a failed signature check (above) would have caught tampering.
|
|
}
|
|
}
|
|
|
|
// 7. Attach user info to request for controllers
|
|
$request->merge([
|
|
'_auth_user_id' => $credentials->user_id,
|
|
'_auth_user_type' => $credentials->user_type,
|
|
]);
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
/**
|
|
* Get API credentials with Redis caching (5 min)
|
|
*/
|
|
private function getApiCredentials(string $apiKey): ?object
|
|
{
|
|
$cacheKey = "api_cred:{$apiKey}";
|
|
|
|
return Cache::remember($cacheKey, 300, function () use ($apiKey) {
|
|
// Check both driver and passenger tables for API keys
|
|
$driver = DB::connection('primary')
|
|
->table('driver')
|
|
->select('id as user_id', 'api_secret')
|
|
->selectRaw("'driver' as user_type")
|
|
->where('api_key', $apiKey)
|
|
->where('status', 'notDeleted')
|
|
->first();
|
|
|
|
if ($driver) return $driver;
|
|
|
|
$passenger = DB::connection('primary')
|
|
->table('passengers')
|
|
->select('id as user_id', 'api_secret')
|
|
->selectRaw("'passenger' as user_type")
|
|
->where('api_key', $apiKey)
|
|
->where('status', 'notDeleted')
|
|
->first();
|
|
|
|
if ($passenger) return $passenger;
|
|
|
|
// Check admin users
|
|
$admin = DB::connection('primary')
|
|
->table('adminUser')
|
|
->select('id as user_id', 'api_secret')
|
|
->selectRaw("'admin' as user_type")
|
|
->where('api_key', $apiKey)
|
|
->first();
|
|
|
|
return $admin;
|
|
});
|
|
}
|
|
}
|