From f23c81536b2ee5b63876f543d7121a2da8fb075c Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Sat, 2 May 2026 16:19:07 +0300
Subject: [PATCH] service add APP_SIGNATURE_SERVICE 2

---
 core/Auth/JwtService.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/Auth/JwtService.php b/core/Auth/JwtService.php
index 11e980b..36a0f40 100644
--- a/core/Auth/JwtService.php
+++ b/core/Auth/JwtService.php
@@ -259,9 +259,13 @@ class JwtService
 $nonce = $_SERVER['HTTP_X_NONCE'] ?? '';
 $body = file_get_contents('php://input') ?: '';
+ // نشتق مفتاح الـ HMAC الخاص بهذا المستخدم (نفس المعادلة في login.php)
+ $derivedSecret = hash_hmac('sha256', (string)$userId, $this->hmacSecret);
+
 // التوقيع يضم الـ Body + Timestamp + Nonce لمنع التكرار والتلاعب
 $payloadToSign = $body . $timestamp . $nonce;
- $expectedHmac = hash_hmac('sha256', $payloadToSign, $this->hmacSecret);
+ $expectedHmac = hash_hmac('sha256', $payloadToSign, $derivedSecret);
+
 if (!hash_equals($expectedHmac, $hmacHeader)) {
 error_log("[SECURITY] HMAC mismatch | user: $userId | IP: " . ($_SERVER['REMOTE_ADDR'] ?? '?'));
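Review bot: The per-user key derivation on the new `$derivedSecret` line duplicates a formula that its own comment says also lives in login.php, so the two copies can drift and any mismatch becomes a silent HMAC failure on every request; keep one source of truth, e.g. `public function deriveUserSecret(int|string $userId): string { return hash_hmac('sha256', (string)$userId, $this->hmacSecret); }` on JwtService and have login.php call it. The comment above `$payloadToSign` promises replay protection, but a signed nonce only prevents replay if the nonce is recorded and rejected on reuse and `$timestamp` is checked against a bounded clock window; neither check is visible in this hunk, so confirm they exist elsewhere in the method or add them before the `hash_equals` call. `hash_equals` throws a TypeError when its second argument is null, so if `$hmacHeader` can be missing it should be defaulted to `''` the way `$nonce` is. The enclosing method begins and ends outside the hunk.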