Hamza/intaleq_v3_pure_php
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

service add APP_SIGNATURE_SERVICE 2

Browse Source
This commit is contained in:
Hamza-Ayed
2026-05-02 16:19:07 +03:00
parent 070fca9891
commit f23c81536b
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
core/Auth/JwtService.php
View File

@@ -259,9 +259,13 @@ class JwtService
$nonce = $_SERVER['HTTP_X_NONCE'] ?? '';
$body = file_get_contents('php://input') ?: '';
// نشتق مفتاح الـ HMAC الخاص بهذا المستخدم (نفس المعادلة في login.php)
$derivedSecret = hash_hmac('sha256', (string)$userId, $this->hmacSecret);
// التوقيع يضم الـ Body + Timestamp + Nonce لمنع التكرار والتلاعب
$payloadToSign = $body . $timestamp . $nonce;
$expectedHmac = hash_hmac('sha256', $payloadToSign, $this->hmacSecret);
$expectedHmac = hash_hmac('sha256', $payloadToSign, $derivedSecret);
if (!hash_equals($expectedHmac, $hmacHeader)) {
error_log("[SECURITY] HMAC mismatch | user: $userId | IP: " . ($_SERVER['REMOTE_ADDR'] ?? '?'));