🚀 مُصادَق: تحديث برمجي جديد 2026-05-03 16:43

2026-05-03 16:43:46 +03:00
parent 3aeb3220f1
commit 0488c17107
26 changed files with 1282 additions and 1153 deletions
--- a/app/Services/Security/EncryptionService.php
+++ b/app/Services/Security/EncryptionService.php
@@ -13,50 +13,36 @@ final class EncryptionService

    public function __construct()
    {
-        // Load encryption key from secrets config
-        $secrets = require __DIR__ . '/../../../config/secrets.php';
-        $this->key = $secrets['encryption_key'] ?? '';
+        // Load from config/secrets.php — NEVER from .env directly
+        $secrets = require dirname(__DIR__, 3) . '/config/secrets.php';
+        $key = $secrets['encryption_key'] ?? '';
        
-        // Ensure key is hexadecimal and convert to binary (32 bytes)
-        if (strlen($this->key) === 64) {
-            $this->key = hex2bin($this->key);
-        }
-
-        if (strlen($this->key) !== 32) {
-             throw new Exception("Security Error: Invalid ENCRYPTION_KEY length. Must be 32 bytes.");
+        if (strlen($key) !== 32) {
+            throw new \RuntimeException(
+                'ENCRYPTION_KEY_B64 not set or invalid. ' .
+                'Generate: php -r "echo base64_encode(random_bytes(32));"'
+            );
        }
+        $this->key = $key;
    }

    public function encrypt(string $plaintext): string
    {
-        $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length(self::METHOD));
-        $ciphertext = openssl_encrypt($plaintext, self::METHOD, $this->key, 0, $iv, $tag);
-        
-        if ($ciphertext === false) {
-            throw new Exception("Encryption failed.");
-        }
-
+        $iv = random_bytes(12); // 12 bytes for GCM
+        $tag = '';
+        $ciphertext = openssl_encrypt($plaintext, self::METHOD, $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
+        if ($ciphertext === false) throw new \RuntimeException('Encryption failed');
        return base64_encode($iv) . ':' . base64_encode($ciphertext) . ':' . base64_encode($tag);
    }

-    public function decrypt(string $encryptedData): string
+    public function decrypt(string $data): string
    {
-        $parts = explode(':', $encryptedData);
-        if (count($parts) !== 3) {
-            throw new Exception("Invalid encrypted data format.");
-        }
-
-        [$ivBase64, $ciphertextBase64, $tagBase64] = $parts;
-        $iv = base64_decode($ivBase64);
-        $ciphertext = base64_decode($ciphertextBase64);
-        $tag = base64_decode($tagBase64);
-
-        $plaintext = openssl_decrypt($ciphertext, self::METHOD, $this->key, 0, $iv, $tag);
-        
-        if ($plaintext === false) {
-            throw new Exception("Decryption failed.");
-        }
-
+        [$iv64, $ct64, $tag64] = explode(':', $data);
+        $plaintext = openssl_decrypt(
+            base64_decode($ct64), self::METHOD, $this->key,
+            OPENSSL_RAW_DATA, base64_decode($iv64), base64_decode($tag64)
+        );
+        if ($plaintext === false) throw new \RuntimeException('Decryption failed');
        return $plaintext;
    }
 }
--- a/app/Services/Security/HmacService.php
+++ b/app/Services/Security/HmacService.php
@@ -11,35 +11,29 @@ final class HmacService
    /**
     * Verify HMAC signature for external API requests (Flutter)
     */
-    public function verify(
-        string $secret,
-        string $method,
-        string $path,
-        string $timestamp,
-        string $nonce,
-        string $body,
-        string $providedSignature
-    ): bool {
-        // 1. Check timestamp (within 5 minutes)
-        if (abs(time() - (int)$timestamp) > 300) {
-            return false;
+    public function verify(string $secret, string $method, string $path,
+        string $timestamp, string $nonce, string $body, string $signature): bool
+    {
+        // 1. Timestamp window (±5 minutes)
+        if (abs(time() - (int)$timestamp) > 300) return false;
+
+        // 2. Nonce replay protection
+        try {
+            $redis = \App\Core\Redis::getInstance();
+            $nonceKey = 'hmac_nonce:' . $nonce;
+            if ($redis->exists($nonceKey)) return false; // Replay attack
+            $redis->setex($nonceKey, 600, '1'); // TTL 10 minutes
+        } catch (\Throwable $e) {
+            // Redis unavailable — log but don't fail (degrade gracefully)
+            error_log('[HMAC] Redis unavailable for nonce check: ' . $e->getMessage());
        }

-        // 2. Replay protection using Nonce in Redis
-        // Note: Redis::getInstance() would be used here
-        // If nonce exists, reject
-        
-        // 3. Calculate Signature
+        // 3. Build & compare signature
        $bodyHash = hash('sha256', $body);
-        $stringToSign = strtoupper($method) . "\n" . 
-                       $path . "\n" . 
-                       $timestamp . "\n" . 
-                       $nonce . "\n" . 
-                       $bodyHash;
+        $stringToSign = strtoupper($method) . "\n" . $path . "\n" . $timestamp . "\n" . $nonce . "\n" . $bodyHash;
+        $calculated = hash_hmac('sha256', $stringToSign, $secret);

-        $calculatedSignature = hash_hmac('sha256', $stringToSign, $secret);
-
-        return hash_equals($calculatedSignature, $providedSignature);
+        return hash_equals($calculated, $signature);
    }

    public function sign(string $secret, string $method, string $path, string $timestamp, string $nonce, string $body): string