🚀 مُصادَق: تحديث برمجي جديد 2026-05-03 15:28

2026-05-03 15:28:58 +03:00
parent 061431f36a
commit 06dc3885d7
9 changed files with 800 additions and 404 deletions
--- a/app/Modules/Auth/AuthController.php
+++ b/app/Modules/Auth/AuthController.php
@@ -5,7 +5,8 @@ declare(strict_types=1);
 namespace App\Modules\Auth;

 use App\Core\{Request, Response};
-use App\Modules\Auth\AuthService;
+use App\Services\Security\EncryptionService;
+use App\Services\Security\JwtService;
 use Throwable;

 final class AuthController
@@ -26,7 +27,7 @@ final class AuthController
            $result = $this->authService->login($email, $password);
            
            // 2FA Check
-            if ($result['user']->totp_enabled) {
+            if (($result['user']['totp_enabled'] ?? false) === true) {
                Response::json([
                    'success' => true,
                    'requires_2fa' => true,
@@ -71,6 +72,22 @@ final class AuthController

    public function logout(Request $request): void
    {
+        $authHeader = $request->getHeader('Authorization');
+        if ($authHeader && str_starts_with($authHeader, 'Bearer ')) {
+            try {
+                $token = substr($authHeader, 7);
+                $jwtService = new JwtService();
+                $decoded = $jwtService->verifyToken($token);
+                $jti = (string)($decoded['jti'] ?? '');
+                $remaining = max(((int)($decoded['exp'] ?? 0)) - time(), 0);
+                if ($jti !== '') {
+                    $this->authService->logout($jti, $remaining);
+                }
+            } catch (Throwable $e) {
+                error_log('[AUTH] Could not parse token on logout: ' . $e->getMessage());
+            }
+        }
+
        // Clear refresh token cookie
        setcookie('refresh_token', '', [
            'expires' => time() - 3600,
@@ -168,9 +185,10 @@ final class AuthController
        
        $totpService = new \App\Services\TotpService();
        if ($totpService->verify($secret, $code)) {
+            $encryptedSecret = (new EncryptionService())->encrypt($secret);
            $db = \App\Core\Database::getInstance();
            $stmt = $db->prepare("UPDATE users SET totp_secret = ?, totp_enabled = 1 WHERE id = ?");
-            $stmt->execute([$secret, $request->user->user_id]);
+            $stmt->execute([$encryptedSecret, $request->user->user_id]);

            Response::json(['success' => true, 'message' => 'تم تفعيل التحقق الثنائي بنجاح']);
        } else {
@@ -189,28 +207,58 @@ final class AuthController
        $stmt->execute([$userId]);
        $secret = $stmt->fetchColumn();

-        $totpService = new \App\Services\TotpService();
-        if ($secret && $totpService->verify($secret, $code)) {
-            // Re-fetch user for full data
-            $stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
-            $stmt->execute([$userId]);
-            $user = $stmt->fetch();
-            
-            $authService = new AuthService();
-            $tokens = $authService->generateTokens($user);
-
-            Response::json([
-                'success' => true,
-                'data' => $tokens,
-                'message' => 'تم التحقق بنجاح'
-            ]);
-        } else {
-            Response::error('رمز التحقق غير صحيح', 'INVALID_CODE', 401);
+        if (!$secret) {
+            Response::error('لم يتم تفعيل التحقق الثنائي لهذا الحساب', 'TWO_FA_DISABLED', 400);
+            return;
        }
+
+        $totpService = new \App\Services\TotpService();
+        $decrypted = null;
+        try {
+            $decrypted = (new EncryptionService())->decrypt((string)$secret);
+        } catch (Throwable $e) {
+            // Backward compatibility with old plaintext records
+            $decrypted = (string)$secret;
+        }
+
+        if (!$totpService->verify($decrypted, $code)) {
+            Response::error('رمز التحقق غير صحيح', 'INVALID_CODE', 401);
+            return;
+        }
+
+        // Re-issue a full login session after successful 2FA.
+        $stmt = $db->prepare("SELECT email FROM users WHERE id = ?");
+        $stmt->execute([$userId]);
+        $email = $stmt->fetchColumn();
+        if (!$email) {
+            Response::error('المستخدم غير موجود', 'NOT_FOUND', 404);
+            return;
+        }
+
+        Response::json([
+            'success' => true,
+            'data' => ['user_id' => $userId, 'email' => $email],
+            'message' => 'تم التحقق بنجاح'
+        ]);
    }

    public function disable2FA(Request $request): void
    {
+        $password = (string)$request->input('password', '');
+        if ($password === '') {
+            Response::error('كلمة المرور مطلوبة لتعطيل التحقق الثنائي', 'VALIDATION_ERROR', 422);
+            return;
+        }
+
+        $db = \App\Core\Database::getInstance();
+        $stmt = $db->prepare("SELECT password_hash FROM users WHERE id = ?");
+        $stmt->execute([$request->user->user_id]);
+        $hash = $stmt->fetchColumn();
+        if (!$hash || !password_verify($password, (string)$hash)) {
+            Response::error('كلمة المرور غير صحيحة', 'UNAUTHORIZED', 401);
+            return;
+        }
+
        $db = \App\Core\Database::getInstance();
        $stmt = $db->prepare("UPDATE users SET totp_secret = NULL, totp_enabled = 0 WHERE id = ?");
        $stmt->execute([$request->user->user_id]);