Security Hardening: Phase 1-3 complete

- C1: Hash refresh tokens before DB storage (sha256)
- C2: Remove JWT_SECRET fallback, fail hard if missing
- H1: Enforce HTTP methods per route (405 on mismatch)
- H2: CORS with origin whitelist from CORS_ORIGIN env var
- H3: Redact sensitive fields (tokens, passwords) from logs
- M1: Build HmacMiddleware with replay attack prevention
- M2: Fix rate limiter race condition with flock LOCK_EX
- M3: Guard dd() — suppressed in production
- M4: Remove .env from git tracking, strengthen .gitignore
- I1: Add HSTS header (max-age=31536000)

app/modules_app/auth/login.php

@@ -39,7 +39,11 @@ if (!$user || !password_verify($password, $user['password_hash'])) {
 }
 
 // 3. Issue Token
-$secret = env('JWT_SECRET', 'super-secret-key');
+$secret = env('JWT_SECRET');
+if (!$secret || strlen($secret) < 32) {
+    error_log('FATAL: JWT_SECRET is missing or too short in .env');
+    json_error('Server configuration error', 500);
+}
 $payload = [
     'user_id' => $user['id'],
     'role'    => $user['role'],
@@ -48,10 +52,11 @@ $payload = [
 
 $token = JWT::encode($payload, $secret);
 
-// 4. Update Refresh Token (Simple stored in DB as requested)
+// 4. Update Refresh Token (Hashed before storage for security)
 $refreshToken = bin2hex(random_bytes(32));
+$refreshTokenHash = hash('sha256', $refreshToken);
 $stmt = $db->prepare("UPDATE users SET refresh_token_hash = ? WHERE id = ?");
-$stmt->execute([$refreshToken, $user['id']]);
+$stmt->execute([$refreshTokenHash, $user['id']]);
 
 json_success([
     'access_token'  => $token,