Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🚀 مُصادَق: تحديث برمجي جديد 2026-05-03 15:11

Browse Source
This commit is contained in:
Hamza-Ayed
2026-05-03 15:11:34 +03:00
parent 3aeb3220f1
commit 7cd2d91576
23 changed files with 1418 additions and 879 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.env
View File

@@ -17,7 +17,7 @@ REDIS_PORT=6379
REDIS_PASSWORD=
# JWT
JWT_SECRET=super-secret-change-me-in-production
JWT_SECRET=d1351a319dd1843036095c632daee0a44f620355e3b1407cade0614fdcbd7c4c
JWT_ACCESS_EXPIRY=900
JWT_REFRESH_EXPIRY=604800
@@ -42,3 +42,6 @@ MAIL_FROM_NAME="مُصادَق"
# Storage
STORAGE_PATH=/Users/hamzaaleghwairyeen/development/App/musadeq/storage
UPLOAD_MAX_SIZE=20971520
# Encryption
ENCRYPTION_KEY_B64=b++0FeJhnogqslt5OnOq633gduJzDb3itankz/UH++E=

8
.gitignore vendored
View File

@@ -0,0 +1,8 @@
.env
config/secrets.php
storage/invoices/
storage/logs/
storage/exports/
vendor/
scratch.js
describe.php

16
app/Middleware/AuthMiddleware.php
View File

@@ -25,6 +25,22 @@ final class AuthMiddleware
try {
$decoded = $this->jwtService->verifyToken($token);
// Check if JTI is blacklisted
$jti = $decoded['jti'] ?? null;
if ($jti) {
try {
$redis = \App\Core\Redis::getInstance();
if ($redis->exists('jwt_blacklist:' . $jti)) {
Response::error('الجلسة منتهية، يرجى تسجيل الدخول من جديد', 'TOKEN_REVOKED', 401);
return null;
}
} catch (\Throwable $e) {
// Redis down — allow (fail open, log security event)
error_log('[AUTH] JWT blacklist check failed: ' . $e->getMessage());
}
}
$request->user = (object) $decoded;
$request->tenantId = $decoded['tenant_id'] ?? null;
} catch (Exception $e) {

134
app/Modules/Admin/AdminController.php
View File

@@ -1,49 +1,131 @@
<?php
declare(strict_types=1);
namespace App\Modules\Admin;
use App\Core\{Request, Response, Database};
final class AdminController
{
public function getSystemStats(Request $request): void
public function listTenants(Request $request): void
{
// Must be super_admin
if (($request->user->role ?? '') !== 'super_admin') {
Response::error('غير مصرح', 'FORBIDDEN', 403);
$db = Database::getInstance();
$page = max(1, (int)$request->input('page', 1));
$limit = 20;
$offset = ($page - 1) * $limit;
$stmt = $db->prepare("SELECT t.*,
(SELECT COUNT(*) FROM invoices i WHERE i.tenant_id = t.id) as invoices_count,
(SELECT COUNT(*) FROM users u WHERE u.tenant_id = t.id) as users_count
FROM tenants t ORDER BY t.created_at DESC LIMIT {$limit} OFFSET {$offset}");
$stmt->execute();
$tenants = $stmt->fetchAll();
$total = (int)$db->query("SELECT COUNT(*) FROM tenants")->fetchColumn();
Response::json([
'success' => true,
'data' => $tenants,
'meta' => ['total' => $total, 'page' => $page, 'per_page' => $limit]
]);
}
public function getTenant(Request $request, string $id): void
{
$db = Database::getInstance();
$stmt = $db->prepare("SELECT t.*, s.plan, s.max_invoices_per_month, s.invoices_used_this_month
FROM tenants t
LEFT JOIN subscriptions s ON t.id = s.tenant_id
WHERE t.id = ?");
$stmt->execute([$id]);
$tenant = $stmt->fetch();
if (!$tenant) {
Response::error('المستأجر غير موجود', 'NOT_FOUND', 404);
return;
}
Response::json(['success' => true, 'data' => $tenant]);
}
public function updateTenant(Request $request, string $id): void
{
$data = $request->getBody();
$status = $data['status'] ?? null;
if (!in_array($status, ['active', 'suspended', 'trial'])) {
Response::error('حالة غير صالحة', 'VALIDATION_ERROR', 422);
return;
}
$db = Database::getInstance();
$stmt = $db->prepare("UPDATE tenants SET status = ? WHERE id = ?");
$stmt->execute([$status, $id]);
Response::json(['success' => true, 'message' => 'تم تحديث حالة المستأجر بنجاح']);
}
public function getSystemStats(Request $request): void
{
$db = Database::getInstance();
$stmt = $db->prepare("SELECT COUNT(*) as count FROM tenants");
$stmt->execute();
$totalTenants = $stmt->fetch()['count'];
$stats = [
'tenants' => (int)$db->query("SELECT COUNT(*) FROM tenants")->fetchColumn(),
'invoices' => (int)$db->query("SELECT COUNT(*) FROM invoices")->fetchColumn(),
'users' => (int)$db->query("SELECT COUNT(*) FROM users")->fetchColumn(),
'queue_depth' => (int)$db->query("SELECT COUNT(*) FROM queue_jobs WHERE status = 'pending'")->fetchColumn()
];
$stmt = $db->prepare("SELECT COUNT(*) as count FROM invoices");
$stmt->execute();
$totalInvoices = $stmt->fetch()['count'];
Response::json(['success' => true, 'data' => $stats]);
}
// Simple Health Check
$redisHealth = 'ok';
try {
$redis = \App\Core\Redis::getInstance();
$redis->ping();
} catch (\Throwable $e) {
$redisHealth = 'failed';
}
public function getQueueStatus(Request $request): void
{
$db = Database::getInstance();
$stmt = $db->prepare("SELECT status, COUNT(*) as count FROM queue_jobs GROUP BY status");
$stmt->execute();
$counts = $stmt->fetchAll();
$stmt = $db->prepare("SELECT * FROM queue_jobs WHERE status IN ('failed', 'dead') ORDER BY created_at DESC LIMIT 50");
$stmt->execute();
$failedJobs = $stmt->fetchAll();
Response::json([
'success' => true,
'data' => [
'counts' => $counts,
'failed_jobs' => $failedJobs
]
]);
}
public function retryJob(Request $request, string $id): void
{
$db = Database::getInstance();
$stmt = $db->prepare("UPDATE queue_jobs SET status = 'pending', attempts = 0 WHERE id = ? AND status = 'dead'");
$stmt->execute([$id]);
Response::json(['success' => true, 'message' => 'تم إعادة محاولة الوظيفة بنجاح']);
}
public function health(Request $request): void
{
$dbStatus = 'ok';
try { Database::getInstance()->query("SELECT 1"); } catch (\Throwable $e) { $dbStatus = 'error'; }
$redisStatus = 'ok';
try { \App\Core\Redis::getInstance()->ping(); } catch (\Throwable $e) { $redisStatus = 'error'; }
$db = Database::getInstance();
$queuePending = (int)$db->query("SELECT COUNT(*) FROM queue_jobs WHERE status = 'pending'")->fetchColumn();
$queueDead = (int)$db->query("SELECT COUNT(*) FROM queue_jobs WHERE status = 'dead'")->fetchColumn();
Response::json([
'success' => true,
'data' => [
'total_tenants' => $totalTenants,
'total_invoices' => $totalInvoices,
'system_health' => [
'database' => 'ok',
'redis' => $redisHealth
]
'db' => $dbStatus,
'redis' => $redisStatus,
'queue_pending' => $queuePending,
'queue_dead' => $queueDead
]
]);
}

33
app/Modules/ApiKeys/ApiKeyController.php
View File

@@ -1,7 +1,5 @@
<?php
declare(strict_types=1);
namespace App\Modules\ApiKeys;
use App\Core\{Request, Response, Database};
@@ -9,7 +7,7 @@ use Ramsey\Uuid\Uuid;
final class ApiKeyController
{
public function list(Request $request): void
public function index(Request $request): void
{
$tenantId = $request->tenantId;
$db = Database::getInstance();
@@ -25,18 +23,13 @@ final class ApiKeyController
public function create(Request $request): void
{
$tenantId = $request->tenantId;
$userId = $request->user->user_id;
$name = $request->input('name');
if (!$name) {
Response::error('يرجى إدخال اسم المفتاح', 'VALIDATION_ERROR', 422);
return;
}
$userId = $request->user->user_id ?? $request->user->id;
$name = $request->input('name') ?: 'Default Key';
$id = Uuid::uuid4()->toString();
$publicKey = bin2hex(random_bytes(16));
$secretKey = bin2hex(random_bytes(32));
$secretHash = password_hash($secretKey, PASSWORD_BCRYPT);
$secret = bin2hex(random_bytes(32));
$secretHash = password_hash($secret, PASSWORD_BCRYPT);
$db = Database::getInstance();
$stmt = $db->prepare("INSERT INTO api_keys (id, tenant_id, user_id, name, public_key, secret_hash, is_active) VALUES (?, ?, ?, ?, ?, ?, 1)");
@@ -47,8 +40,22 @@ final class ApiKeyController
'message' => 'تم إنشاء مفتاح API بنجاح. يرجى حفظ السر لأنه لن يظهر مرة أخرى.',
'data' => [
'id' => $id,
'key' => "msq_{$publicKey}.{$secretKey}"
'public_key' => $publicKey,
'secret' => $secret
]
], 201);
}
public function revoke(Request $request, string $id): void
{
$tenantId = $request->tenantId;
$db = Database::getInstance();
$stmt = $db->prepare("UPDATE api_keys SET is_active = 0 WHERE id = ? AND tenant_id = ?");
$stmt->execute([$id, $tenantId]);
Response::json([
'success' => true,
'message' => 'تم إلغاء مفتاح API بنجاح'
]);
}
}

10
app/Modules/Auth/AuthService.php
View File

@@ -144,4 +144,14 @@ final class AuthService
return $this->login($data['email'], $data['password']);
}
public function logout(string $jti, int $remaining): void
{
// Blacklist the JTI for its remaining lifetime
try {
$redis = \App\Core\Redis::getInstance();
$redis->setex('jwt_blacklist:' . $jti, max($remaining, 1), '1');
} catch (\Throwable $e) {
error_log('[AUTH] Could not blacklist JTI: ' . $e->getMessage());
}
}
}

52
app/Modules/Dashboard/DashboardController.php
View File

@@ -1,7 +1,5 @@
<?php
declare(strict_types=1);
namespace App\Modules\Dashboard;
use App\Core\{Request, Response, Database};
@@ -15,45 +13,55 @@ final class DashboardController
$assignedCompanyId = $request->user->assigned_company_id ?? null;
$db = Database::getInstance();
$where = "WHERE tenant_id = ?";
$companyScope = '';
$params = [$tenantId];
// Fix: Only accountants should be restricted to a single company if assigned.
// Admins and Super Admins should see all companies in their tenant.
if ($role === 'accountant' && $assignedCompanyId) {
$where .= " AND company_id = ?";
$companyScope = ' AND i.company_id = ?';
$params[] = $assignedCompanyId;
}
// 1. Total Invoices this month
$stmt = $db->prepare("SELECT COUNT(*) as count FROM invoices {$where} AND MONTH(created_at) = MONTH(CURRENT_DATE)");
// Total this month
$stmt = $db->prepare("SELECT COUNT(*) FROM invoices i
WHERE i.tenant_id = ? {$companyScope} AND MONTH(i.created_at) = MONTH(CURDATE()) AND YEAR(i.created_at) = YEAR(CURDATE()) AND i.deleted_at IS NULL");
$stmt->execute($params);
$thisMonth = (int) $stmt->fetch()['count'];
$thisMonth = (int)$stmt->fetchColumn();
// 2. Approved vs Rejected
$stmt = $db->prepare("SELECT status, COUNT(*) as count FROM invoices {$where} GROUP BY status");
// Status distribution
$stmt = $db->prepare("SELECT status, COUNT(*) as count FROM invoices i
WHERE i.tenant_id = ? {$companyScope} AND i.deleted_at IS NULL GROUP BY status");
$stmt->execute($params);
$statusCounts = $stmt->fetchAll();
$statusDistribution = $stmt->fetchAll();
// 3. Recent Activity - Fixed ambiguity
$stmt = $db->prepare("SELECT i.*, c.name as company_name FROM invoices i JOIN companies c ON i.company_id = c.id WHERE i.tenant_id = ? " . ($role === 'accountant' && $assignedCompanyId ? " AND i.company_id = ?" : "") . " ORDER BY i.created_at DESC LIMIT 5");
// Subscription usage
$stmt = $db->prepare("SELECT max_invoices_per_month, invoices_used_this_month FROM subscriptions WHERE tenant_id = ?");
$stmt->execute([$tenantId]);
$sub = $stmt->fetch();
$usagePct = $sub && $sub['max_invoices_per_month'] > 0
? round(($sub['invoices_used_this_month'] / $sub['max_invoices_per_month']) * 100)
: 0;
// Recent invoices
$stmt = $db->prepare("SELECT i.id, i.invoice_number, i.invoice_date, i.grand_total, i.status, i.created_at, c.name as company_name, i.ai_confidence_score
FROM invoices i
JOIN companies c ON i.company_id = c.id
WHERE i.tenant_id = ? {$companyScope} AND i.deleted_at IS NULL
ORDER BY i.created_at DESC LIMIT 10");
$stmt->execute($params);
$recent = $stmt->fetchAll();
// 4. Calculate Subscription Usage
$stmt = $db->prepare("SELECT max_invoices_per_month FROM subscriptions WHERE tenant_id = ?");
// Pending extraction (from queue)
$stmt = $db->prepare("SELECT COUNT(*) FROM queue_jobs WHERE tenant_id = ? AND status = 'pending' AND job_type = 'ExtractInvoiceJob'");
$stmt->execute([$tenantId]);
$sub = $stmt->fetch();
$maxInvoices = (int) ($sub['max_invoices_per_month'] ?? 100);
$usage = $maxInvoices > 0 ? round(($thisMonth / $maxInvoices) * 100, 1) : 0;
$pendingExtraction = (int)$stmt->fetchColumn();
Response::json([
'success' => true,
'data' => [
'total_this_month' => $thisMonth,
'status_distribution' => $statusCounts,
'subscription_usage' => $usagePct,
'status_distribution' => $statusDistribution,
'recent_invoices' => $recent,
'subscription_usage' => $usage
'pending_extraction' => $pendingExtraction
]
]);
}

224
app/Modules/Invoices/InvoiceController.php
View File

@@ -1,19 +1,9 @@
<?php
declare(strict_types=1);
namespace App\Modules\Invoices;
use App\Core\{Request, Response};
use App\Core\{Request, Response, Database};
use App\Services\FileStorageService;
use App\Modules\Invoices\InvoiceModel;
use App\Modules\Invoices\Actions\{
ListInvoicesAction,
UploadInvoiceAction,
GetInvoiceDetailAction,
SubmitInvoiceAction,
DownloadInvoiceFileAction
};
use Throwable;
final class InvoiceController
@@ -23,27 +13,84 @@ final class InvoiceController
private readonly FileStorageService $storage
) {}
public function list(Request $request): void
public function index(Request $request): void
{
try {
$action = new ListInvoicesAction();
$invoices = $action->execute($request->tenantId, $request->user);
Response::json(['success' => true, 'data' => $invoices]);
} catch (Throwable $e) {
Response::error($e->getMessage(), 'LIST_ERROR', (int)($e->getCode() ?: 500));
$tenantId = $request->tenantId;
$role = $request->user->role ?? 'viewer';
$assignedCompanyId = $request->user->assigned_company_id ?? null;
$db = Database::getInstance();
$page = max(1, (int)$request->input('page', 1));
$limit = min(50, max(10, (int)$request->input('per_page', 20)));
$offset = ($page - 1) * $limit;
$companyFilter = $request->input('company_id');
$statusFilter = $request->input('status');
$dateFrom = $request->input('date_from');
$dateTo = $request->input('date_to');
$where = 'WHERE i.tenant_id = ? AND i.deleted_at IS NULL';
$params = [$tenantId];
if ($role === 'accountant' && $assignedCompanyId) {
$where .= ' AND i.company_id = ?';
$params[] = $assignedCompanyId;
} elseif ($companyFilter) {
$where .= ' AND i.company_id = ?';
$params[] = $companyFilter;
}
if ($statusFilter) { $where .= ' AND i.status = ?'; $params[] = $statusFilter; }
if ($dateFrom) { $where .= ' AND i.invoice_date >= ?'; $params[] = $dateFrom; }
if ($dateTo) { $where .= ' AND i.invoice_date <= ?'; $params[] = $dateTo; }
$stmt = $db->prepare("SELECT COUNT(*) FROM invoices i {$where}");
$stmt->execute($params);
$total = (int)$stmt->fetchColumn();
$stmt = $db->prepare("SELECT i.id, i.invoice_number, i.invoice_date, i.grand_total, i.tax_amount,
i.status, i.ai_confidence_score, i.created_at, c.name as company_name
FROM invoices i JOIN companies c ON i.company_id = c.id
{$where} ORDER BY i.created_at DESC LIMIT {$limit} OFFSET {$offset}");
$stmt->execute($params);
$invoices = $stmt->fetchAll();
Response::json([
'success' => true,
'data' => $invoices,
'meta' => ['total' => $total, 'page' => $page, 'per_page' => $limit, 'last_page' => ceil($total / $limit)]
]);
}
public function upload(Request $request): void
{
try {
$action = new UploadInvoiceAction($this->storage, $this->invoiceModel);
$invoiceId = $action->execute(
$request->getFiles(),
(string)$request->input('company_id'),
$request->tenantId,
$request->user
);
$files = $request->getFiles();
if (empty($files['file'])) {
throw new \Exception('يرجى اختيار ملف للفاتورة');
}
$companyId = (string)$request->input('company_id');
if (empty($companyId)) {
throw new \Exception('يرجى اختيار الشركة');
}
$file = $files['file'];
$invoiceId = \Ramsey\Uuid\Uuid::uuid4()->toString();
// Store file
$path = $this->storage->store($file, "invoices/{$request->tenantId}/{$invoiceId}");
// Create record
$this->invoiceModel->create([
'id' => $invoiceId,
'tenant_id' => $request->tenantId,
'company_id' => $companyId,
'original_file_path' => $path,
'status' => 'uploaded'
]);
// Queue extraction and risk analysis
\App\Services\QueueService::push(\queue\Jobs\ExtractInvoiceJob::class, ['invoice_id' => $invoiceId]);
Response::json([
'success' => true,
@@ -55,41 +102,124 @@ final class InvoiceController
}
}
public function detail(Request $request, string $id): void
public function show(Request $request, string $id): void
{
try {
$action = new GetInvoiceDetailAction();
$invoice = $action->execute($id, $request->tenantId, $request->user);
Response::json(['success' => true, 'data' => $invoice]);
} catch (Throwable $e) {
Response::error($e->getMessage(), 'DETAIL_ERROR', (int)($e->getCode() ?: 500));
$tenantId = $request->tenantId;
$db = Database::getInstance();
// Fetch invoice with company name (tenant-scoped)
$stmt = $db->prepare("SELECT i.*, c.name as company_name, c.tax_identification_number as company_tin
FROM invoices i
JOIN companies c ON i.company_id = c.id
WHERE i.id = ? AND i.tenant_id = ? AND i.deleted_at IS NULL");
$stmt->execute([$id, $tenantId]);
$invoice = $stmt->fetch();
if (!$invoice) {
Response::error('الفاتورة غير موجودة', 'NOT_FOUND', 404);
return;
}
// Fetch lines
$stmt = $db->prepare("SELECT * FROM invoice_lines WHERE invoice_id = ? ORDER BY line_number ASC");
$stmt->execute([$id]);
$invoice['lines'] = $stmt->fetchAll();
// Parse JSON fields
if ($invoice['validation_errors']) {
$invoice['validation_errors'] = json_decode($invoice['validation_errors'], true);
}
if ($invoice['jofotara_response']) {
$invoice['jofotara_response'] = json_decode($invoice['jofotara_response'], true);
}
Response::json(['success' => true, 'data' => $invoice]);
}
public function submit(Request $request, string $id): void
{
try {
$action = new SubmitInvoiceAction();
$action->execute($id, $request->tenantId);
Response::json(['success' => true, 'message' => 'Invoice submission queued.']);
$db = Database::getInstance();
$stmt = $db->prepare("SELECT status FROM invoices WHERE id = ? AND tenant_id = ?");
$stmt->execute([$id, $request->tenantId]);
$invoice = $stmt->fetch();
if (!$invoice) {
Response::error('الفاتورة غير موجودة', 'NOT_FOUND', 404);
return;
}
// Update status to submitting
$this->invoiceModel->update($id, ['status' => 'submitting']);
// Queue JoFotara submission
\App\Services\QueueService::push(\queue\Jobs\SubmitJoFotaraJob::class, ['invoice_id' => $id]);
Response::json(['success' => true, 'message' => 'جاري إرسال الفاتورة لنظام فوترة...']);
} catch (Throwable $e) {
Response::error($e->getMessage(), 'SUBMIT_ERROR', (int)($e->getCode() ?: 500));
}
}
public function downloadFile(Request $request, string $id): void
public function serveFile(Request $request, string $id): void
{
try {
$action = new DownloadInvoiceFileAction();
$file = $action->execute($id, $request->tenantId, $request->user);
header("Content-Type: {$file['mime']}");
header("Content-Disposition: inline; filename=\"{$file['name']}\"");
header("Content-Length: " . filesize($file['path']));
readfile($file['path']);
exit;
} catch (Throwable $e) {
Response::error($e->getMessage(), 'DOWNLOAD_ERROR', (int)($e->getCode() ?: 500));
$tenantId = $request->tenantId;
$db = Database::getInstance();
$stmt = $db->prepare("SELECT original_file_path FROM invoices WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
$stmt->execute([$id, $tenantId]);
$invoice = $stmt->fetch();
if (!$invoice || !$invoice['original_file_path']) {
Response::error('الملف غير موجود', 'NOT_FOUND', 404);
return;
}
$filePath = $invoice['original_file_path'];
if (!file_exists($filePath)) {
Response::error('الملف غير موجود على الخادم', 'FILE_NOT_FOUND', 404);
return;
}
// Validate path is within storage directory (security)
$storagePath = realpath($_ENV['STORAGE_PATH'] ?? '/home/intaleqapp-musadeq/storage');
$realPath = realpath($filePath);
if (!$realPath || !str_starts_with($realPath, $storagePath)) {
Response::error('وصول غير مصرح', 'FORBIDDEN', 403);
return;
}
$mimeType = mime_content_type($filePath);
$filename = basename($filePath);
header('Content-Type: ' . $mimeType);
header('Content-Length: ' . filesize($filePath));
header('Content-Disposition: inline; filename="' . $filename . '"');
header('X-Content-Type-Options: nosniff');
readfile($filePath);
exit;
}
public function status(Request $request, string $id): void
{
$stmt = Database::getInstance()->prepare("SELECT id, status, ai_confidence_score, validation_errors FROM invoices WHERE id = ? AND tenant_id = ?");
$stmt->execute([$id, $request->tenantId]);
$invoice = $stmt->fetch();
Response::json(['success' => true, 'data' => $invoice]);
}
public function update(Request $request, string $id): void
{
// Implementation for PUT /api/v1/invoices/{id}
$data = $request->getBody();
$this->invoiceModel->update($id, $data);
Response::json(['success' => true, 'message' => 'تم تحديث الفاتورة بنجاح']);
}
public function destroy(Request $request, string $id): void
{
$this->invoiceModel->delete($id);
Response::json(['success' => true, 'message' => 'تم حذف الفاتورة بنجاح']);
}
}

75
app/Modules/Users/UserController.php
View File

@@ -1,75 +0,0 @@
<?php
declare(strict_types=1);
namespace App\Modules\Users;
use App\Core\{Request, Response};
use App\Modules\Users\UserModel;
final class UserController
{
public function __construct(private readonly UserModel $userModel) {}
public function index(Request $request): void
{
$tenantId = $request->tenantId;
$users = $this->userModel->findAllByTenant($tenantId);
Response::json([
'success' => true,
'data' => $users
]);
}
public function detail(Request $request, string $id): void
{
$tenantId = $request->tenantId;
$user = $this->userModel->findById($id, $tenantId);
if (!$user) {
Response::error('المستخدم غير موجود', 'NOT_FOUND', 404);
return;
}
Response::json([
'success' => true,
'data' => $user
]);
}
public function create(Request $request): void
{
$tenantId = $request->tenantId;
$data = $request->getBody();
if (empty($data['email']) || empty($data['password']) || empty($data['name']) || empty($data['role'])) {
Response::error('جميع الحقول مطلوبة', 'VALIDATION_ERROR', 422);
return;
}
if ($this->userModel->findByEmail($data['email'])) {
Response::error('البريد الإلكتروني مستخدم مسبقاً', 'DUPLICATE_EMAIL', 409);
return;
}
$userId = \Ramsey\Uuid\Uuid::uuid4()->toString();
$this->userModel->create([
'id' => $userId,
'tenant_id' => $tenantId,
'name' => $data['name'],
'email' => $data['email'],
'password_hash' => password_hash($data['password'], PASSWORD_ARGON2ID),
'role' => $data['role'],
'assigned_company_id' => $data['assigned_company_id'] ?? null,
'is_active' => 1
]);
Response::json([
'success' => true,
'message' => 'تم إضافة المستخدم بنجاح',
'data' => ['id' => $userId]
], 201);
}
}

154
app/Modules/Users/UsersController.php Normal file
View File

@@ -0,0 +1,154 @@
<?php
declare(strict_types=1);
namespace App\Modules\Users;
use App\Core\{Request, Response, Database};
use Ramsey\Uuid\Uuid;
final class UsersController
{
public function __construct(private readonly UserModel $userModel) {}
public function list(Request $request): void
{
$tenantId = $request->tenantId;
$users = $this->userModel->findAllByTenant($tenantId);
Response::json([
'success' => true,
'data' => $users
]);
}
public function create(Request $request): void
{
$tenantId = $request->tenantId;
$data = $request->getBody();
if (empty($data['email']) || empty($data['password']) || empty($data['name']) || empty($data['role'])) {
Response::error('جميع الحقول مطلوبة', 'VALIDATION_ERROR', 422);
return;
}
if ($this->userModel->findByEmail($data['email'])) {
Response::error('البريد الإلكتروني مستخدم مسبقاً', 'DUPLICATE_EMAIL', 409);
return;
}
$userId = Uuid::uuid4()->toString();
$this->userModel->create([
'id' => $userId,
'tenant_id' => $tenantId,
'name' => $data['name'],
'email' => $data['email'],
'password_hash' => password_hash($data['password'], PASSWORD_ARGON2ID),
'role' => $data['role'],
'assigned_company_id' => $data['assigned_company_id'] ?? null,
'is_active' => 1
]);
Response::json([
'success' => true,
'message' => 'تم إضافة المستخدم بنجاح',
'data' => ['id' => $userId]
], 201);
}
public function update(Request $request, string $id): void
{
$tenantId = $request->tenantId;
$user = $this->userModel->findById($id, $tenantId);
if (!$user) {
Response::error('المستخدم غير موجود', 'NOT_FOUND', 404);
return;
}
$data = $request->getBody();
$updateData = [];
if (isset($data['name'])) $updateData['name'] = $data['name'];
if (isset($data['role'])) $updateData['role'] = $data['role'];
if (isset($data['is_active'])) $updateData['is_active'] = $data['is_active'];
if (isset($data['assigned_company_id'])) $updateData['assigned_company_id'] = $data['assigned_company_id'];
if (empty($updateData)) {
Response::error('لا توجد بيانات لتحديثها', 'VALIDATION_ERROR', 422);
return;
}
$this->userModel->update($id, $updateData);
Response::json([
'success' => true,
'message' => 'تم تحديث بيانات المستخدم بنجاح'
]);
}
public function destroy(Request $request, string $id): void
{
$tenantId = $request->tenantId;
$user = $this->userModel->findById($id, $tenantId);
if (!$user) {
Response::error('المستخدم غير موجود', 'NOT_FOUND', 404);
return;
}
if ($user['id'] === $request->user->user_id) {
Response::error('لا يمكنك حذف حسابك الشخصي', 'FORBIDDEN', 403);
return;
}
$this->userModel->delete($id);
Response::json([
'success' => true,
'message' => 'تم حذف المستخدم بنجاح'
]);
}
public function updateProfile(Request $request): void
{
$userId = $request->user->user_id;
$data = $request->getBody();
if (empty($data['name'])) {
Response::error('الاسم مطلوب', 'VALIDATION_ERROR', 422);
return;
}
$this->userModel->update($userId, [
'name' => $data['name']
]);
Response::json([
'success' => true,
'message' => 'تم تحديث الملف الشخصي بنجاح'
]);
}
public function changePassword(Request $request): void
{
$userId = $request->user->user_id;
$data = $request->getBody();
if (empty($data['current_password']) || empty($data['new_password'])) {
Response::error('كلمة المرور الحالية والجديدة مطلوبة', 'VALIDATION_ERROR', 422);
return;
}
$user = $this->userModel->find($userId);
if (!password_verify($data['current_password'], $user['password_hash'])) {
Response::error('كلمة المرور الحالية غير صحيحة', 'UNAUTHORIZED', 401);
return;
}
$this->userModel->update($userId, [
'password_hash' => password_hash($data['new_password'], PASSWORD_ARGON2ID)
]);
Response::json([
'success' => true,
'message' => 'تم تغيير كلمة المرور بنجاح'
]);
}
}

43
app/Services/AuditService.php
View File

@@ -1,7 +1,5 @@
<?php
declare(strict_types=1);
namespace App\Services;
use App\Core\Database;
@@ -10,30 +8,33 @@ final class AuditService
{
public static function log(
string $action,
?string $tenantId = null,
?string $userId = null,
?string $entityType = null,
?string $entityId = null,
?array $oldData = null,
?array $newData = null,
?array $metadata = null
): void {
$db = Database::getInstance();
$stmt = $db->prepare("INSERT INTO audit_logs (tenant_id, user_id, action, entity_type, entity_id, old_data, new_data, ip_address, user_agent, metadata) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
// This would be populated from the global Request context
$tenantId = $GLOBALS['current_tenant_id'] ?? null;
$userId = $GLOBALS['current_user_id'] ?? null;
$stmt->execute([
$tenantId,
$userId,
$action,
$entityType,
$entityId,
$oldData ? json_encode($oldData) : null,
$newData ? json_encode($newData) : null,
$_SERVER['REMOTE_ADDR'] ?? null,
$_SERVER['HTTP_USER_AGENT'] ?? null,
$metadata ? json_encode($metadata) : null
]);
try {
$db = Database::getInstance();
$stmt = $db->prepare("INSERT INTO audit_logs
(tenant_id, user_id, action, entity_type, entity_id, old_data, new_data, ip_address, user_agent, metadata, created_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())");
$stmt->execute([
$tenantId,
$userId,
$action,
$entityType,
$entityId,
$oldData ? json_encode($oldData, JSON_UNESCAPED_UNICODE) : null,
$newData ? json_encode($newData, JSON_UNESCAPED_UNICODE) : null,
$_SERVER['REMOTE_ADDR'] ?? null,
$_SERVER['HTTP_USER_AGENT'] ?? null,
$metadata ? json_encode($metadata, JSON_UNESCAPED_UNICODE) : null,
]);
} catch (\Throwable $e) {
error_log('[Audit] Failed: ' . $e->getMessage());
}
}
}

263
app/Services/JoFotara/UBLGeneratorService.php
View File

@@ -1,112 +1,201 @@
<?php
declare(strict_types=1);
namespace App\Services\JoFotara;
/**
* UBLGeneratorService
*
* Generates UBL 2.1 compliant XML for the Jordanian Income and Sales Tax Department (ISTD).
* Based on the JoFotara Technical Specifications.
*/
use DOMDocument;
use DOMElement;
final class UBLGeneratorService
{
public function generate(array $invoice, array $lines, array $company): string
{
$xml = new \SimpleXMLElement('<?xml version="1.0" encoding="UTF-8"?><Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2" xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2" xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"></Invoice>');
$dom = new DOMDocument('1.0', 'UTF-8');
$dom->formatOutput = true;
$root = $dom->createElementNS('urn:oasis:names:specification:ubl:schema:xsd:Invoice-2', 'Invoice');
$root->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:cac', 'urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2');
$root->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:cbc', 'urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2');
$dom->appendChild($root);
// 1. Basic Information
$xml->addChild('cbc:UBLVersionID', '2.1');
$xml->addChild('cbc:CustomizationID', 'TRADACO-2.1');
$xml->addChild('cbc:ProfileID', 'reporting:1.0');
$xml->addChild('cbc:ID', $invoice['invoice_number']);
$xml->addChild('cbc:IssueDate', $invoice['invoice_date']);
$xml->addChild('cbc:InvoiceTypeCode', $invoice['ubl_type_code'] ?? '388')->addAttribute('name', $invoice['invoice_category'] ?? '01');
$xml->addChild('cbc:DocumentCurrencyCode', 'JOD');
$xml->addChild('cbc:TaxCurrencyCode', 'JOD');
// 2. AccountingSupplierParty (The Seller/Company)
$supplier = $xml->addChild('cac:AccountingSupplierParty');
$sParty = $supplier->addChild('cac:Party');
$sParty->addChild('cac:PartyIdentification')->addChild('cbc:ID', $company['tax_identification_number'])->addAttribute('schemeID', 'TN');
$sName = $sParty->addChild('cac:PartyName');
$sName->addChild('cbc:Name', $company['name']);
$root->appendChild($dom->createElement('cbc:UBLVersionID', '2.1'));
$root->appendChild($dom->createElement('cbc:CustomizationID', 'TRADACO-2.1'));
$root->appendChild($dom->createElement('cbc:ProfileID', 'reporting:1.0'));
$root->appendChild($dom->createElement('cbc:ID', $invoice['invoice_number']));
$root->appendChild($dom->createElement('cbc:IssueDate', $invoice['invoice_date']));
$sAddr = $sParty->addChild('cac:PostalAddress');
$sAddr->addChild('cbc:CityName', $company['city'] ?? 'Amman');
$sAddr->addChild('cac:Country')->addChild('cbc:IdentificationCode', 'JO');
$sTaxScheme = $sParty->addChild('cac:PartyTaxScheme');
$sTaxScheme->addChild('cbc:RegistrationName', $company['name']);
$sTaxScheme->addChild('cbc:CompanyID', $company['tax_identification_number']);
$sTaxScheme->addChild('cac:TaxScheme')->addChild('cbc:ID', 'VAT');
$sLegalEntity = $sParty->addChild('cac:PartyLegalEntity');
$sLegalEntity->addChild('cbc:RegistrationName', $company['name']);
$sLegalEntity->addChild('cbc:CompanyID', $company['tax_identification_number']);
// 3. AccountingCustomerParty (The Buyer)
$customer = $xml->addChild('cac:AccountingCustomerParty');
$cParty = $customer->addChild('cac:Party');
$typeCode = $dom->createElement('cbc:InvoiceTypeCode', $invoice['ubl_type_code'] ?? '388');
$typeCode->setAttribute('name', $invoice['invoice_category'] ?? '01');
$root->appendChild($typeCode);
if (!empty($invoice['buyer_tin'])) {
$cParty->addChild('cac:PartyIdentification')->addChild('cbc:ID', $invoice['buyer_tin'])->addAttribute('schemeID', 'TN');
} elseif (!empty($invoice['buyer_national_id'])) {
$cParty->addChild('cac:PartyIdentification')->addChild('cbc:ID', $invoice['buyer_national_id'])->addAttribute('schemeID', 'NID');
$root->appendChild($dom->createElement('cbc:DocumentCurrencyCode', 'JOD'));
$root->appendChild($dom->createElement('cbc:TaxCurrencyCode', 'JOD'));
// 2. AccountingSupplierParty
$supplierParty = $dom->createElement('cac:AccountingSupplierParty');
$party = $dom->createElement('cac:Party');
$partyId = $dom->createElement('cac:PartyIdentification');
$id = $dom->createElement('cbc:ID', $company['tax_identification_number']);
$id->setAttribute('schemeID', 'TN');
$partyId->appendChild($id);
$party->appendChild($partyId);
$partyName = $dom->createElement('cac:PartyName');
$partyName->appendChild($dom->createElement('cbc:Name', $company['name']));
$party->appendChild($partyName);
$postalAddr = $dom->createElement('cac:PostalAddress');
$postalAddr->appendChild($dom->createElement('cbc:CityName', $company['city'] ?? 'Amman'));
$country = $dom->createElement('cac:Country');
$country->appendChild($dom->createElement('cbc:IdentificationCode', 'JO'));
$postalAddr->appendChild($country);
$party->appendChild($postalAddr);
$taxScheme = $dom->createElement('cac:PartyTaxScheme');
$taxScheme->appendChild($dom->createElement('cbc:RegistrationName', $company['name']));
$taxScheme->appendChild($dom->createElement('cbc:CompanyID', $company['tax_identification_number']));
$ts = $dom->createElement('cac:TaxScheme');
$ts->appendChild($dom->createElement('cbc:ID', 'VAT'));
$taxScheme->appendChild($ts);
$party->appendChild($taxScheme);
$legalEntity = $dom->createElement('cac:PartyLegalEntity');
$legalEntity->appendChild($dom->createElement('cbc:RegistrationName', $company['name']));
$legalEntity->appendChild($dom->createElement('cbc:CompanyID', $company['tax_identification_number']));
$party->appendChild($legalEntity);
$supplierParty->appendChild($party);
$root->appendChild($supplierParty);
// 3. AccountingCustomerParty
$customerParty = $dom->createElement('cac:AccountingCustomerParty');
$cparty = $dom->createElement('cac:Party');
if (!empty($invoice['buyer_tin']) || !empty($invoice['buyer_national_id'])) {
$cpartyId = $dom->createElement('cac:PartyIdentification');
$cid = $dom->createElement('cbc:ID', $invoice['buyer_tin'] ?: $invoice['buyer_national_id']);
$cid->setAttribute('schemeID', $invoice['buyer_tin'] ? 'TN' : 'NID');
$cpartyId->appendChild($cid);
$cparty->appendChild($cpartyId);
}
$cName = $cParty->addChild('cac:PartyName');
$cName->addChild('cbc:Name', $invoice['buyer_name'] ?? 'General Customer');
$cTaxScheme = $cParty->addChild('cac:PartyTaxScheme');
$cTaxScheme->addChild('cac:TaxScheme')->addChild('cbc:ID', 'VAT');
$cpartyName = $dom->createElement('cac:PartyName');
$cpartyName->appendChild($dom->createElement('cbc:Name', $invoice['buyer_name'] ?? 'General Customer'));
$cparty->appendChild($cpartyName);
$ctaxScheme = $dom->createElement('cac:PartyTaxScheme');
$cts = $dom->createElement('cac:TaxScheme');
$cts->appendChild($dom->createElement('cbc:ID', 'VAT'));
$ctaxScheme->appendChild($cts);
$cparty->appendChild($ctaxScheme);
$customerParty->appendChild($cparty);
$root->appendChild($customerParty);
// 4. PaymentMeans
$payment = $xml->addChild('cac:PaymentMeans');
$payment->addChild('cbc:PaymentMeansCode', $invoice['payment_method_code'] ?? '10');
$paymentMeans = $dom->createElement('cac:PaymentMeans');
$paymentMeans->appendChild($dom->createElement('cbc:PaymentMeansCode', $invoice['payment_method_code'] ?? '013'));
$root->appendChild($paymentMeans);
// 5. TaxTotal
$taxTotal = $xml->addChild('cac:TaxTotal');
$taxTotal->addChild('cbc:TaxAmount', number_format((float)$invoice['tax_amount'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$taxTotal = $dom->createElement('cac:TaxTotal');
$taxAmt = $dom->createElement('cbc:TaxAmount', number_format((float)$invoice['tax_amount'], 3, '.', ''));
$taxAmt->setAttribute('currencyID', 'JOD');
$taxTotal->appendChild($taxAmt);
$taxSubtotal = $taxTotal->addChild('cac:TaxSubtotal');
$taxSubtotal->addChild('cbc:TaxableAmount', number_format((float)$invoice['subtotal'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$taxSubtotal->addChild('cbc:TaxAmount', number_format((float)$invoice['tax_amount'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$taxCategory = $taxSubtotal->addChild('cac:TaxCategory');
$taxCategory->addChild('cbc:ID', 'S');
$taxCategory->addChild('cbc:Percent', '16.00'); // Default Jordan VAT
$taxCategory->addChild('cac:TaxScheme')->addChild('cbc:ID', 'VAT');
// 6. LegalMonetaryTotal
$legalMonetaryTotal = $xml->addChild('cac:LegalMonetaryTotal');
$legalMonetaryTotal->addChild('cbc:LineExtensionAmount', number_format((float)$invoice['subtotal'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$legalMonetaryTotal->addChild('cbc:TaxExclusiveAmount', number_format((float)$invoice['subtotal'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$legalMonetaryTotal->addChild('cbc:TaxInclusiveAmount', number_format((float)$invoice['grand_total'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$legalMonetaryTotal->addChild('cbc:AllowanceTotalAmount', number_format((float)($invoice['discount_total'] ?? 0), 3, '.', ''))->addAttribute('currencyID', 'JOD');
$legalMonetaryTotal->addChild('cbc:PayableAmount', number_format((float)$invoice['grand_total'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
// 7. Invoice Lines
// Group lines by tax rate
$taxGroups = [];
foreach ($lines as $line) {
$invoiceLine = $xml->addChild('cac:InvoiceLine');
$invoiceLine->addChild('cbc:ID', (string)$line['line_number']);
$invoiceLine->addChild('cbc:InvoicedQuantity', number_format((float)$line['quantity'], 3, '.', ''))->addAttribute('unitCode', 'PCE');
$invoiceLine->addChild('cbc:LineExtensionAmount', number_format((float)$line['line_total'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$item = $invoiceLine->addChild('cac:Item');
$item->addChild('cbc:Description', $line['description']);
$itemTaxCategory = $item->addChild('cac:TaxCategory');
$itemTaxCategory->addChild('cbc:ID', 'S');
$itemTaxCategory->addChild('cbc:Percent', '16.00');
$itemTaxCategory->addChild('cac:TaxScheme')->addChild('cbc:ID', 'VAT');
$price = $invoiceLine->addChild('cac:Price');
$price->addChild('cbc:PriceAmount', number_format((float)$line['unit_price'], 3, '.', ''))->addAttribute('currencyID', 'JOD');
$rate = number_format((float)$line['tax_rate'], 2, '.', '');
if (!isset($taxGroups[$rate])) {
$taxGroups[$rate] = ['taxable' => 0, 'tax' => 0];
}
$taxGroups[$rate]['taxable'] += ($line['quantity'] * $line['unit_price']) - $line['discount'];
$taxGroups[$rate]['tax'] += $line['tax_amount'];
}
foreach ($taxGroups as $rate => $data) {
$taxSubtotal = $dom->createElement('cac:TaxSubtotal');
$subtaxable = $dom->createElement('cbc:TaxableAmount', number_format($data['taxable'], 3, '.', ''));
$subtaxable->setAttribute('currencyID', 'JOD');
$taxSubtotal->appendChild($subtaxable);
$subtaxamt = $dom->createElement('cbc:TaxAmount', number_format($data['tax'], 3, '.', ''));
$subtaxamt->setAttribute('currencyID', 'JOD');
$taxSubtotal->appendChild($subtaxamt);
$taxCategory = $dom->createElement('cac:TaxCategory');
$taxCategory->appendChild($dom->createElement('cbc:ID', 'S'));
$taxCategory->appendChild($dom->createElement('cbc:Percent', number_format((float)$rate * 100, 2, '.', '')));
$tcs = $dom->createElement('cac:TaxScheme');
$tcs->appendChild($dom->createElement('cbc:ID', 'VAT'));
$taxCategory->appendChild($tcs);
$taxSubtotal->appendChild($taxCategory);
$taxTotal->appendChild($taxSubtotal);
}
$root->appendChild($taxTotal);
// 6. LegalMonetaryTotal
$lmt = $dom->createElement('cac:LegalMonetaryTotal');
$fields = [
'LineExtensionAmount' => $invoice['subtotal'] - $invoice['discount_total'],
'TaxExclusiveAmount' => $invoice['subtotal'] - $invoice['discount_total'],
'TaxInclusiveAmount' => $invoice['grand_total'],
'AllowanceTotalAmount' => $invoice['discount_total'],
'PayableAmount' => $invoice['grand_total']
];
foreach ($fields as $field => $value) {
$f = $dom->createElement('cbc:' . $field, number_format((float)$value, 3, '.', ''));
$f->setAttribute('currencyID', 'JOD');
$lmt->appendChild($f);
}
$root->appendChild($lmt);
// 7. InvoiceLine
foreach ($lines as $line) {
$invLine = $dom->createElement('cac:InvoiceLine');
$invLine->appendChild($dom->createElement('cbc:ID', (string)$line['line_number']));
$qty = $dom->createElement('cbc:InvoicedQuantity', number_format((float)$line['quantity'], 3, '.', ''));
$qty->setAttribute('unitCode', 'PCE');
$invLine->appendChild($qty);
$lineExt = $dom->createElement('cbc:LineExtensionAmount', number_format($line['line_total'], 3, '.', ''));
$lineExt->setAttribute('currencyID', 'JOD');
$invLine->appendChild($lineExt);
// Line Tax
$lineTax = $dom->createElement('cac:TaxTotal');
$ltaxAmt = $dom->createElement('cbc:TaxAmount', number_format((float)$line['tax_amount'], 3, '.', ''));
$ltaxAmt->setAttribute('currencyID', 'JOD');
$lineTax->appendChild($ltaxAmt);
$invLine->appendChild($lineTax);
$item = $dom->createElement('cac:Item');
$item->appendChild($dom->createElement('cbc:Description', $line['description']));
$itc = $dom->createElement('cac:TaxCategory');
$itc->appendChild($dom->createElement('cbc:ID', 'S'));
$itc->appendChild($dom->createElement('cbc:Percent', number_format((float)$line['tax_rate'] * 100, 2, '.', '')));
$its = $dom->createElement('cac:TaxScheme');
$its->appendChild($dom->createElement('cbc:ID', 'VAT'));
$itc->appendChild($its);
$item->appendChild($itc);
$invLine->appendChild($item);
$price = $dom->createElement('cac:Price');
$pamt = $dom->createElement('cbc:PriceAmount', number_format((float)$line['unit_price'], 3, '.', ''));
$pamt->setAttribute('currencyID', 'JOD');
$price->appendChild($pamt);
$invLine->appendChild($price);
$root->appendChild($invLine);
}
// Return formatted XML
$dom = dom_import_simplexml($xml)->ownerDocument;
$dom->formatOutput = true;
return $dom->saveXML();
}
}

58
app/Services/Security/EncryptionService.php
View File

@@ -1,10 +1,8 @@
<?php
declare(strict_types=1);
namespace App\Services\Security;
use Exception;
use RuntimeException;
final class EncryptionService
{
@@ -13,50 +11,36 @@ final class EncryptionService
public function __construct()
{
// Load encryption key from secrets config
$secrets = require __DIR__ . '/../../../config/secrets.php';
$this->key = $secrets['encryption_key'] ?? '';
// Load from config/secrets.php — NEVER from .env directly
$secrets = require dirname(__DIR__, 3) . '/config/secrets.php';
$key = $secrets['encryption_key'] ?? '';
// Ensure key is hexadecimal and convert to binary (32 bytes)
if (strlen($this->key) === 64) {
$this->key = hex2bin($this->key);
}
if (strlen($this->key) !== 32) {
throw new Exception("Security Error: Invalid ENCRYPTION_KEY length. Must be 32 bytes.");
if (strlen($key) !== 32) {
throw new RuntimeException(
'ENCRYPTION_KEY_B64 not set or invalid. ' .
'Generate: php -r "echo base64_encode(random_bytes(32));"'
);
}
$this->key = $key;
}
public function encrypt(string $plaintext): string
{
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length(self::METHOD));
$ciphertext = openssl_encrypt($plaintext, self::METHOD, $this->key, 0, $iv, $tag);
if ($ciphertext === false) {
throw new Exception("Encryption failed.");
}
$iv = random_bytes(12); // 12 bytes for GCM
$tag = '';
$ciphertext = openssl_encrypt($plaintext, self::METHOD, $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
if ($ciphertext === false) throw new RuntimeException('Encryption failed');
return base64_encode($iv) . ':' . base64_encode($ciphertext) . ':' . base64_encode($tag);
}
public function decrypt(string $encryptedData): string
public function decrypt(string $data): string
{
$parts = explode(':', $encryptedData);
if (count($parts) !== 3) {
throw new Exception("Invalid encrypted data format.");
}
[$ivBase64, $ciphertextBase64, $tagBase64] = $parts;
$iv = base64_decode($ivBase64);
$ciphertext = base64_decode($ciphertextBase64);
$tag = base64_decode($tagBase64);
$plaintext = openssl_decrypt($ciphertext, self::METHOD, $this->key, 0, $iv, $tag);
if ($plaintext === false) {
throw new Exception("Decryption failed.");
}
[$iv64, $ct64, $tag64] = explode(':', $data);
$plaintext = openssl_decrypt(
base64_decode($ct64), self::METHOD, $this->key,
OPENSSL_RAW_DATA, base64_decode($iv64), base64_decode($tag64)
);
if ($plaintext === false) throw new RuntimeException('Decryption failed');
return $plaintext;
}
}

44
app/Services/Security/HmacService.php
View File

@@ -11,35 +11,29 @@ final class HmacService
/**
* Verify HMAC signature for external API requests (Flutter)
*/
public function verify(
string $secret,
string $method,
string $path,
string $timestamp,
string $nonce,
string $body,
string $providedSignature
): bool {
// 1. Check timestamp (within 5 minutes)
if (abs(time() - (int)$timestamp) > 300) {
return false;
public function verify(string $secret, string $method, string $path,
string $timestamp, string $nonce, string $body, string $signature): bool
{
// 1. Timestamp window (±5 minutes)
if (abs(time() - (int)$timestamp) > 300) return false;
// 2. Nonce replay protection
try {
$redis = \App\Core\Redis::getInstance();
$nonceKey = 'hmac_nonce:' . $nonce;
if ($redis->exists($nonceKey)) return false; // Replay attack
$redis->setex($nonceKey, 600, '1'); // TTL 10 minutes
} catch (\Throwable $e) {
// Redis unavailable — log but don't fail (degrade gracefully)
error_log('[HMAC] Redis unavailable for nonce check: ' . $e->getMessage());
}
// 2. Replay protection using Nonce in Redis
// Note: Redis::getInstance() would be used here
// If nonce exists, reject
// 3. Calculate Signature
// 3. Build & compare signature
$bodyHash = hash('sha256', $body);
$stringToSign = strtoupper($method) . "\n" .
$path . "\n" .
$timestamp . "\n" .
$nonce . "\n" .
$bodyHash;
$stringToSign = strtoupper($method) . "\n" . $path . "\n" . $timestamp . "\n" . $nonce . "\n" . $bodyHash;
$calculated = hash_hmac('sha256', $stringToSign, $secret);
$calculatedSignature = hash_hmac('sha256', $stringToSign, $secret);
return hash_equals($calculatedSignature, $providedSignature);
return hash_equals($calculated, $signature);
}
public function sign(string $secret, string $method, string $path, string $timestamp, string $nonce, string $body): string

17
app/Services/TaxValidationService.php
View File

@@ -50,11 +50,18 @@ final class TaxValidationService
$errors[] = ['code' => 'RULE_006', 'message_ar' => 'يجب تزويد الرقم الضريبي أو الوطني للمشتري للفواتير التي تتجاوز 10,000 دينار'];
}
// Rule 007: Discount integrity
$expectedSubtotal = $invoice['subtotal'] - $invoice['discount_total'];
// This is a simplified check for Rule 007
if ($expectedSubtotal < 0) {
$errors[] = ['code' => 'RULE_007', 'message_ar' => 'إجمالي الخصم لا يمكن أن يتجاوز المجموع الفرعي'];
// Rule 007: Discount integrity — subtotal - discount = Σ(line totals before tax)
$lineSumBeforeTax = array_sum(array_map(
fn($l) => round(($l['quantity'] * $l['unit_price']) - ($l['discount'] ?? 0), 3),
$lines
));
$expected = round($invoice['subtotal'] - $invoice['discount_total'], 3);
if (abs($expected - $lineSumBeforeTax) > 0.01) {
$errors[] = [
'code' => 'RULE_007',
'message_ar' => "خطأ في حساب الخصومات: المتوقع {$expected} JOD، المحسوب {$lineSumBeforeTax} JOD",
'message_en' => "Discount integrity error"
];
}
return [

14
config/secrets.php
View File

@@ -1,13 +1,7 @@
<?php
// ⚠️ This file must NEVER be committed to Git
// Add to .gitignore: config/secrets.php
return [
/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
| This key is used by the EncryptionService to secure sensitive data like
| JoFotara credentials. It MUST be 32 bytes (256 bits) long.
|
*/
'encryption_key' => '8f9e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8', // Default for dev, should be unique per install
// Generate with: php -r "echo base64_encode(random_bytes(32));"
'encryption_key' => base64_decode($_ENV['ENCRYPTION_KEY_B64'] ?? ''),
];

12
database/migrations/005_notifications.sql Normal file
View File

@@ -0,0 +1,12 @@
CREATE TABLE IF NOT EXISTS notifications (
id CHAR(36) NOT NULL DEFAULT (UUID()),
user_id CHAR(36) NOT NULL,
title VARCHAR(255) NOT NULL,
message TEXT NOT NULL,
type ENUM('info','success','warning','error') NOT NULL DEFAULT 'info',
is_read TINYINT(1) NOT NULL DEFAULT 0,
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (id),
INDEX idx_notif_user (user_id),
CONSTRAINT fk_notif_user FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

26
database/seed.sql
View File

@@ -1,26 +0,0 @@
-- ─── Initial Super Admin Seed ──────────────────────────────
-- Default Password: admin123 (Please change after first login)
INSERT INTO tenants (id, name, email, status)
VALUES ('d0e4e4e4-e4e4-4e4e-ae4e-e4e4e4e4e4e4', 'Musadaq Admin', 'admin@musadaq.app', 'active');
INSERT INTO users (id, tenant_id, name, email, password_hash, role, is_active)
VALUES (
'u0e4e4e4-e4e4-4e4e-ae4e-e4e4e4e4e4e4',
'd0e4e4e4-e4e4-4e4e-ae4e-e4e4e4e4e4e4',
'Super Admin',
'admin@musadaq.app',
'$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi', -- Default: 'password'
'super_admin',
1
);
INSERT INTO subscriptions (tenant_id, plan, max_companies, max_invoices_per_month, max_users, status)
VALUES (
'd0e4e4e4-e4e4-4e4e-ae4e-e4e4e4e4e4e4',
'pro',
999,
9999,
99,
'active'
);

57
public/index.php
View File

@@ -19,6 +19,10 @@ $router->addRoute('GET', '/api/v1/auth/me', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [AuthController::class, 'me']
]);
$router->addRoute('POST', '/api/v1/auth/logout', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [AuthController::class, 'logout']
]);
$router->addRoute('POST', '/api/v1/auth/2fa/enable', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [AuthController::class, 'enable2FA']
@@ -49,17 +53,21 @@ $router->addRoute('POST', '/api/v1/companies/{id}/jofotara', [
// ══ User Routes ══════════════════════════════════════════════
$router->addRoute('GET', '/api/v1/users', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Users\UserController::class, 'index']
'handler' => [\App\Modules\Users\UsersController::class, 'index']
]);
$router->addRoute('POST', '/api/v1/users', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Users\UserController::class, 'create']
'handler' => [\App\Modules\Users\UsersController::class, 'create']
]);
$router->addRoute('DELETE', '/api/v1/users/{id}', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Users\UsersController::class, 'delete']
]);
// ══ Invoice Routes ═══════════════════════════════════════════
$router->addRoute('GET', '/api/v1/invoices', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'list']
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'index']
]);
$router->addRoute('POST', '/api/v1/invoices/upload', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
@@ -67,38 +75,33 @@ $router->addRoute('POST', '/api/v1/invoices/upload', [
]);
$router->addRoute('GET', '/api/v1/invoices/{id}', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'detail']
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'show']
]);
$router->addRoute('GET', '/api/v1/invoices/{id}/status', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'status']
]);
$router->addRoute('POST', '/api/v1/invoices/{id}/submit', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'submit']
]);
$router->addRoute('GET', '/api/v1/invoices/{id}/file', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'downloadFile']
]);
// ══ Subscriptions ═════════════════════════════════════════════════
$router->addRoute('GET', '/api/v1/subscriptions/me', [
'middleware' => [\App\Middleware\AuthMiddleware::class, \App\Middleware\TenantMiddleware::class],
'handler' => [\App\Modules\Subscriptions\SubscriptionController::class, 'me']
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'serveFile']
]);
// ══ API Keys ═══════════════════════════════════════════════════
$router->addRoute('GET', '/api/v1/api-keys', [
'middleware' => [\App\Middleware\AuthMiddleware::class, \App\Middleware\TenantMiddleware::class],
'handler' => [\App\Modules\ApiKeys\ApiKeyController::class, 'list']
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\ApiKeys\ApiKeyController::class, 'index']
]);
$router->addRoute('POST', '/api/v1/api-keys', [
'middleware' => [\App\Middleware\AuthMiddleware::class, \App\Middleware\TenantMiddleware::class],
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\ApiKeys\ApiKeyController::class, 'create']
]);
// ══ External API (HMAC) ══════════════════════════════════════
$router->addRoute('POST', '/api/v1/external/invoices/upload', [
'middleware' => [\App\Middleware\HmacMiddleware::class],
'handler' => [\App\Modules\Invoices\InvoiceController::class, 'upload']
$router->addRoute('DELETE', '/api/v1/api-keys/{id}', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\ApiKeys\ApiKeyController::class, 'revoke']
]);
// ══ Dashboard ════════════════════════════════════════════════
@@ -107,11 +110,23 @@ $router->addRoute('GET', '/api/v1/dashboard', [
'handler' => [\App\Modules\Dashboard\DashboardController::class, 'getStats']
]);
// ══ Super Admin ══════════════════════════════════════════════
// ══ Admin (Super Admin only) ══════════════════════════════════
$router->addRoute('GET', '/api/v1/admin/tenants', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Admin\AdminController::class, 'listTenants']
]);
$router->addRoute('GET', '/api/v1/admin/stats', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Admin\AdminController::class, 'getSystemStats']
]);
$router->addRoute('GET', '/api/v1/admin/health', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Admin\AdminController::class, 'health']
]);
$router->addRoute('GET', '/api/v1/admin/queue', [
'middleware' => [\App\Middleware\AuthMiddleware::class],
'handler' => [\App\Modules\Admin\AdminController::class, 'getQueueStatus']
]);
// ══ Health Check ═════════════════════════════════════════════
$router->addRoute('GET', '/api/v1/health', function($request) {

966
public/shell.php
View File

File diff suppressed because it is too large Load Diff

49
queue/Jobs/ExtractInvoiceJob.php
View File

@@ -18,8 +18,17 @@ final class ExtractInvoiceJob
public function handle(array $payload): void
{
$invoiceId = $payload['invoice_id'];
$filePath = $payload['file_path'];
$mimeType = $payload['mime_type'];
// Fetch invoice details if not in payload
$db = \App\Core\Database::getInstance();
$stmt = $db->prepare("SELECT original_file_path FROM invoices WHERE id = ?");
$stmt->execute([$invoiceId]);
$invoice = $stmt->fetch();
if (!$invoice) return;
$filePath = $invoice['original_file_path'];
$mimeType = mime_content_type($filePath);
// Update status to extracting
$this->invoiceModel->update($invoiceId, ['status' => 'extracting']);
@@ -27,17 +36,43 @@ final class ExtractInvoiceJob
try {
$extractedData = $this->aiExtraction->extractInvoiceData($filePath, $mimeType);
// Map AI data to schema columns if needed, or just store in ai_raw_response
// Fix mapping:
$this->invoiceModel->update($invoiceId, [
'status' => 'extracted',
'invoice_number' => $extractedData['invoice_number'] ?? null,
'invoice_date' => $extractedData['invoice_date'] ?? null,
'grand_total' => $extractedData['total_amount'] ?? 0,
'supplier_name' => $extractedData['supplier_name'] ?? null,
'supplier_tin' => $extractedData['supplier_tin'] ?? null,
'buyer_name' => $extractedData['buyer_name'] ?? null,
'buyer_tin' => $extractedData['buyer_tin'] ?? null,
'subtotal' => $extractedData['subtotal'] ?? 0,
'tax_amount' => $extractedData['tax_amount'] ?? 0,
'supplier_name' => $extractedData['vendor_name'] ?? null,
'supplier_tin' => $extractedData['vendor_tax_number'] ?? null,
'ai_raw_response' => json_encode($extractedData, JSON_UNESCAPED_UNICODE)
'discount_total' => $extractedData['discount_total'] ?? 0,
'grand_total' => $extractedData['grand_total'] ?? 0,
'ai_confidence_score' => $extractedData['confidence'] ?? null,
'ai_provider' => $extractedData['provider'] ?? 'gemini',
'ai_raw_response' => json_encode($extractedData, JSON_UNESCAPED_UNICODE),
]);
// Also insert invoice_lines:
if (!empty($extractedData['lines'])) {
$db = \App\Core\Database::getInstance();
$db->prepare("DELETE FROM invoice_lines WHERE invoice_id = ?")->execute([$invoiceId]);
foreach ($extractedData['lines'] as $i => $line) {
$db->prepare("INSERT INTO invoice_lines (id, invoice_id, line_number, description, quantity, unit_price, discount, tax_rate, tax_amount, line_total) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
->execute([
\Ramsey\Uuid\Uuid::uuid4()->toString(),
$invoiceId, $i + 1,
$line['description'] ?? '',
$line['quantity'] ?? 1,
$line['unit_price'] ?? 0,
$line['discount'] ?? 0,
$line['tax_rate'] ?? 0.16,
$line['tax_amount'] ?? 0,
$line['line_total'] ?? 0,
]);
}
}
} catch (Throwable $e) {
$this->invoiceModel->update($invoiceId, [
'status' => 'validation_failed'

33
queue/Jobs/RiskAnalysisJob.php
View File

@@ -25,30 +25,15 @@ final class RiskAnalysisJob
// Store or update risk score
$db = Database::getInstance();
$stmt = $db->prepare("SELECT id FROM risk_scores WHERE company_id = ? LIMIT 1");
$stmt->execute([$companyId]);
$existing = $stmt->fetch();
if ($existing) {
$stmt = $db->prepare("UPDATE risk_scores SET risk_level = ?, score = ?, factors = ?, calculated_at = NOW() WHERE company_id = ?");
$stmt->execute([
$analysis['level'],
$analysis['score'],
json_encode($analysis['factors'], JSON_UNESCAPED_UNICODE),
$companyId
]);
} else {
$stmt = $db->prepare("INSERT INTO risk_scores (id, tenant_id, company_id, risk_type, risk_level, score, factors, calculated_at) VALUES (?, ?, ?, ?, ?, ?, ?, NOW())");
$stmt->execute([
\Ramsey\Uuid\Uuid::uuid4()->toString(),
$tenantId,
$companyId,
'overall_company_risk', // risk_type is required
$analysis['level'],
$analysis['score'],
json_encode($analysis['factors'], JSON_UNESCAPED_UNICODE)
]);
}
$stmt = $db->prepare("INSERT INTO risk_scores (id, tenant_id, company_id, risk_type, score, reason) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->execute([
\Ramsey\Uuid\Uuid::uuid4()->toString(),
$tenantId,
$companyId,
$analysis['level'], // risk_type = high/medium/low
$analysis['score'],
json_encode($analysis['factors'], JSON_UNESCAPED_UNICODE), // reason
]);
} catch (Throwable $e) {
echo "[!] Risk Analysis failed for company {$companyId}: " . $e->getMessage() . "\n";
throw $e;

4
queue/worker.php
View File

@@ -29,21 +29,25 @@ while ($keepRunning) {
$container = $app->getContainer();
switch($job['type']) {
case 'ExtractInvoiceJob':
case 'invoice_extraction':
$handler = $container->get(\Queue\Jobs\ExtractInvoiceJob::class);
$handler->handle($job['payload']);
break;
case 'SubmitJoFotaraJob':
case 'submit_jofotara':
$handler = $container->get(\Queue\Jobs\SubmitJoFotaraJob::class);
$handler->handle($job['payload']);
break;
case 'RiskAnalysisJob':
case 'risk_analysis':
$handler = $container->get(\Queue\Jobs\RiskAnalysisJob::class);
$handler->handle($job['payload']);
break;
case 'SendNotificationJob':
case 'send_notification':
$handler = $container->get(\Queue\Jobs\SendNotificationJob::class);
$handler->handle($job['payload']);