Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update: 2026-05-06 01:38:39

Browse Source
This commit is contained in:
Hamza-Ayed
2026-05-06 01:38:39 +03:00
parent c63d9944ee
commit 97ff911751
13 changed files with 2170 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
app/modules_app/auth/mobile_request_otp.php Normal file
View File

@@ -0,0 +1,137 @@
<?php
/**
* Mobile OTP Request Endpoint
* POST /v1/auth/mobile/request-otp
*
* Sends an OTP to the user's registered phone number.
* The phone must already be registered by an admin in the web dashboard.
*/
declare(strict_types=1);
use App\Core\Database;
use App\Core\Validator;
use App\Core\Security;
use App\Middleware\RateLimitMiddleware;
// Rate limit: 3 OTP requests per minute per IP
RateLimitMiddleware::check(3, 60);
$data = Security::sanitize(input());
// 1. Validate
$errors = Validator::validate($data, [
'phone' => 'required',
]);
if ($errors) {
json_error('رقم الهاتف مطلوب', 422, $errors);
}
$phone = preg_replace('/[^0-9+]/', '', $data['phone']);
$phoneHash = hash('sha256', $phone);
// 2. Find user by phone hash
$db = Database::getInstance();
$stmt = $db->prepare("SELECT id, tenant_id, name, is_active FROM users WHERE phone_hash = ? LIMIT 1");
$stmt->execute([$phoneHash]);
$user = $stmt->fetch();
if (!$user) {
// Don't reveal if phone exists — generic message
json_success(null, 'إذا كان الرقم مسجلاً، سيتم إرسال رمز التحقق');
exit;
}
if (!$user['is_active']) {
json_error('الحساب معطّل. تواصل مع المسؤول.', 403);
}
// 3. Generate OTP (6 digits)
$otp = str_pad((string)random_int(100000, 999999), 6, '0', STR_PAD_LEFT);
$otpHash = password_hash($otp, PASSWORD_DEFAULT);
$expiresAt = date('Y-m-d H:i:s', time() + 300); // 5 minutes
// 4. Store OTP in database (or Redis if available)
// Using a simple approach: store in a cache file per phone
$cacheDir = STORAGE_PATH . '/cache/otp';
if (!is_dir($cacheDir)) {
mkdir($cacheDir, 0755, true);
}
$otpData = [
'hash' => $otpHash,
'user_id' => $user['id'],
'attempts' => 0,
'max_attempts' => 5,
'expires_at' => time() + 300,
'created_at' => time(),
];
$fp = fopen($cacheDir . '/otp_' . $phoneHash . '.json', 'w');
if ($fp) {
flock($fp, LOCK_EX);
fwrite($fp, json_encode($otpData));
flock($fp, LOCK_UN);
fclose($fp);
}
// 5. Send OTP via SMS
// TODO: Replace with your actual SMS provider
$smsSent = sendOtpSms($phone, $otp);
if (!$smsSent) {
error_log("WARN: Failed to send OTP SMS to phone hash: {$phoneHash}");
// Still return success to not reveal info, but log the issue
}
// Log for development (REMOVE IN PRODUCTION!)
if (env('APP_DEBUG', 'false') === 'true') {
error_log("DEV OTP for {$phone}: {$otp}");
}
json_success(null, 'إذا كان الرقم مسجلاً، سيتم إرسال رمز التحقق');
// ─── SMS Helper ──────────────────────────────────────────
function sendOtpSms(string $phone, string $otp): bool
{
$smsProvider = env('SMS_PROVIDER', 'log'); // 'log', 'twilio', 'jordan_sms', 'custom'
$message = "رمز التحقق لتطبيق مُصادَق: {$otp}\nصالح لمدة 5 دقائق.";
switch ($smsProvider) {
case 'custom':
// Custom SMS API (your own provider)
$apiUrl = env('SMS_API_URL');
$apiKey = env('SMS_API_KEY');
if (!$apiUrl || !$apiKey) return false;
try {
$ch = curl_init($apiUrl);
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => json_encode([
'to' => $phone,
'message' => $message,
'api_key' => $apiKey,
]),
CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 10,
]);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $httpCode >= 200 && $httpCode < 300;
} catch (\Exception $e) {
error_log("SMS send error: " . $e->getMessage());
return false;
}
case 'log':
default:
// Development: just log the OTP
error_log("SMS OTP [{$phone}]: {$otp}");
return true;
}
}

174
app/modules_app/auth/mobile_verify_otp.php Normal file
View File

@@ -0,0 +1,174 @@
<?php
/**
* Mobile OTP Verify Endpoint
* POST /v1/auth/mobile/verify-otp
*
* Verifies OTP, registers device, and returns JWT + device secret for HMAC.
*/
declare(strict_types=1);
use App\Core\Database;
use App\Core\JWT;
use App\Core\Validator;
use App\Core\Security;
use App\Middleware\RateLimitMiddleware;
// Rate limit: 10 verify attempts per minute per IP
RateLimitMiddleware::check(10, 60);
$data = Security::sanitize(input());
// 1. Validate
$errors = Validator::validate($data, [
'phone' => 'required',
'otp' => 'required',
]);
if ($errors) {
json_error('رقم الهاتف ورمز التحقق مطلوبان', 422, $errors);
}
$phone = preg_replace('/[^0-9+]/', '', $data['phone']);
$phoneHash = hash('sha256', $phone);
$deviceId = $data['device_id'] ?? '';
$deviceName = $data['device_name'] ?? 'Unknown Device';
$platform = $data['platform'] ?? 'android';
$appVersion = $data['app_version'] ?? '1.0.0';
$pushToken = $data['push_token'] ?? null;
if (empty($deviceId)) {
json_error('معرّف الجهاز مطلوب', 422);
}
// 2. Load OTP from cache
$cacheFile = STORAGE_PATH . '/cache/otp/otp_' . $phoneHash . '.json';
if (!file_exists($cacheFile)) {
json_error('رمز التحقق غير صالح أو منتهي الصلاحية', 401);
}
$fp = fopen($cacheFile, 'r+');
if (!$fp) {
json_error('خطأ في النظام', 500);
}
flock($fp, LOCK_EX);
$content = stream_get_contents($fp);
$otpData = json_decode($content, true);
if (!$otpData || $otpData['expires_at'] < time()) {
flock($fp, LOCK_UN);
fclose($fp);
@unlink($cacheFile);
json_error('رمز التحقق منتهي الصلاحية. اطلب رمزاً جديداً.', 401);
}
// Check attempts
if ($otpData['attempts'] >= $otpData['max_attempts']) {
flock($fp, LOCK_UN);
fclose($fp);
@unlink($cacheFile);
json_error('تجاوزت عدد المحاولات المسموحة. اطلب رمزاً جديداً.', 429);
}
// Verify OTP
if (!password_verify($data['otp'], $otpData['hash'])) {
$otpData['attempts']++;
ftruncate($fp, 0);
rewind($fp);
fwrite($fp, json_encode($otpData));
flock($fp, LOCK_UN);
fclose($fp);
$remaining = $otpData['max_attempts'] - $otpData['attempts'];
json_error("رمز التحقق غير صحيح. المحاولات المتبقية: {$remaining}", 401);
}
// OTP is valid — clean up
flock($fp, LOCK_UN);
fclose($fp);
@unlink($cacheFile);
// 3. Fetch user
$db = Database::getInstance();
$userId = $otpData['user_id'];
$stmt = $db->prepare("SELECT id, tenant_id, name, email, role, is_active FROM users WHERE id = ? LIMIT 1");
$stmt->execute([$userId]);
$user = $stmt->fetch();
if (!$user || !$user['is_active']) {
json_error('الحساب غير موجود أو معطّل', 403);
}
// 4. Generate device secret for HMAC
$deviceSecret = hash('sha256', $userId . $deviceId . bin2hex(random_bytes(16)));
// 5. Register/Update device
$stmt = $db->prepare("
INSERT INTO user_devices (id, user_id, device_fingerprint, device_name, platform, app_version, push_token, device_secret, is_trusted, last_seen_at)
VALUES (UUID(), ?, ?, ?, ?, ?, ?, ?, TRUE, NOW())
ON DUPLICATE KEY UPDATE
device_name = VALUES(device_name),
platform = VALUES(platform),
app_version = VALUES(app_version),
push_token = VALUES(push_token),
device_secret = VALUES(device_secret),
is_trusted = TRUE,
last_seen_at = NOW(),
updated_at = NOW()
");
$stmt->execute([
$userId,
$deviceId,
$deviceName,
$platform,
$appVersion,
$pushToken,
password_hash($deviceSecret, PASSWORD_DEFAULT), // Store hashed
]);
// 6. Generate JWT (30 days for mobile)
$secret = env('JWT_SECRET');
if (!$secret || strlen($secret) < 32) {
error_log('FATAL: JWT_SECRET is missing or too short in .env');
json_error('Server configuration error', 500);
}
$payload = [
'user_id' => $user['id'],
'tenant_id' => $user['tenant_id'],
'role' => $user['role'],
'device_id' => $deviceId,
'source' => 'mobile',
'exp' => time() + (30 * 24 * 3600), // 30 days
];
$token = JWT::encode($payload, $secret);
// 7. Generate refresh token
$refreshToken = bin2hex(random_bytes(32));
$refreshTokenHash = hash('sha256', $refreshToken);
$stmt = $db->prepare("UPDATE users SET refresh_token_hash = ?, last_login_at = NOW() WHERE id = ?");
$stmt->execute([$refreshTokenHash, $userId]);
// 8. Decrypt name for response
$userName = $user['name'];
try {
$decrypted = \App\Core\Encryption::decrypt($user['name']);
if ($decrypted !== false) $userName = $decrypted;
} catch (\Exception $e) {
// Keep encrypted name
}
json_success([
'access_token' => $token,
'refresh_token' => $refreshToken,
'device_secret' => $deviceSecret, // Client stores this securely for HMAC
'user' => [
'id' => $user['id'],
'name' => $userName,
'role' => $user['role'],
'tenant_id' => $user['tenant_id'],
],
], 'تم التحقق بنجاح. مرحباً بك في مُصادَق!');

60
app/modules_app/auth/register_device.php Normal file
View File

@@ -0,0 +1,60 @@
<?php
/**
* Register/Update Device Endpoint
* POST /v1/auth/mobile/register-device
*
* Updates push token and device info for an already-authenticated device.
*/
declare(strict_types=1);
use App\Core\Database;
use App\Middleware\AuthMiddleware;
use App\Core\Security;
$decoded = AuthMiddleware::check();
$userId = $decoded['user_id'];
$deviceId = $decoded['device_id'] ?? null;
if (!$deviceId) {
json_error('هذا الـ endpoint مخصص لتطبيق الهاتف فقط', 403);
}
$data = Security::sanitize(input());
$db = Database::getInstance();
$updateFields = [];
$params = [];
if (isset($data['push_token'])) {
$updateFields[] = 'push_token = ?';
$params[] = $data['push_token'];
}
if (isset($data['app_version'])) {
$updateFields[] = 'app_version = ?';
$params[] = $data['app_version'];
}
if (isset($data['device_name'])) {
$updateFields[] = 'device_name = ?';
$params[] = $data['device_name'];
}
// Always update last_seen
$updateFields[] = 'last_seen_at = NOW()';
if (empty($updateFields)) {
json_success(null, 'لا يوجد بيانات للتحديث');
exit;
}
$sql = "UPDATE user_devices SET " . implode(', ', $updateFields) . " WHERE user_id = ? AND device_fingerprint = ?";
$params[] = $userId;
$params[] = $deviceId;
$stmt = $db->prepare($sql);
$stmt->execute($params);
json_success(null, 'تم تحديث بيانات الجهاز');