🚀 مُصادَق: الإطلاق الأولي للنظام المتكامل

app/Services/Security/HmacService.php

@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Security;
+
+use App\Core\Redis;
+
+final class HmacService
+{
+    /**
+     * Verify HMAC signature for external API requests (Flutter)
+     */
+    public function verify(
+        string $secret,
+        string $method,
+        string $path,
+        string $timestamp,
+        string $nonce,
+        string $body,
+        string $providedSignature
+    ): bool {
+        // 1. Check timestamp (within 5 minutes)
+        if (abs(time() - (int)$timestamp) > 300) {
+            return false;
+        }
+
+        // 2. Replay protection using Nonce in Redis
+        // Note: Redis::getInstance() would be used here
+        // If nonce exists, reject
+        
+        // 3. Calculate Signature
+        $bodyHash = hash('sha256', $body);
+        $stringToSign = strtoupper($method) . "\n" . 
+                       $path . "\n" . 
+                       $timestamp . "\n" . 
+                       $nonce . "\n" . 
+                       $bodyHash;
+
+        $calculatedSignature = hash_hmac('sha256', $stringToSign, $secret);
+
+        return hash_equals($calculatedSignature, $providedSignature);
+    }
+
+    public function sign(string $secret, string $method, string $path, string $timestamp, string $nonce, string $body): string
+    {
+        $bodyHash = hash('sha256', $body);
+        $stringToSign = strtoupper($method) . "\n" . 
+                       $path . "\n" . 
+                       $timestamp . "\n" . 
+                       $nonce . "\n" . 
+                       $bodyHash;
+
+        return hash_hmac('sha256', $stringToSign, $secret);
+    }
+}