61 lines
1.8 KiB
PHP
61 lines
1.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Middleware;
|
|
|
|
use App\Core\{Request, Response, Redis};
|
|
use App\Services\Security\HmacService;
|
|
use App\Core\Database;
|
|
|
|
final class HmacMiddleware
|
|
{
|
|
public function __construct(private readonly HmacService $hmac) {}
|
|
|
|
public function handle(Request $request, callable $next): mixed
|
|
{
|
|
$publicKey = $request->getHeader('X-Api-Key');
|
|
$signature = $request->getHeader('X-Signature');
|
|
$timestamp = $request->getHeader('X-Timestamp');
|
|
$nonce = $request->getHeader('X-Nonce');
|
|
|
|
if (!$publicKey || !$signature || !$timestamp || !$nonce) {
|
|
Response::error('بيانات التوقيع (HMAC) ناقصة', 'HMAC_MISSING', 401);
|
|
return null;
|
|
}
|
|
|
|
// 1. Lookup Secret by Public Key
|
|
$db = Database::getInstance();
|
|
$stmt = $db->prepare("SELECT secret_hash, tenant_id FROM api_keys WHERE public_key = ? AND is_active = 1 LIMIT 1");
|
|
$stmt->execute([$publicKey]);
|
|
$apiKey = $stmt->fetch();
|
|
|
|
if (!$apiKey) {
|
|
Response::error('مفتاح API غير صالح', 'HMAC_INVALID_KEY', 401);
|
|
return null;
|
|
}
|
|
|
|
// 2. Verify Signature
|
|
// Note: secret_hash in DB is the actual secret for signing
|
|
$isValid = $this->hmac->verify(
|
|
$apiKey['secret_hash'],
|
|
$request->getMethod(),
|
|
$request->getPath(),
|
|
$timestamp,
|
|
$nonce,
|
|
json_encode($request->getBody()),
|
|
$signature
|
|
);
|
|
|
|
if (!$isValid) {
|
|
Response::error('توقيع الطلب غير صحيح', 'HMAC_INVALID_SIGNATURE', 401);
|
|
return null;
|
|
}
|
|
|
|
// 3. Set context
|
|
$request->tenantId = $apiKey['tenant_id'];
|
|
|
|
return $next($request);
|
|
}
|
|
}
|