98 lines
2.7 KiB
PHP
98 lines
2.7 KiB
PHP
<?php
|
|
/**
|
|
* Mobile OTP Request Endpoint
|
|
* POST /v1/auth/mobile/request-otp
|
|
*
|
|
* Sends an OTP to the user's registered phone number.
|
|
* The phone must already be registered by an admin in the web dashboard.
|
|
*/
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Core\Database;
|
|
use App\Core\Validator;
|
|
use App\Core\Security;
|
|
use App\Middleware\RateLimitMiddleware;
|
|
|
|
// Rate limit: 3 OTP requests per minute per IP
|
|
RateLimitMiddleware::check(3, 60);
|
|
|
|
$data = Security::sanitize(input());
|
|
|
|
// 1. Validate
|
|
$errors = Validator::validate($data, [
|
|
'phone' => 'required',
|
|
]);
|
|
|
|
if ($errors) {
|
|
json_error('رقم الهاتف مطلوب', 422, $errors);
|
|
}
|
|
|
|
$phone = preg_replace('/[^0-9+]/', '', $data['phone']);
|
|
$phoneHash = hash('sha256', $phone);
|
|
|
|
// 2. Find user by phone hash
|
|
$db = Database::getInstance();
|
|
$stmt = $db->prepare("SELECT id, tenant_id, name, is_active FROM users WHERE phone_hash = ? LIMIT 1");
|
|
$stmt->execute([$phoneHash]);
|
|
$user = $stmt->fetch();
|
|
|
|
if (!$user) {
|
|
// Don't reveal if phone exists — generic message
|
|
json_success(null, 'إذا كان الرقم مسجلاً، سيتم إرسال رمز التحقق');
|
|
exit;
|
|
}
|
|
|
|
if (!$user['is_active']) {
|
|
json_error('الحساب معطّل. تواصل مع المسؤول.', 403);
|
|
}
|
|
|
|
// 3. Generate OTP (6 digits)
|
|
$otp = str_pad((string)random_int(100000, 999999), 6, '0', STR_PAD_LEFT);
|
|
$otpHash = password_hash($otp, PASSWORD_DEFAULT);
|
|
$expiresAt = date('Y-m-d H:i:s', time() + 300); // 5 minutes
|
|
|
|
// 4. Store OTP in database (or Redis if available)
|
|
// Using a simple approach: store in a cache file per phone
|
|
$cacheDir = STORAGE_PATH . '/cache/otp';
|
|
if (!is_dir($cacheDir)) {
|
|
mkdir($cacheDir, 0755, true);
|
|
}
|
|
|
|
$otpData = [
|
|
'hash' => $otpHash,
|
|
'user_id' => $user['id'],
|
|
'attempts' => 0,
|
|
'max_attempts' => 5,
|
|
'expires_at' => time() + 300,
|
|
'created_at' => time(),
|
|
];
|
|
|
|
$fp = fopen($cacheDir . '/otp_' . $phoneHash . '.json', 'w');
|
|
if ($fp) {
|
|
flock($fp, LOCK_EX);
|
|
fwrite($fp, json_encode($otpData));
|
|
flock($fp, LOCK_UN);
|
|
fclose($fp);
|
|
}
|
|
|
|
// 5. Send OTP via WhatsApp Proxy
|
|
$whatsappService = new \App\Services\WhatsAppProxyService();
|
|
$message = "رمز التحقق لتطبيق مُصادَق:\n*{$otp}*\n\nصالح لمدة 5 دقائق.";
|
|
$smsSent = $whatsappService->sendMessage($phone, $message);
|
|
|
|
if (!$smsSent) {
|
|
error_log("WARN: Failed to send OTP WhatsApp to phone hash: {$phoneHash}");
|
|
// Still return success to not reveal info, but log the issue
|
|
}
|
|
|
|
// Log for development (REMOVE IN PRODUCTION!)
|
|
if (env('APP_DEBUG', 'false') === 'true') {
|
|
error_log("DEV OTP for {$phone}: {$otp}");
|
|
}
|
|
|
|
json_success(null, 'إذا كان الرقم مسجلاً، سيتم إرسال رمز التحقق عبر واتساب');
|
|
|
|
|
|
|