# Phase 4 Rollback — XML Auth Flow

## What Phase 4 Added

**New files:**
- `app/Http/Controllers/Wani/AuthController.php`
- `app/Models/WaniToken.php`
- `database/migrations/2026_04_21_120000_create_wani_tokens_table.php`

**Modified files:**
- `routes/api.php` — added AuthController import + `/auth/initiate` + `/auth/validate` routes

**Database changes:**
- NEW table: `wani_tokens` (stores opaque session tokens)

## How to Roll Back (Local)

```bash
cd c:/xampp/htdocs/Android_App/pmwani_mobile_app_backend

# 1. Roll back the migration (drops wani_tokens table)
php artisan migrate:rollback --path=database/migrations/2026_04_21_120000_create_wani_tokens_table.php

# 2. Restore api.php
cp rollback/phase-4/api.php.before routes/api.php

# 3. Delete new files
rm app/Http/Controllers/Wani/AuthController.php
rm app/Models/WaniToken.php
rm database/migrations/2026_04_21_120000_create_wani_tokens_table.php

# 4. Clear caches
php artisan config:clear
php artisan route:clear
php artisan cache:clear
```

After the rollback, the codebase and database are back in the Phase 3 state.

## Impact If NOT Rolled Back

- **Zero functional impact** on existing JSON API
- Existing `/api/wani/authenticate` (RSA + JWT flow) untouched
- Adds two new XML routes:
  - `POST /api/wani/v1/auth/initiate`
  - `POST /api/wani/v1/auth/validate`
- Creates `wani_tokens` table (new, isolated, unused by other code)

## Phase 4 Verification

### Test 1: Issue a token

```bash
curl -X POST "https://flutter.pmwani.net/api/wani/v1/auth/initiate" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?>
<AuthRequest>
  <User><Mobile>9999999999</Mobile></User>
  <Hotspot>
    <SSID>PM-WANI</SSID>
    <BSSID>50:48:2C:30:07:33</BSSID>
  </Hotspot>
</AuthRequest>'
```

Expected:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<AuthResponse>
  <Status>SUCCESS</Status>
  <Token>aBc...48charstring...xYz</Token>
  <Expiry>300</Expiry>
  <SessionTime>1800</SessionTime>
</AuthResponse>
```

### Test 2: Validate the token

```bash
curl -X POST "https://flutter.pmwani.net/api/wani/v1/auth/validate" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?>
<TokenValidation>
  <Token>PASTE_TOKEN_FROM_STEP_1</Token>
</TokenValidation>'
```

Expected:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<AccessResponse>
  <Status>AUTHORIZED</Status>
  <SessionTime>1800</SessionTime>
  <UserId>42</UserId>
</AccessResponse>
```

### Test 3: Error cases

**Unknown user:**
```xml
<Error><Code>USER_NOT_FOUND</Code><Message>User is not registered</Message></Error>
```

**Expired token:** (wait 5+ min, then validate)
```xml
<Error><Code>EXPIRED_TOKEN</Code><Message>Token has expired</Message></Error>
```

**Re-use token:**
```xml
<Error><Code>TOKEN_ALREADY_USED</Code><Message>Token was already consumed</Message></Error>
```

## Server Deployment Commands

```bash
cd c:/xampp/htdocs/Android_App/pmwani_mobile_app_backend

# Upload new files
scp -P 21212 app/Http/Controllers/Wani/AuthController.php immunity@147.93.30.127:/var/www/mobile_app_backend/app/Http/Controllers/Wani/AuthController.php
scp -P 21212 app/Models/WaniToken.php immunity@147.93.30.127:/var/www/mobile_app_backend/app/Models/WaniToken.php
scp -P 21212 database/migrations/2026_04_21_120000_create_wani_tokens_table.php immunity@147.93.30.127:/var/www/mobile_app_backend/database/migrations/2026_04_21_120000_create_wani_tokens_table.php

# Upload updated routes
scp -P 21212 routes/api.php immunity@147.93.30.127:/var/www/mobile_app_backend/routes/api.php

# Run migration + clear cache
ssh immunity@147.93.30.127 -p 21212 "cd /var/www/mobile_app_backend && php artisan migrate --force && php artisan config:clear && php artisan route:clear && php artisan cache:clear"
```

## Server Rollback Commands

```bash
cd c:/xampp/htdocs/Android_App/pmwani_mobile_app_backend

# 1. Roll back migration on server (drops wani_tokens)
ssh immunity@147.93.30.127 -p 21212 "cd /var/www/mobile_app_backend && php artisan migrate:rollback --path=database/migrations/2026_04_21_120000_create_wani_tokens_table.php"

# 2. Restore api.php
scp -P 21212 rollback/phase-4/api.php.before immunity@147.93.30.127:/var/www/mobile_app_backend/routes/api.php

# 3. Delete new files on server
ssh immunity@147.93.30.127 -p 21212 "rm /var/www/mobile_app_backend/app/Http/Controllers/Wani/AuthController.php /var/www/mobile_app_backend/app/Models/WaniToken.php /var/www/mobile_app_backend/database/migrations/2026_04_21_120000_create_wani_tokens_table.php && cd /var/www/mobile_app_backend && php artisan config:clear && php artisan route:clear"
```

## Important Notes

- **Tokens expire in 5 minutes** (PM-WANI spec recommendation)
- **Each token is single-use** — once validated, it cannot be reused (prevents replay)
- **Session length:** 1800 seconds (30 min) default after validation
- **Rate limited:** 10 requests/minute per IP on both endpoints
- **User must be OTP-verified** — unverified users rejected with `USER_NOT_VERIFIED`
- **All events logged** to Laravel's default log channel (masked mobile for privacy)
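
The token lifecycle behind Test 2, the Test 3 error cases and the notes above, as an added Python reference model of the `/auth/validate` behaviour (this is not the project's PHP controller or `WaniToken` model). It assumes an in-memory stand-in for the `wani_tokens` table, a hypothetical `INVALID_TOKEN` code for unrecognised tokens and `BAD_REQUEST` for malformed XML (the page lists no codes for those), and it stores only a SHA-256 digest of each token, which is an added design choice rather than something the page states.

```python
from __future__ import annotations

import hashlib
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 300    # <Expiry>300</Expiry> in the page's AuthResponse (5 minutes)
SESSION_SECONDS = 1800     # <SessionTime>1800</SessionTime> (30 minutes)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    user_id: int
    issued_at: float
    used_at: float | None = None


@dataclass
class TokenStore:
    """In-memory stand-in for the wani_tokens table (hypothetical schema)."""
    rows: dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, user_id: int, now: float) -> str:
        # 36 random bytes -> 48 URL-safe characters, like the 48-char token in the page's example.
        token = secrets.token_urlsafe(36)
        # Only the digest is stored (added design choice): a leaked table yields no usable tokens.
        self.rows[_digest(token)] = TokenRecord(user_id=user_id, issued_at=now)
        return token

    def consume(self, token: str, now: float) -> tuple[str, int | None]:
        """Return (status_code, user_id); the codes mirror the Test 3 error cases."""
        rec = self.rows.get(_digest(token))
        if rec is None:
            return "INVALID_TOKEN", None        # hypothetical code; the page lists none for this
        if rec.used_at is not None:
            return "TOKEN_ALREADY_USED", None   # replay of a consumed token
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return "EXPIRED_TOKEN", None
        # Mark used before answering. In the real table do this as a conditional UPDATE
        # (... WHERE used_at IS NULL) so two concurrent validations cannot both succeed.
        rec.used_at = now
        return "AUTHORIZED", rec.user_id


def parse_token_validation(xml_text: str) -> str:
    """Extract <Token> from a <TokenValidation> request as shown in Test 2."""
    root = ET.fromstring(xml_text)
    if root.tag != "TokenValidation":
        raise ValueError("unexpected root element")
    tok = root.findtext("Token")
    if not tok:
        raise ValueError("missing <Token>")
    return tok.strip()


def _error(code: str, message: str) -> str:
    err = ET.Element("Error")
    ET.SubElement(err, "Code").text = code
    ET.SubElement(err, "Message").text = message
    return ET.tostring(err, encoding="unicode")


def handle_validate(store: TokenStore, xml_text: str, now: float) -> str:
    """Build the XML reply for /auth/validate: <AccessResponse> on success, <Error> otherwise."""
    try:
        token = parse_token_validation(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return _error("BAD_REQUEST", str(exc))   # hypothetical code for malformed input
    status, user_id = store.consume(token, now)
    if status != "AUTHORIZED":
        messages = {
            "EXPIRED_TOKEN": "Token has expired",
            "TOKEN_ALREADY_USED": "Token was already consumed",
            "INVALID_TOKEN": "Token not recognised",
        }
        return _error(status, messages[status])
    resp = ET.Element("AccessResponse")
    ET.SubElement(resp, "Status").text = "AUTHORIZED"
    ET.SubElement(resp, "SessionTime").text = str(SESSION_SECONDS)
    ET.SubElement(resp, "UserId").text = str(user_id)
    return ET.tostring(resp, encoding="unicode")


def response_status(xml_text: str) -> str:
    """The <Status> of an AccessResponse or the <Code> of an Error."""
    root = ET.fromstring(xml_text)
    return root.findtext("Status") or root.findtext("Code") or ""


def demo() -> list[str]:
    """Fresh validate, replay of the same token, then a token validated after its 300 s TTL."""
    store = TokenStore()
    t0 = 1_000_000.0   # constructed clock value
    token = store.issue(user_id=42, now=t0)
    req = f"<?xml version='1.0'?><TokenValidation><Token>{token}</Token></TokenValidation>"
    first = response_status(handle_validate(store, req, t0 + 10))
    replay = response_status(handle_validate(store, req, t0 + 11))
    stale = store.issue(user_id=42, now=t0)
    req2 = f"<?xml version='1.0'?><TokenValidation><Token>{stale}</Token></TokenValidation>"
    expired = response_status(handle_validate(store, req2, t0 + 301))
    return [first, replay, expired]
```

Running `demo()` yields `AUTHORIZED`, then `TOKEN_ALREADY_USED`, then `EXPIRED_TOKEN`, the same sequence the curl steps in Test 2 and Test 3 exercise against the live endpoint. The clock is passed in explicitly so the expiry branch can be tested without waiting the five minutes the page's Test 3 asks for.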
