Fix upload paths to use Lucee webroot and accept uppercase OTP keys

Upload endpoints were saving files to PHP's DOCUMENT_ROOT instead of
the Lucee webroot where the Android app loads them from. Also fix
verifyLoginOTP and verifyOTP to accept both UUID/OTP and uuid/otp keys.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

api/auth/avatar.php

@@ -15,7 +15,10 @@ if ($userId <= 0) {
     apiAbort(['OK' => false, 'ERROR' => 'not_logged_in', 'MESSAGE' => 'Authentication required']);
 }
 
-$uploadsDir = dirname(__DIR__, 2) . '/uploads/users';
+$webroot = isDev()
+    ? '/opt/lucee/tomcat/webapps/ROOT'
+    : '/var/www/biz.payfrit.com';
+$uploadsDir = $webroot . '/uploads/users';
 $avatarUrl = baseUrl() . '/uploads/users/';
 
 // Find existing avatar (check multiple extensions)

api/auth/verifyLoginOTP.php

@@ -9,8 +9,8 @@ runAuth();
 */
 
 $data = readJsonBody();
-$userUUID = trim($data['uuid'] ?? '');
-$otp = trim($data['otp'] ?? '');
+$userUUID = trim($data['UUID'] ?? $data['uuid'] ?? '');
+$otp = trim($data['OTP'] ?? $data['otp'] ?? '');
 
 if (empty($userUUID) || empty($otp)) {
     apiAbort(['OK' => false, 'ERROR' => 'missing_fields', 'MESSAGE' => 'UUID and OTP are required']);

api/auth/verifyOTP.php

@@ -9,8 +9,8 @@ runAuth();
 */
 
 $data = readJsonBody();
-$userUUID = trim($data['uuid'] ?? '');
-$otp = trim($data['otp'] ?? '');
+$userUUID = trim($data['UUID'] ?? $data['uuid'] ?? '');
+$otp = trim($data['OTP'] ?? $data['otp'] ?? '');
 
 if (empty($userUUID) || empty($otp)) {
     apiAbort(['OK' => false, 'ERROR' => 'missing_fields', 'MESSAGE' => 'UUID and OTP are required']);

api/menu/getForBuilder.php

@@ -292,7 +292,10 @@ try {
 
     // Build items lookup by CategoryID
     $itemsByCategory = [];
-    $uploadsDir = $_SERVER['DOCUMENT_ROOT'] . '/uploads/items';
+    $webroot = isDev()
+    ? '/opt/lucee/tomcat/webapps/ROOT'
+    : '/var/www/biz.payfrit.com';
+$uploadsDir = $webroot . '/uploads/items';
     foreach ($qItemRows as $item) {
         $catID = (int) $item['CategoryItemID'];
         $itemID = (int) $item['ID'];

api/menu/uploadHeader.php

@@ -22,7 +22,10 @@ if (!isset($_FILES['header']) || $_FILES['header']['error'] !== UPLOAD_ERR_OK) {
     jsonResponse(['OK' => false, 'ERROR' => 'no_file', 'MESSAGE' => 'No file was uploaded']);
 }
 
-$headersDir = $_SERVER['DOCUMENT_ROOT'] . '/uploads/headers';
+$webroot = isDev()
+    ? '/opt/lucee/tomcat/webapps/ROOT'
+    : '/var/www/biz.payfrit.com';
+$headersDir = $webroot . '/uploads/headers';
 if (!is_dir($headersDir)) {
     mkdir($headersDir, 0755, true);
 }

api/menu/uploadItemPhoto.php

@@ -25,8 +25,11 @@ if (!in_array($ext, $allowedExtensions)) {
     jsonResponse(['OK' => false, 'ERROR' => 'invalid_type', 'MESSAGE' => "Only image files are accepted (jpg, jpeg, gif, png, webp, heic). Got: $ext"]);
 }
 
-// Determine uploads directory (server path)
-$itemsDir = $_SERVER['DOCUMENT_ROOT'] . '/uploads/items';
+// Determine uploads directory (must be in Lucee webroot, not PHP docroot)
+$webroot = isDev()
+    ? '/opt/lucee/tomcat/webapps/ROOT'
+    : '/var/www/biz.payfrit.com';
+$itemsDir = $webroot . '/uploads/items';
 if (!is_dir($itemsDir)) {
     mkdir($itemsDir, 0755, true);
 }

api/tasks/getDetails.php

@@ -68,9 +68,12 @@ try {
     $customerPhotoUrl = '';
     $customerUserID = (int) ($qTask['CustomerUserID'] ?? 0);
     if ($customerUserID > 0) {
+        $webroot = isDev()
+            ? '/opt/lucee/tomcat/webapps/ROOT'
+            : '/var/www/biz.payfrit.com';
         $baseDir = '/uploads/users/';
         foreach (['jpg', 'png', 'PNG'] as $ext) {
-            $checkPath = $_SERVER['DOCUMENT_ROOT'] . $baseDir . $customerUserID . '.' . $ext;
+            $checkPath = $webroot . $baseDir . $customerUserID . '.' . $ext;
             if (file_exists($checkPath)) {
                 $customerPhotoUrl = baseUrl() . $baseDir . $customerUserID . '.' . $ext;
                 break;