payfrit/payfrit-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
44 commits 3 branches 0 tags 1.1 MiB
Commit graph

2 commits

Author SHA1 Message Date
Schwifty
601245d969 fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 
1. Switch str_contains() to exact match ($path === $route) in PUBLIC_ROUTES check
   to prevent substring-based route bypass attacks.

2. Remove blanket /api/admin/ bypass that was letting all admin endpoints through
   without authentication.

3. Add requireCronSecret() — cron/scheduled task endpoints now require a valid
   X-Cron-Secret header matching the PAYFRIT_CRON_SECRET env var. Uses
   hash_equals() for timing-safe comparison. Applied to:
   - cron/expireStaleChats.php
   - cron/expireTabs.php
   - api/admin/scheduledTasks/runDue.php
 2026-03-23 01:43:43 +00:00
John Mizerek
4d806d4e1e Port admin, cron, and receipt endpoints from CFML to PHP 
- admin/quickTasks: list, create, save, delete
- admin/scheduledTasks: list, save, delete, toggle, run, runDue
- cron: expireStaleChats, expireTabs
- receipt: public order receipt page (no auth, UUID-secured)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-14 15:57:25 -07:00