payfrit/payfrit-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: payfrit:cc7d6f6b4f74ee9ff58db16f9673f758553e098b
Branches Tags
payfrit:main
payfrit:schwifty/fix-auth-security
payfrit:schwifty/fix-555-docs
..
compare: payfrit:b25198b3f5689a595da78bb582224fbf927dc3c7
Branches Tags
payfrit:main
payfrit:schwifty/fix-auth-security
payfrit:schwifty/fix-555-docs

No commits in common. "cc7d6f6b4f74ee9ff58db16f9673f758553e098b" and "b25198b3f5689a595da78bb582224fbf927dc3c7" have entirely different histories.
cc7d6f6b4f ... b25198b3f5

4 changed files with 9 additions and 29 deletions
Show stats Expand all files Collapse all files

2
api/admin/scheduledTasks/runDue.php
View file

@ -1,7 +1,7 @@
<?php <?php
require_once __DIR__ . '/../../helpers.php'; require_once __DIR__ . '/../../helpers.php';
require_once __DIR__ . '/_cronUtils.php'; require_once __DIR__ . '/_cronUtils.php';
requireCronSecret(); // No runAuth() — this is a cron/public endpoint
/** /**
* Process all due scheduled tasks. * Process all due scheduled tasks.

32
api/helpers.php
View file

@ -300,30 +300,6 @@ function sendSMS(string $to, string $body): array {
return ['success' => false, 'message' => $errMsg]; return ['success' => false, 'message' => $errMsg];
} }
// ============================================
// CRON AUTH
// ============================================
/**
* Require a valid X-Cron-Secret header for cron/scheduled task endpoints.
* The secret is read from the PAYFRIT_CRON_SECRET environment variable.
* Aborts with 403 if missing or mismatched.
*/
function requireCronSecret(): void {
$expected = trim(getenv('PAYFRIT_CRON_SECRET') ?: '');
if ($expected === '') {
error_log('[cron_auth] PAYFRIT_CRON_SECRET env var is not set. Blocking request.');
http_response_code(403);
jsonResponse(['OK' => false, 'ERROR' => 'cron_secret_not_configured'], 403);
}
$provided = headerValue('X-Cron-Secret');
if ($provided === '' || !hash_equals($expected, $provided)) {
http_response_code(403);
jsonResponse(['OK' => false, 'ERROR' => 'invalid_cron_secret'], 403);
}
}
// ============================================ // ============================================
// AUTH MIDDLEWARE // AUTH MIDDLEWARE
// ============================================ // ============================================
@ -549,14 +525,18 @@ function runAuth(): void {
$businessId = (int) $bizHeader; $businessId = (int) $bizHeader;
} }
// Check if public route (exact match only) // Check if public route
$isPublic = false; $isPublic = false;
foreach (PUBLIC_ROUTES as $route) { foreach (PUBLIC_ROUTES as $route) {
if ($path === strtolower($route)) { if (str_contains($path, strtolower($route))) {
$isPublic = true; $isPublic = true;
break; break;
} }
} }
// Also allow /api/admin/ paths
if (str_contains($path, '/api/admin/')) {
$isPublic = true;
}
if (!$isPublic) { if (!$isPublic) {
if ($userId <= 0) { if ($userId <= 0) {

2
cron/expireStaleChats.php
View file

@ -1,6 +1,6 @@
<?php <?php
require_once __DIR__ . '/../api/helpers.php'; require_once __DIR__ . '/../api/helpers.php';
requireCronSecret(); // No runAuth() — cron/public endpoint
/** /**
* Expire stale chats (older than 20 minutes with no recent activity). * Expire stale chats (older than 20 minutes with no recent activity).

2
cron/expireTabs.php
View file

@ -1,7 +1,7 @@
<?php <?php
require_once __DIR__ . '/../api/helpers.php'; require_once __DIR__ . '/../api/helpers.php';
require_once __DIR__ . '/../api/config/stripe.php'; require_once __DIR__ . '/../api/config/stripe.php';
requireCronSecret(); // No runAuth() — cron/public endpoint
/** /**
* Scheduled task to handle tab expiry and cleanup. * Scheduled task to handle tab expiry and cleanup.