payfrit/payfrit-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
PHP API (migrated from CFML)
35 commits 3 branches 0 tags 1.1 MiB
PHP 100%
Find a file
Schwifty 601245d969 fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 
1. Switch str_contains() to exact match ($path === $route) in PUBLIC_ROUTES check
   to prevent substring-based route bypass attacks.

2. Remove blanket /api/admin/ bypass that was letting all admin endpoints through
   without authentication.

3. Add requireCronSecret() — cron/scheduled task endpoints now require a valid
   X-Cron-Secret header matching the PAYFRIT_CRON_SECRET env var. Uses
   hash_equals() for timing-safe comparison. Applied to:
   - cron/expireStaleChats.php
   - cron/expireTabs.php
   - api/admin/scheduledTasks/runDue.php
2026-03-23 01:43:43 +00:00
_webhook Add deploy webhook for auto-deploy from Forgejo 2026-03-14 15:04:53 -07:00
api fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 2026-03-23 01:43:43 +00:00
config Port Twilio SMS integration from CFML to PHP 2026-03-14 16:02:34 -07:00
cron fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 2026-03-23 01:43:43 +00:00
receipt Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00