payfrit-api/api
Schwifty 601245d969 fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret
1. Switch str_contains() to exact match ($path === $route) in PUBLIC_ROUTES check
   to prevent substring-based route bypass attacks.

2. Remove blanket /api/admin/ bypass that was letting all admin endpoints through
   without authentication.

3. Add requireCronSecret() — cron/scheduled task endpoints now require a valid
   X-Cron-Secret header matching the PAYFRIT_CRON_SECRET env var. Uses
   hash_equals() for timing-safe comparison. Applied to:
   - cron/expireStaleChats.php
   - cron/expireTabs.php
   - api/admin/scheduledTasks/runDue.php
2026-03-23 01:43:43 +00:00
addresses Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
admin fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 2026-03-23 01:43:43 +00:00
app Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
assignments Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
auth Enable magic OTP (123456) for Apple app review testing 2026-03-20 05:22:17 +00:00
beacon-sharding Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
beacons Add beacons/lookupByMac.php and beacons/wipe.php endpoints 2026-03-16 19:13:21 -07:00
businesses Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
chat Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
config Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
grants Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
menu Fix item prices returning as strings instead of floats in JSON 2026-03-16 17:24:57 -07:00
orders Add TaskTypeID=0 to order task creation INSERTs 2026-03-16 23:21:41 -07:00
portal Add portal/getSettings and portal/updateSettings PHP endpoints 2026-03-17 15:42:24 -07:00
presence Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
ratings Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
servicepoints Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
setup Add IsServiceBell flag to task types 2026-03-15 16:52:23 -07:00
stations Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
stripe Add TaskTypeID=0 to order task creation INSERTs 2026-03-16 23:21:41 -07:00
tabs Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
tasks Add IsServiceBell flag to task types 2026-03-15 16:52:23 -07:00
users Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
workers Initial PHP API migration from CFML 2026-03-14 14:26:59 -07:00
helpers.php fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 2026-03-23 01:43:43 +00:00