payfrit/payfrit-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
payfrit-api/api/admin/scheduledTasks
History
Schwifty 601245d969 fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 
1. Switch str_contains() to exact match ($path === $route) in PUBLIC_ROUTES check
   to prevent substring-based route bypass attacks.

2. Remove blanket /api/admin/ bypass that was letting all admin endpoints through
   without authentication.

3. Add requireCronSecret() — cron/scheduled task endpoints now require a valid
   X-Cron-Secret header matching the PAYFRIT_CRON_SECRET env var. Uses
   hash_equals() for timing-safe comparison. Applied to:
   - cron/expireStaleChats.php
   - cron/expireTabs.php
   - api/admin/scheduledTasks/runDue.php
2026-03-23 01:43:43 +00:00
..
_cronUtils.php Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00
delete.php Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00
list.php Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00
run.php Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00
runDue.php fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 2026-03-23 01:43:43 +00:00
save.php Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00
toggle.php Port admin, cron, and receipt endpoints from CFML to PHP 2026-03-14 15:57:25 -07:00