payfrit-biz

payfrit/payfrit-biz

Archived

Fork 0

Commit graph

Author	SHA1	Message	Date
John Mizerek	3f15b0c8b6	Fix SQL injection, wrong PK, and hardcoded production URLs Security: - orders/submit.cfm: parameterize IN clause (was string-interpolated) - auth/completeProfile.cfm: fix UserID → ID on Users table PK Environment-aware URLs: - Add application.baseUrl to config/environment.cfm - Replace all hardcoded https://biz.payfrit.com with application.baseUrl in: orders/getDetail, tasks/getDetails, auth/completeProfile, auth/avatar, stripe/onboard, users/search, workers/onboardingLink, workers/earlyUnlock Also fix submit.cfm qMeta.ItemID → qMeta.ID (column not in SELECT) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-31 21:14:19 -08:00
John Mizerek	d8d7efe056	Add user account APIs and fix Lucee header handling - Add avatar.cfm: GET/POST for user profile photos with multi-extension support - Add profile.cfm: GET/POST for user profile (name, email, phone) - Add history.cfm: Order history endpoint with pagination - Add addresses/list.cfm and add.cfm: Delivery address management - Add setOrderType.cfm: Set delivery/takeaway type on orders - Add checkToken.cfm: Debug endpoint for token validation - Fix headerValue() in Application.cfm to use servlet request object (Lucee CGI scope doesn't expose custom HTTP headers like X-User-Token) - Update public allowlist for new endpoints - Add privacy.html page 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-08 20:01:07 -08:00

Author

SHA1

Message

Date

John Mizerek

3f15b0c8b6

Fix SQL injection, wrong PK, and hardcoded production URLs

Security:
- orders/submit.cfm: parameterize IN clause (was string-interpolated)
- auth/completeProfile.cfm: fix UserID → ID on Users table PK

Environment-aware URLs:
- Add application.baseUrl to config/environment.cfm
- Replace all hardcoded https://biz.payfrit.com with application.baseUrl in:
  orders/getDetail, tasks/getDetails, auth/completeProfile, auth/avatar,
  stripe/onboard, users/search, workers/onboardingLink, workers/earlyUnlock

Also fix submit.cfm qMeta.ItemID → qMeta.ID (column not in SELECT)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-31 21:14:19 -08:00

John Mizerek

d8d7efe056

Add user account APIs and fix Lucee header handling

- Add avatar.cfm: GET/POST for user profile photos with multi-extension support
- Add profile.cfm: GET/POST for user profile (name, email, phone)
- Add history.cfm: Order history endpoint with pagination
- Add addresses/list.cfm and add.cfm: Delivery address management
- Add setOrderType.cfm: Set delivery/takeaway type on orders
- Add checkToken.cfm: Debug endpoint for token validation
- Fix headerValue() in Application.cfm to use servlet request object
  (Lucee CGI scope doesn't expose custom HTTP headers like X-User-Token)
- Update public allowlist for new endpoints
- Add privacy.html page

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-08 20:01:07 -08:00

2 commits