payfrit-biz/api/workers/onboardingLink.cfm
John Mizerek 3f15b0c8b6 Fix SQL injection, wrong PK, and hardcoded production URLs
Security:
- orders/submit.cfm: parameterize IN clause (was string-interpolated)
- auth/completeProfile.cfm: fix UserID → ID on Users table PK

Environment-aware URLs:
- Add application.baseUrl to config/environment.cfm
- Replace all hardcoded https://biz.payfrit.com with application.baseUrl in:
  orders/getDetail, tasks/getDetails, auth/completeProfile, auth/avatar,
  stripe/onboard, users/search, workers/onboardingLink, workers/earlyUnlock

Also fix submit.cfm qMeta.ItemID → qMeta.ID (column not in SELECT)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 21:14:19 -08:00


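<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">
<cfcontent type="application/json; charset=utf-8" reset="true">
<cfscript>
/**
* Generate Stripe-hosted onboarding link for worker's connected account.
*
* Input:  JSON body { "UserID": <int> }; when the body carries no UserID the
*         value falls back to request.UserID.
* Output: { "OK": true, "ONBOARDING_URL": <url> } on success, otherwise
*         { "OK": false, "ERROR": <code>, "MESSAGE": <text, only when set> }.
*
* Every exit goes through the single writeOutput at the bottom: early exits are
* `return`s from buildResponse(), so the duplicated write-then-abort blocks and
* the abort-inside-try pattern are gone.
*/

/**
* Build an error response struct. MESSAGE is only added when non-empty so the
* wire format of the existing error codes is unchanged.
*/
function fail(required string code, string message = "") {
	var out = { "OK": false, "ERROR": arguments.code };
	if (len(arguments.message)) {
		out["MESSAGE"] = arguments.message;
	}
	return out;
}

/**
* Parse the request body as JSON. A missing, non-JSON or non-object body yields
* an empty struct so the request.UserID fallback still applies instead of a
* deserialization exception.
*/
function readBody() {
	var raw = toString(getHttpRequestData().content);
	var parsed = {};
	if (len(trim(raw)) == 0 || !isJSON(raw)) {
		return {};
	}
	parsed = deserializeJSON(raw);
	return isStruct(parsed) ? parsed : {};
}

/**
* Resolve the worker, look up the connected account and request an
* account_onboarding link from Stripe. Returns the response struct.
*/
function buildResponse() {
	var requestData = readBody();
	// NOTE(review): the body-supplied UserID takes precedence over request.UserID.
	// If request.UserID is the authenticated caller (set by a request filter),
	// any client can obtain onboarding links for other users' accounts by sending
	// a different UserID — confirm the trust model; if that is the case, prefer
	// request.UserID or require the two values to match.
	var userID = val(requestData.UserID ?: 0);
	if (userID == 0 && structKeyExists(request, "UserID")) {
		userID = val(request.UserID);
	}
	if (userID == 0) {
		return fail("missing_params", "UserID is required.");
	}

	// Parameterized and typed: UserID is only ever bound as an integer.
	var qUser = queryExecute("
		SELECT StripeConnectedAccountID FROM Users WHERE ID = :userID
	", { userID: { value: userID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
	if (qUser.recordCount == 0) {
		return fail("user_not_found");
	}

	var accountID = trim(qUser.StripeConnectedAccountID ?: "");
	if (len(accountID) == 0) {
		return fail("no_stripe_account", "Create a Stripe account first.");
	}

	// Refuse to call Stripe with an empty key: Stripe would answer 401 and the
	// original code relayed that message straight to the client.
	var stripeSecretKey = application.stripeSecretKey ?: "";
	if (len(trim(stripeSecretKey)) == 0) {
		return fail("stripe_not_configured");
	}

	// Create an Account Link for onboarding. Refresh/return URLs are built from
	// application.baseUrl so the same code serves every environment.
	var baseUrl = application.baseUrl;
	var httpService = new http();
	httpService.setMethod("POST");
	httpService.setUrl("https://api.stripe.com/v1/account_links");
	httpService.setUsername(stripeSecretKey);
	httpService.setPassword("");
	// Bound the wait so a slow Stripe API cannot hold the request thread indefinitely.
	httpService.setTimeout(30);
	httpService.addParam(type="formfield", name="account", value=accountID);
	httpService.addParam(type="formfield", name="refresh_url", value=baseUrl & "/works/stripe-return.cfm?status=refresh");
	httpService.addParam(type="formfield", name="return_url", value=baseUrl & "/works/stripe-return.cfm?status=complete");
	httpService.addParam(type="formfield", name="type", value="account_onboarding");
	var result = httpService.send().getPrefix();

	// A transport failure or non-JSON body must not surface as a raw exception.
	if (!isJSON(result.fileContent ?: "")) {
		return fail("stripe_unavailable");
	}
	var linkData = deserializeJSON(result.fileContent);
	if (structKeyExists(linkData, "error")) {
		return fail(linkData.error.message);
	}
	if (!structKeyExists(linkData, "url")) {
		return fail("stripe_unavailable");
	}
	return { "OK": true, "ONBOARDING_URL": linkData.url };
}

try {
	response = buildResponse();
} catch (any e) {
	// Keep the detail server-side; the client receives a stable, non-revealing code
	// rather than driver/runtime exception text.
	writeLog(type="error", log="application", text="workers/onboardingLink: " & e.message & " | " & (e.detail ?: ""));
	response = fail("internal_error");
}
writeOutput(serializeJSON(response));
</cfscript>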