payfrit-biz/api/auth/verifyLoginOTP.cfm

<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">
<cfcontent type="application/json; charset=utf-8" reset="true">
<cfheader name="Cache-Control" value="no-store">

<cfscript>
/**
 * Verify OTP for LOGIN (existing verified accounts)
 *
 * POST: { "uuid": "...", "otp": "123456" }
 *
 * Returns: { OK: true, UserID: 123, Token: "...", FirstName: "..." }
 */

function apiAbort(required struct payload) {
    writeOutput(serializeJSON(payload));
    abort;
}

function readJsonBody() {
    var raw = getHttpRequestData().content;
    if (isNull(raw)) raw = "";
    if (!len(trim(raw))) return {};
    try {
        var data = deserializeJSON(raw);
        if (isStruct(data)) return data;
    } catch (any e) {}
    return {};
}

try {
    data = readJsonBody();
    userUUID = structKeyExists(data, "uuid") ? trim(data.uuid) : "";
    otp = structKeyExists(data, "otp") ? trim(data.otp) : "";

    if (!len(userUUID) || !len(otp)) {
        apiAbort({ "OK": false, "ERROR": "missing_fields", "MESSAGE": "UUID and OTP are required" });
    }

    // Check for magic OTP bypass (for App Store review)
    isMagicOTP = structKeyExists(application, "MAGIC_OTP_ENABLED")
                 && application.MAGIC_OTP_ENABLED
                 && structKeyExists(application, "MAGIC_OTP_CODE")
                 && otp == application.MAGIC_OTP_CODE;

    // Find verified user with matching UUID and OTP (or magic OTP)
    if (isMagicOTP) {
        qUser = queryExecute("
            SELECT ID, FirstName, LastName
            FROM Users
            WHERE UUID = :uuid
              AND IsContactVerified = 1
            LIMIT 1
        ", {
            uuid: { value: userUUID, cfsqltype: "cf_sql_varchar" }
        }, { datasource: "payfrit" });
    } else {
        qUser = queryExecute("
            SELECT ID, FirstName, LastName
            FROM Users
            WHERE UUID = :uuid
              AND MobileVerifyCode = :otp
              AND IsContactVerified = 1
            LIMIT 1
        ", {
            uuid: { value: userUUID, cfsqltype: "cf_sql_varchar" },
            otp: { value: otp, cfsqltype: "cf_sql_varchar" }
        }, { datasource: "payfrit" });
    }

    if (qUser.recordCount == 0) {
        // Check if UUID exists but OTP is wrong
        qCheck = queryExecute("
            SELECT ID FROM Users WHERE UUID = :uuid AND IsContactVerified = 1
        ", { uuid: { value: userUUID, cfsqltype: "cf_sql_varchar" } }, { datasource: "payfrit" });

        if (qCheck.recordCount > 0) {
            apiAbort({ "OK": false, "ERROR": "invalid_otp", "MESSAGE": "Invalid code. Please try again." });
        } else {
            apiAbort({ "OK": false, "ERROR": "expired", "MESSAGE": "Session expired. Please request a new code." });
        }
    }

    // Clear the OTP (one-time use)
    queryExecute("
        UPDATE Users
        SET MobileVerifyCode = ''
        WHERE UserID = :userId
    ", { userId: { value: qUser.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });

    // Create auth token
    token = replace(createUUID(), "-", "", "all");
    queryExecute("
        INSERT INTO UserTokens (UserID, Token) VALUES (:userId, :token)
    ", {
        userId: { value: qUser.ID, cfsqltype: "cf_sql_integer" },
        token: { value: token, cfsqltype: "cf_sql_varchar" }
    }, { datasource: "payfrit" });

    writeOutput(serializeJSON({
        "OK": true,
        "UserID": qUser.ID,
        "Token": token,
        "FirstName": qUser.FirstName ?: ""
    }));

} catch (any e) {
    apiAbort({
        "OK": false,
        "ERROR": "server_error",
        "MESSAGE": e.message
    });
}
</cfscript>