Security: - orders/submit.cfm: parameterize IN clause (was string-interpolated) - auth/completeProfile.cfm: fix UserID → ID on Users table PK Environment-aware URLs: - Add application.baseUrl to config/environment.cfm - Replace all hardcoded https://biz.payfrit.com with application.baseUrl in: orders/getDetail, tasks/getDetails, auth/completeProfile, auth/avatar, stripe/onboard, users/search, workers/onboardingLink, workers/earlyUnlock Also fix submit.cfm qMeta.ItemID → qMeta.ID (column not in SELECT) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
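<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">
<cfcontent type="application/json; charset=utf-8" reset="true">

<cfscript>
/**
 * Create a Stripe Checkout Session for an activation early unlock.
 * The worker pays the remaining activation balance (ActivationCapCents minus
 * ActivationBalanceCents) by card; Stripe redirects back to
 * <application.baseUrl>/works/stripe-return.cfm with status=success|cancel.
 *
 * Input:  JSON POST body, optionally carrying UserID. When request.UserID is
 *         present (presumably populated by the authentication layer in
 *         Application.cfc — TODO confirm) it is authoritative.
 * Output: JSON. OK=true with CHECKOUT_URL + AMOUNT_DUE_CENTS, or OK=true with
 *         ALREADY_COMPLETE, or OK=false with ERROR (and sometimes MESSAGE).
 *
 * Security notes:
 *  - A body-supplied UserID can never override the authenticated identity. A
 *    mismatch is refused, so one caller cannot open a checkout for — or read the
 *    outstanding balance of — another user. If request.UserID is absent the body
 *    value is still honoured (legacy behaviour); in that case authorization must
 *    be enforced upstream, which this template cannot verify on its own.
 *  - Exception text and raw Stripe error messages are written to the server log,
 *    not returned, so SQL, configuration or API-key fragments never reach clients.
 *  - SQL is bound with a typed parameter; the outbound Stripe call has a timeout.
 */

response = { "OK": false };

try {
    // Parse the body defensively. An empty or non-JSON body must not surface a
    // parser exception (and its message) to the caller.
    rawBody = toString(getHttpRequestData().content);
    requestData = isJSON(rawBody) ? deserializeJSON(rawBody) : {};
    if (!isStruct(requestData)) {
        requestData = {};
    }
    requestedUserID = val(requestData.UserID ?: 0);

    // Authenticated identity, when the auth layer has populated it.
    authUserID = structKeyExists(request, "UserID") ? val(request.UserID) : 0;

    // IDOR guard: the body may only confirm the authenticated user, never replace it.
    if (authUserID > 0 && requestedUserID > 0 && requestedUserID != authUserID) {
        response["ERROR"] = "forbidden";
        response["MESSAGE"] = "UserID does not match the authenticated user.";
        writeOutput(serializeJSON(response));
        abort;
    }
    userID = authUserID > 0 ? authUserID : requestedUserID;

    if (userID <= 0) {
        response["ERROR"] = "missing_params";
        response["MESSAGE"] = "UserID is required.";
        writeOutput(serializeJSON(response));
        abort;
    }

    // Typed bind parameter: the ID is never interpolated into SQL and is sent as an integer.
    qUser = queryExecute("
        SELECT ActivationBalanceCents, ActivationCapCents
        FROM Users WHERE ID = :userID
    ", { userID: { value: userID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });

    if (qUser.recordCount == 0) {
        response["ERROR"] = "user_not_found";
        writeOutput(serializeJSON(response));
        abort;
    }

    // val() turns a NULL column (empty string) into 0, so a NULL cap reads as
    // "already complete" — NOTE(review): confirm that is the intended treatment.
    remainingCents = val(qUser.ActivationCapCents) - val(qUser.ActivationBalanceCents);

    if (remainingCents <= 0) {
        response["OK"] = true;
        response["ALREADY_COMPLETE"] = true;
        writeOutput(serializeJSON(response));
        abort;
    }

    // Fail fast on missing configuration instead of calling Stripe unauthenticated
    // and echoing its error text back to the client.
    stripeSecretKey = application.stripeSecretKey ?: "";
    if (!len(trim(stripeSecretKey))) {
        writeLog(type="error", file="earlyUnlock", text="application.stripeSecretKey is not configured");
        response["ERROR"] = "payment_unavailable";
        writeOutput(serializeJSON(response));
        abort;
    }
    baseUrl = application.baseUrl;

    // Create the Stripe Checkout Session. Stripe authenticates with HTTP basic
    // auth: secret key as username, empty password.
    httpService = new http();
    httpService.setMethod("POST");
    httpService.setUrl("https://api.stripe.com/v1/checkout/sessions");
    httpService.setUsername(stripeSecretKey);
    httpService.setPassword("");
    httpService.setTimeout(30); // seconds; a hung upstream must not pin a request thread

    httpService.addParam(type="formfield", name="mode", value="payment");
    httpService.addParam(type="formfield", name="line_items[0][price_data][unit_amount]", value=remainingCents);
    httpService.addParam(type="formfield", name="line_items[0][price_data][currency]", value="usd");
    httpService.addParam(type="formfield", name="line_items[0][price_data][product_data][name]", value="Payfrit Activation");
    httpService.addParam(type="formfield", name="line_items[0][quantity]", value="1");
    httpService.addParam(type="formfield", name="success_url", value=baseUrl & "/works/stripe-return.cfm?status=success");
    httpService.addParam(type="formfield", name="cancel_url", value=baseUrl & "/works/stripe-return.cfm?status=cancel");
    // user_id is the server-resolved ID (val()'d, auth-checked above), never a raw client string.
    httpService.addParam(type="formfield", name="metadata[user_id]", value=userID);
    httpService.addParam(type="formfield", name="metadata[type]", value="activation_unlock");

    result = httpService.send().getPrefix();

    // A transport failure leaves non-JSON fileContent ("Connection Failure"); a
    // Stripe-side failure returns {"error": {...}}. Both are logged, not echoed,
    // because Stripe messages can include key prefixes and config details.
    sessionData = isJSON(result.fileContent) ? deserializeJSON(result.fileContent) : {};
    if (!isStruct(sessionData) || structKeyExists(sessionData, "error") || !structKeyExists(sessionData, "url")) {
        stripeMessage = (isStruct(sessionData) && structKeyExists(sessionData, "error"))
            ? sessionData.error.message
            : "non-JSON or incomplete response";
        writeLog(type="error", file="earlyUnlock",
            text="Stripe checkout session failed for user " & userID & " (HTTP " & result.statusCode & "): " & stripeMessage);
        response["ERROR"] = "payment_provider_error";
        writeOutput(serializeJSON(response));
        abort;
    }

    response["OK"] = true;
    response["CHECKOUT_URL"] = sessionData.url;
    response["AMOUNT_DUE_CENTS"] = remainingCents;

} catch (any e) {
    // Log the detail server-side; the client gets only a generic code so SQL,
    // configuration and stack text never leak.
    writeLog(type="error", file="earlyUnlock", text="earlyUnlock failed: " & e.message & " " & e.detail);
    response["ERROR"] = "internal_error";
}

writeOutput(serializeJSON(response));
</cfscript>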