This repository has been archived on 2026-03-21. You can view files and clone it, but cannot push or open issues or pull requests.
payfrit-biz/api/auth
John Mizerek 3f15b0c8b6 Fix SQL injection, wrong PK, and hardcoded production URLs
Security:
- orders/submit.cfm: parameterize IN clause (was string-interpolated)
- auth/completeProfile.cfm: fix UserID → ID on Users table PK

Environment-aware URLs:
- Add application.baseUrl to config/environment.cfm
- Replace all hardcoded https://biz.payfrit.com with application.baseUrl in:
  orders/getDetail, tasks/getDetails, auth/completeProfile, auth/avatar,
  stripe/onboard, users/search, workers/onboardingLink, workers/earlyUnlock

Also fix submit.cfm qMeta.ItemID → qMeta.ID (column not in SELECT)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 21:14:19 -08:00
avatar.cfm Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
completeProfile.cfm Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
login.cfm Restore API performance tracking and fix perf dashboard 2026-01-30 17:04:12 -08:00
loginOTP.cfm Fix magic OTP on dev, fix portal login flash of login form 2026-01-31 14:19:36 -08:00
profile.cfm Fix UserID column references in auth endpoints after schema normalization 2026-01-30 17:15:46 -08:00
sendOTP.cfm Fix magic OTP on dev, fix portal login flash of login form 2026-01-31 14:19:36 -08:00
validateToken.cfm Complete DB column normalization: strip redundant table-name prefixes from all SQL queries 2026-01-31 20:03:40 -08:00
verifyLoginOTP.cfm Fix normalized DB column names across all API files 2026-01-31 16:56:41 -08:00
verifyOTP.cfm Fix normalized DB column names across all API files 2026-01-31 16:56:41 -08:00