payfrit-biz/api/auth/verifyLoginOTP.cfm

<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">
<cfcontent type="application/json; charset=utf-8" reset="true">
<cfheader name="Cache-Control" value="no-store">

<cfscript>
/**
 * Verify OTP for LOGIN (existing verified accounts)
 *
 * POST: { "uuid": "...", "otp": "123456" }
 *
 * Returns: { OK: true, UserID: 123, Token: "...", FirstName: "..." }
 */

function apiAbort(required struct payload) {
    writeOutput(serializeJSON(payload));
    abort;
}

function readJsonBody() {
    var raw = getHttpRequestData().content;
    if (isNull(raw)) raw = "";
    if (!len(trim(raw))) return {};
    try {
        var data = deserializeJSON(raw);
        if (isStruct(data)) return data;
    } catch (any e) {}
    return {};
}

try {
    data = readJsonBody();
    userUUID = structKeyExists(data, "uuid") ? trim(data.uuid) : "";
    otp = structKeyExists(data, "otp") ? trim(data.otp) : "";

    if (!len(userUUID) || !len(otp)) {
        apiAbort({ "OK": false, "ERROR": "missing_fields", "MESSAGE": "UUID and OTP are required" });
    }

    // Find verified user by UUID
    qUser = queryTimed("
        SELECT ID, FirstName, LastName, MobileVerifyCode
        FROM Users
        WHERE UUID = :uuid
          AND IsContactVerified = 1
        LIMIT 1
    ", {
        uuid: { value: userUUID, cfsqltype: "cf_sql_varchar" }
    }, { datasource: "payfrit" });

    if (qUser.recordCount == 0) {
        apiAbort({ "OK": false, "ERROR": "expired", "MESSAGE": "Session expired. Please request a new code." });
    }

    // Check OTP: accept real code OR magic code (123456) when enabled
    isMagic = structKeyExists(application, "MAGIC_OTP_ENABLED") && application.MAGIC_OTP_ENABLED
              && structKeyExists(application, "MAGIC_OTP_CODE") && otp == application.MAGIC_OTP_CODE;

    if (qUser.MobileVerifyCode != otp && !isMagic) {
        apiAbort({ "OK": false, "ERROR": "invalid_otp", "MESSAGE": "Invalid code. Please try again." });
    }

    // Clear the OTP (one-time use)
    queryTimed("
        UPDATE Users
        SET MobileVerifyCode = ''
        WHERE ID = :userId
    ", { userId: { value: qUser.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });

    // Create auth token
    token = replace(createUUID(), "-", "", "all");
    queryTimed("
        INSERT INTO UserTokens (UserID, Token) VALUES (:userId, :token)
    ", {
        userId: { value: qUser.ID, cfsqltype: "cf_sql_integer" },
        token: { value: token, cfsqltype: "cf_sql_varchar" }
    }, { datasource: "payfrit" });

    writeOutput(serializeJSON({
        "OK": true,
        "UserID": qUser.ID,
        "Token": token,
        "FirstName": qUser.FirstName ?: ""
    }));

} catch (any e) {
    apiAbort({
        "OK": false,
        "ERROR": "server_error",
        "MESSAGE": e.message
    });
}
</cfscript>