From 41122fc0fb43a6b9ce5ac95d8d8d5c24b4156e86 Mon Sep 17 00:00:00 2001
From: John Mizerek <mizerek@gmail.com>
Date: Mon, 29 Dec 2025 10:01:43 -0800
Subject: [PATCH] fix: correct CFScript syntax in login endpoint

- Fix cflock to lock in CFScript
- Remove var keyword at top-level scope (outside functions)
- Fixes 500 error and now returns proper JSON responses
---
 api/auth/login.cfm | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/api/auth/login.cfm b/api/auth/login.cfm
index 7bcd638..7f4ed93 100644
--- a/api/auth/login.cfm
+++ b/api/auth/login.cfm
@@ -42,16 +42,16 @@ function normalizeUsername(required string u) {
   return x;
 }
 
-var data = readJsonBody();
-var username = structKeyExists(data, "username") ? normalizeUsername("" & data.username) : "";
-var password = structKeyExists(data, "password") ? ("" & data.password) : "";
+data = readJsonBody();
+username = structKeyExists(data, "username") ? normalizeUsername("" & data.username) : "";
+password = structKeyExists(data, "password") ? ("" & data.password) : "";
 
 if (!len(username) || !len(password)) {
   apiAbort({ "OK": false, "ERROR": "missing_fields" });
 }
 
 try {
-  var q = queryExecute(
+  q = queryExecute(
     "
       SELECT UserID, UserFirstName
       FROM Users
@@ -77,7 +77,7 @@ try {
     apiAbort({ "OK": false, "ERROR": "bad_credentials" });
   }
 
-  var token = replace(createUUID(), "-", "", "all");
+  token = replace(createUUID(), "-", "", "all");
 
   queryExecute(
     "INSERT INTO UserTokens (UserID, Token) VALUES (?, ?)",
@@ -89,7 +89,7 @@ try {
   );
 
   // Optional: also set session for browser tools
-  cflock timeout="15" throwontimeout="yes" type="exclusive" scope="session" {
+  lock timeout="15" throwontimeout="yes" type="exclusive" scope="session" {
     session.UserID = q.UserID;
   }
   request.UserID = q.UserID;