fix: correct CFScript syntax in login endpoint

- Fix cflock to lock in CFScript
- Remove var keyword at top-level scope (outside functions)
- Fixes 500 error and now returns proper JSON responses

api/auth/login.cfm

@@ -42,16 +42,16 @@ function normalizeUsername(required string u) {
   return x;
 }
 
-var data = readJsonBody();
+data = readJsonBody();
-var username = structKeyExists(data, "username") ? normalizeUsername("" & data.username) : "";
+username = structKeyExists(data, "username") ? normalizeUsername("" & data.username) : "";
-var password = structKeyExists(data, "password") ? ("" & data.password) : "";
+password = structKeyExists(data, "password") ? ("" & data.password) : "";
 
 if (!len(username) || !len(password)) {
   apiAbort({ "OK": false, "ERROR": "missing_fields" });
 }
 
 try {
-  var q = queryExecute(
+  q = queryExecute(
     "
       SELECT UserID, UserFirstName
       FROM Users
@@ -77,7 +77,7 @@ try {
     apiAbort({ "OK": false, "ERROR": "bad_credentials" });
   }
 
-  var token = replace(createUUID(), "-", "", "all");
+  token = replace(createUUID(), "-", "", "all");
 
   queryExecute(
     "INSERT INTO UserTokens (UserID, Token) VALUES (?, ?)",
@@ -89,7 +89,7 @@ try {
   );
 
   // Optional: also set session for browser tools
-  cflock timeout="15" throwontimeout="yes" type="exclusive" scope="session" {
+  lock timeout="15" throwontimeout="yes" type="exclusive" scope="session" {
     session.UserID = q.UserID;
   }
   request.UserID = q.UserID;