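/**
 * Write a JSON body and stop request processing.
 * Used for API error responses; the HTTP status code is not changed here.
 * @param obj Struct (or any serializable value) emitted as JSON.
 */
function apiAbort(obj) {
    writeOutput(serializeJSON(obj));
    abort;
}

// Determine the current request path from CGI. SCRIPT_NAME is preferred;
// PATH_INFO is only a fallback because it may carry extra path segments
// appended after the actual script.
scriptName = "";
if (structKeyExists(cgi, "SCRIPT_NAME")) {
    scriptName = cgi.SCRIPT_NAME;
} else if (structKeyExists(cgi, "PATH_INFO")) {
    scriptName = cgi.PATH_INFO;
}

// MVP allowlist: PUBLIC endpoint(s) under /api.
// Match on the path SUFFIX (case-insensitive) so it works whether the path is
// /api/servicepoints/list.cfm or /biz.payfrit.com/api/servicepoints/list.cfm,
// but, unlike a substring search, an allowlisted name appearing in the middle
// of a longer path (e.g. trailing path info) does not mark the request public.
publicEndpoints = [
    "/api/businesses/list.cfm",
    "/api/servicepoints/list.cfm"
];
isPublicEndpoint = false;
if (len(scriptName)) {
    for (i = 1; i LTE arrayLen(publicEndpoints); i++) {
        ep = publicEndpoints[i];
        if (len(scriptName) GTE len(ep) && compareNoCase(right(scriptName, len(ep)), ep) EQ 0) {
            isPublicEndpoint = true;
            break;
        }
    }
}

// Copy auth from session if present; an already-set request value wins.
if (!structKeyExists(request, "UserID") && structKeyExists(session, "UserID")) {
    request.UserID = Duplicate(session.UserID);
}
if (!structKeyExists(request, "BusinessID") && structKeyExists(session, "BusinessID")) {
    request.BusinessID = Duplicate(session.BusinessID);
}

// Enforce auth for all /api endpoints EXCEPT allowlisted public endpoints.
// isValid("integer") is stricter than isNumeric (it rejects values such as
// "1.5" or "1e3"), so only a positive whole-number ID passes.
if (!isPublicEndpoint) {
    if (!structKeyExists(request, "UserID") || !isValid("integer", request.UserID) || request.UserID LTE 0) {
        apiAbort({ OK=false, ERROR="not_logged_in" });
    }
    if (!structKeyExists(request, "BusinessID") || !isValid("integer", request.BusinessID) || request.BusinessID LTE 0) {
        apiAbort({ OK=false, ERROR="no_business_selected" });
    }
}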