payfrit-works/api/Application.cfm

<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">

<!---
  FILE: C:\lucee\tomcat\webapps\ROOT\biz.payfrit.com\api\Application.cfm

  GOAL:
  - Ensure /api/* requests run under the SAME CF application/session as biz.payfrit.com
    by including the parent Application.cfm (because CF uses the nearest Application.cfm).
  - Force JSON responses for API requests (never HTML).
  - Gate access based on existing biz login + business "Become" selection:
      session.UserID / request.UserID
      session.BusinessID / request.BusinessID
--->

<!--- Mark API context BEFORE including parent, in case parent logic checks it --->
<cfset request.IsApiRequest = true>

<!---
  CRITICAL:
  Without this include, /api/* becomes a different app/session and won't see logged-in state.
--->
<cfinclude template="../Application.cfm">

<!--- Force JSON for everything under /api --->
<cfcontent type="application/json; charset=utf-8" reset="true">
<cfheader name="Cache-Control" value="no-store">

<cfscript>
function apiAbort(obj) {
  writeOutput(serializeJSON(obj));
  abort;
}

// Some apps store auth in session and copy to request in page code.
// Make /api resilient by copying from session if needed.
if (!structKeyExists(request, "UserID") && structKeyExists(session, "UserID")) {
  request.UserID = Duplicate(session.UserID);
}
if (!structKeyExists(request, "BusinessID") && structKeyExists(session, "BusinessID")) {
  request.BusinessID = Duplicate(session.BusinessID);
}

// Enforce auth for all /api endpoints
if (!structKeyExists(request, "UserID") || !isNumeric(request.UserID) || request.UserID LTE 0) {
  apiAbort({ OK=false, ERROR="not_logged_in" });
}
if (!structKeyExists(request, "BusinessID") || !isNumeric(request.BusinessID) || request.BusinessID LTE 0) {
  apiAbort({ OK=false, ERROR="no_business_selected" });
}
</cfscript>