payfrit/payfrit-works
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
payfrit-works/api/Application.cfm

68 lines
2.1 KiB
Text
Raw Blame History

<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">
<!---
FILE: C:\lucee\tomcat\webapps\ROOT\biz.payfrit.com\api\Application.cfm
MVP CHANGE:
- Public allowlist for:
/api/businesses/list.cfm
/api/servicepoints/list.cfm
IMPORTANT:
- Do NOT rely on exact SCRIPT_NAME equality; in some deployments it may include
the site folder prefix (e.g. /biz.payfrit.com/api/...).
- So we allowlist by "contains" match.
--->
<cfset request.IsApiRequest = true>
<cfinclude template="../Application.cfm">
<cfcontent type="application/json; charset=utf-8" reset="true">
<cfheader name="Cache-Control" value="no-store">
<cfscript>
function apiAbort(obj) {
writeOutput(serializeJSON(obj));
abort;
}
// Determine current request path
scriptName = "";
if (structKeyExists(cgi, "SCRIPT_NAME")) {
scriptName = cgi.SCRIPT_NAME;
} else if (structKeyExists(cgi, "PATH_INFO")) {
scriptName = cgi.PATH_INFO;
}
// MVP allowlist: PUBLIC endpoint(s) under /api
isPublicEndpoint = false;
if (len(scriptName)) {
// Use contains (case-insensitive) so it works whether SCRIPT_NAME is:
// /api/servicepoints/list.cfm OR /biz.payfrit.com/api/servicepoints/list.cfm
if (findNoCase("/api/businesses/list.cfm", scriptName) GT 0) {
isPublicEndpoint = true;
}
if (findNoCase("/api/servicepoints/list.cfm", scriptName) GT 0) {
isPublicEndpoint = true;
}
}
// Copy auth from session if present
if (!structKeyExists(request, "UserID") && structKeyExists(session, "UserID")) {
request.UserID = Duplicate(session.UserID);
}
if (!structKeyExists(request, "BusinessID") && structKeyExists(session, "BusinessID")) {
request.BusinessID = Duplicate(session.BusinessID);
}
// Enforce auth for all /api endpoints EXCEPT allowlisted public endpoints
if (!isPublicEndpoint) {
if (!structKeyExists(request, "UserID") || !isNumeric(request.UserID) || request.UserID LTE 0) {
apiAbort({ OK=false, ERROR="not_logged_in" });
}
if (!structKeyExists(request, "BusinessID") || !isNumeric(request.BusinessID) || request.BusinessID LTE 0) {
apiAbort({ OK=false, ERROR="no_business_selected" });
}
}
</cfscript>
Reference in a new issue View git blame Copy permalink