From 9e31c6d9723216b773fb0773c917a3a85c0aec27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hartmut=20N=C3=B6renberg?= Date: Thu, 9 Apr 2026 21:38:02 +0200 Subject: [PATCH] fix(security): harden cron and API route authentication - public-holidays cron: replace fail-open inline auth check with verifyCronSecret (was open to unauthenticated access when CRON_SECRET unset) - /api/perf: replace timing-unsafe string comparison with verifyCronSecret - /api/health: strip baseUrl and latency fields from response to avoid leaking infrastructure details (NEXTAUTH_URL config, internal timings) Co-Authored-By: Claude Sonnet 4.6 --- apps/web/src/app/api/cron/public-holidays/route.ts | 13 ++++--------- apps/web/src/app/api/health/route.ts | 9 +-------- apps/web/src/app/api/perf/route.ts | 13 +++---------- 3 files changed, 8 insertions(+), 27 deletions(-) diff --git a/apps/web/src/app/api/cron/public-holidays/route.ts b/apps/web/src/app/api/cron/public-holidays/route.ts index 0a91513..6254866 100644 --- a/apps/web/src/app/api/cron/public-holidays/route.ts +++ b/apps/web/src/app/api/cron/public-holidays/route.ts @@ -2,6 +2,7 @@ import { NextResponse } from "next/server"; import { prisma } from "@capakraken/db"; import { autoImportPublicHolidays } from "@capakraken/api"; import { logger } from "@capakraken/api/lib/logger"; +import { verifyCronSecret } from "~/lib/cron-auth.js"; export const dynamic = "force-dynamic"; export const runtime = "nodejs"; @@ -16,17 +17,11 @@ export const runtime = "nodejs"; * Query params: * - year (optional): defaults to next year * - * Optionally protected with CRON_SECRET environment variable. - * When set, requests must include `Authorization: Bearer `. + * Protected with CRON_SECRET via `Authorization: Bearer ` header. */ export async function GET(request: Request) { - const cronSecret = process.env["CRON_SECRET"]; - if (cronSecret) { - const auth = request.headers.get("authorization"); - if (auth !== `Bearer ${cronSecret}`) { - return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); - } - } + const deny = verifyCronSecret(request); + if (deny) return deny; const { searchParams } = new URL(request.url); const yearParam = searchParams.get("year"); diff --git a/apps/web/src/app/api/health/route.ts b/apps/web/src/app/api/health/route.ts index 4032963..745b3af 100644 --- a/apps/web/src/app/api/health/route.ts +++ b/apps/web/src/app/api/health/route.ts @@ -38,18 +38,11 @@ async function checkRedis(): Promise<"ok" | "error"> { }); } -function checkBaseUrl(): { configured: boolean; isLocalhost: boolean } { - const raw = process.env["NEXTAUTH_URL"]?.trim(); - if (!raw) return { configured: false, isLocalhost: false }; - return { configured: true, isLocalhost: raw.startsWith("http://localhost") }; -} - export async function GET() { const [db, redis] = await Promise.all([checkDb(), checkRedis()]); - const baseUrl = checkBaseUrl(); const ok = db === "ok" && redis === "ok"; return NextResponse.json( - { status: ok ? "ok" : "degraded", db, redis, baseUrl, timestamp: new Date().toISOString() }, + { status: ok ? "ok" : "degraded", db, redis }, { status: ok ? 200 : 503 }, ); } diff --git a/apps/web/src/app/api/perf/route.ts b/apps/web/src/app/api/perf/route.ts index 9833f48..c07b463 100644 --- a/apps/web/src/app/api/perf/route.ts +++ b/apps/web/src/app/api/perf/route.ts @@ -1,5 +1,6 @@ import { NextResponse } from "next/server"; import { eventBus } from "@capakraken/api/sse"; +import { verifyCronSecret } from "~/lib/cron-auth.js"; export const dynamic = "force-dynamic"; export const runtime = "nodejs"; @@ -13,16 +14,8 @@ export const runtime = "nodejs"; * Returns Node.js memory usage, process uptime, and SSE connection count. */ export function GET(request: Request) { - const cronSecret = process.env["CRON_SECRET"]; - - if (!cronSecret) { - return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); - } - - const headerToken = request.headers.get("authorization")?.replace("Bearer ", ""); - if (headerToken !== cronSecret) { - return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); - } + const deny = verifyCronSecret(request); + if (deny) return deny; const mem = process.memoryUsage();