Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(security): harden cron and API route authentication

Browse Source 
- public-holidays cron: replace fail-open inline auth check with verifyCronSecret
  (was open to unauthenticated access when CRON_SECRET unset)
- /api/perf: replace timing-unsafe string comparison with verifyCronSecret
- /api/health: strip baseUrl and latency fields from response to avoid
  leaking infrastructure details (NEXTAUTH_URL config, internal timings)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-09 21:38:02 +02:00
parent 3452464809
commit 9e31c6d972
3 changed files with 8 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/api/cron/public-holidays/route.ts
+4 -9
View File
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
import { prisma } from "@capakraken/db";
import { autoImportPublicHolidays } from "@capakraken/api";
import { logger } from "@capakraken/api/lib/logger";
import { verifyCronSecret } from "~/lib/cron-auth.js";
export const dynamic = "force-dynamic";
export const runtime = "nodejs";
@@ -16,17 +17,11 @@ export const runtime = "nodejs";
* Query params:
* - year (optional): defaults to next year
*
* Optionally protected with CRON_SECRET environment variable.
* When set, requests must include `Authorization: Bearer <secret>`.
* Protected with CRON_SECRET via `Authorization: Bearer <secret>` header.
*/
export async function GET(request: Request) {
const cronSecret = process.env["CRON_SECRET"];
if (cronSecret) {
const auth = request.headers.get("authorization");
if (auth !== `Bearer ${cronSecret}`) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
}
const deny = verifyCronSecret(request);
if (deny) return deny;
const { searchParams } = new URL(request.url);
const yearParam = searchParams.get("year");
apps/web/src/app/api/health/route.ts
+1 -8
View File
@@ -38,18 +38,11 @@ async function checkRedis(): Promise<"ok" | "error"> {
});
}
function checkBaseUrl(): { configured: boolean; isLocalhost: boolean } {
const raw = process.env["NEXTAUTH_URL"]?.trim();
if (!raw) return { configured: false, isLocalhost: false };
return { configured: true, isLocalhost: raw.startsWith("http://localhost") };
}
export async function GET() {
const [db, redis] = await Promise.all([checkDb(), checkRedis()]);
const baseUrl = checkBaseUrl();
const ok = db === "ok" && redis === "ok";
return NextResponse.json(
{ status: ok ? "ok" : "degraded", db, redis, baseUrl, timestamp: new Date().toISOString() },
{ status: ok ? "ok" : "degraded", db, redis },
{ status: ok ? 200 : 503 },
);
}
apps/web/src/app/api/perf/route.ts
+3 -10
View File
@@ -1,5 +1,6 @@
import { NextResponse } from "next/server";
import { eventBus } from "@capakraken/api/sse";
import { verifyCronSecret } from "~/lib/cron-auth.js";
export const dynamic = "force-dynamic";
export const runtime = "nodejs";
@@ -13,16 +14,8 @@ export const runtime = "nodejs";
* Returns Node.js memory usage, process uptime, and SSE connection count.
*/
export function GET(request: Request) {
const cronSecret = process.env["CRON_SECRET"];
if (!cronSecret) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const headerToken = request.headers.get("authorization")?.replace("Bearer ", "");
if (headerToken !== cronSecret) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const deny = verifyCronSecret(request);
if (deny) return deny;
const mem = process.memoryUsage();