fix(security): harden cron and API route authentication

- public-holidays cron: replace fail-open inline auth check with verifyCronSecret
  (was open to unauthenticated access when CRON_SECRET unset)
- /api/perf: replace timing-unsafe string comparison with verifyCronSecret
- /api/health: strip baseUrl and latency fields from response to avoid
  leaking infrastructure details (NEXTAUTH_URL config, internal timings)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:38:02 +02:00
parent 3452464809
commit 9e31c6d972
3 changed files with 8 additions and 27 deletions
+1 -8
@@ -38,18 +38,11 @@ async function checkRedis(): Promise<"ok" | "error"> {
});
}
function checkBaseUrl(): { configured: boolean; isLocalhost: boolean } {
const raw = process.env["NEXTAUTH_URL"]?.trim();
if (!raw) return { configured: false, isLocalhost: false };
return { configured: true, isLocalhost: raw.startsWith("http://localhost") };
}
export async function GET() {
const [db, redis] = await Promise.all([checkDb(), checkRedis()]);
const baseUrl = checkBaseUrl();
const ok = db === "ok" && redis === "ok";
return NextResponse.json(
{ status: ok ? "ok" : "degraded", db, redis, baseUrl, timestamp: new Date().toISOString() },
{ status: ok ? "ok" : "degraded", db, redis },
{ status: ok ? 200 : 503 },
);
}
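Review bot: The final `NextResponse.json(...)` call in `GET` sets no caching headers, so a CDN or reverse proxy in front of the app may keep serving a cached 200 after the backing services go down (or a cached 503 after they recover); passing `{ status: ok ? 200 : 503, headers: { "Cache-Control": "no-store" } }` as the second argument makes the health state uncacheable. Depending on the Next.js version, a `GET()` handler that reads neither the request nor any dynamic API can also be rendered statically at build time, so if the module does not already export `dynamic = "force-dynamic"` (not visible in this hunk) that is worth confirming. The per-component `db`/`redis` values are still returned to unauthenticated callers, which is a reasonable trade-off for a health probe, but if the route is reachable from the public internet consider returning only `status` there and the component breakdown on an internal or authenticated path. `checkDb` is outside the hunk, so whether it catches its own errors the way `checkRedis` appears to (returning `"ok" | "error"`) cannot be verified here; an uncaught rejection inside `Promise.all` would turn a failing dependency into a 500 instead of the intended 503.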