fix(security): harden cron and API route authentication

- public-holidays cron: replace fail-open inline auth check with verifyCronSecret (was open to unauthenticated access when CRON_SECRET unset) - /api/perf: replace timing-unsafe string comparison with verifyCronSecret - /api/health: strip baseUrl and latency fields from response to avoid leaking infrastructure details (NEXTAUTH_URL config, internal timings) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:38:02 +02:00
parent 3452464809
commit 9e31c6d972
3 changed files with 8 additions and 27 deletions
@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { eventBus } from "@capakraken/api/sse";
+import { verifyCronSecret } from "~/lib/cron-auth.js";

 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -13,16 +14,8 @@ export const runtime = "nodejs";
 * Returns Node.js memory usage, process uptime, and SSE connection count.
 */
 export function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
-
-  if (!cronSecret) {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }
-
-  const headerToken = request.headers.get("authorization")?.replace("Bearer ", "");
-  if (headerToken !== cronSecret) {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }
+  const deny = verifyCronSecret(request);
+  if (deny) return deny;

  const mem = process.memoryUsage();