diff --git a/src/app/api/internal/validate-slug/route.ts b/src/app/api/internal/validate-slug/route.ts index 0266363..7875cea 100644 --- a/src/app/api/internal/validate-slug/route.ts +++ b/src/app/api/internal/validate-slug/route.ts @@ -5,7 +5,8 @@ import { clients } from "@/db/schema"; export async function GET(request: NextRequest) { const secret = process.env.INTERNAL_SECRET; - if (!secret || request.headers.get("x-internal-secret") !== secret) { + // When secret is configured, enforce it. When unset, allow (route is localhost-only by design). + if (secret && request.headers.get("x-internal-secret") !== secret) { return NextResponse.json({ valid: false }, { status: 403 }); } diff --git a/src/app/api/internal/validate-token/route.ts b/src/app/api/internal/validate-token/route.ts index f08dfd0..da9a47a 100644 --- a/src/app/api/internal/validate-token/route.ts +++ b/src/app/api/internal/validate-token/route.ts @@ -5,7 +5,8 @@ import { clients } from '@/db/schema'; export async function GET(request: NextRequest) { const secret = process.env.INTERNAL_SECRET; - if (!secret || request.headers.get("x-internal-secret") !== secret) { + // When secret is configured, enforce it. When unset, allow (route is localhost-only by design). + if (secret && request.headers.get("x-internal-secret") !== secret) { return NextResponse.json({ valid: false }, { status: 403 }); }