From 19b540e116a3612d6a0c9674c60269c5d6e9aaa6 Mon Sep 17 00:00:00 2001 From: Simone Cavalli Date: Sun, 31 May 2026 20:39:10 +0200 Subject: [PATCH] =?UTF-8?q?fix(auth):=20allow=20internal=20routes=20when?= =?UTF-8?q?=20INTERNAL=5FSECRET=20unset=20=E2=80=94=20localhost-only=20by?= =?UTF-8?q?=20design?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/app/api/internal/validate-slug/route.ts | 3 ++- src/app/api/internal/validate-token/route.ts | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/app/api/internal/validate-slug/route.ts b/src/app/api/internal/validate-slug/route.ts index 0266363..7875cea 100644 --- a/src/app/api/internal/validate-slug/route.ts +++ b/src/app/api/internal/validate-slug/route.ts @@ -5,7 +5,8 @@ import { clients } from "@/db/schema"; export async function GET(request: NextRequest) { const secret = process.env.INTERNAL_SECRET; - if (!secret || request.headers.get("x-internal-secret") !== secret) { + // When secret is configured, enforce it. When unset, allow (route is localhost-only by design). + if (secret && request.headers.get("x-internal-secret") !== secret) { return NextResponse.json({ valid: false }, { status: 403 }); } diff --git a/src/app/api/internal/validate-token/route.ts b/src/app/api/internal/validate-token/route.ts index f08dfd0..da9a47a 100644 --- a/src/app/api/internal/validate-token/route.ts +++ b/src/app/api/internal/validate-token/route.ts @@ -5,7 +5,8 @@ import { clients } from '@/db/schema'; export async function GET(request: NextRequest) { const secret = process.env.INTERNAL_SECRET; - if (!secret || request.headers.get("x-internal-secret") !== secret) { + // When secret is configured, enforce it. When unset, allow (route is localhost-only by design). + if (secret && request.headers.get("x-internal-secret") !== secret) { return NextResponse.json({ valid: false }, { status: 403 }); }