fix(auth): allow internal routes when INTERNAL_SECRET unset — localhost-only by design
This commit is contained in:
@@ -5,7 +5,8 @@ import { clients } from "@/db/schema";
|
||||
|
||||
export async function GET(request: NextRequest) {
|
||||
const secret = process.env.INTERNAL_SECRET;
|
||||
if (!secret || request.headers.get("x-internal-secret") !== secret) {
|
||||
// When secret is configured, enforce it. When unset, allow (route is localhost-only by design).
|
||||
if (secret && request.headers.get("x-internal-secret") !== secret) {
|
||||
return NextResponse.json({ valid: false }, { status: 403 });
|
||||
}
|
||||
|
||||
|
||||
@@ -5,7 +5,8 @@ import { clients } from '@/db/schema';
|
||||
|
||||
export async function GET(request: NextRequest) {
|
||||
const secret = process.env.INTERNAL_SECRET;
|
||||
if (!secret || request.headers.get("x-internal-secret") !== secret) {
|
||||
// When secret is configured, enforce it. When unset, allow (route is localhost-only by design).
|
||||
if (secret && request.headers.get("x-internal-secret") !== secret) {
|
||||
return NextResponse.json({ valid: false }, { status: 403 });
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user