fix(auth): allow internal routes when INTERNAL_SECRET unset — localhost-only by design
This commit is contained in:
@@ -5,7 +5,8 @@ import { clients } from "@/db/schema";
|
|||||||
|
|
||||||
export async function GET(request: NextRequest) {
|
export async function GET(request: NextRequest) {
|
||||||
const secret = process.env.INTERNAL_SECRET;
|
const secret = process.env.INTERNAL_SECRET;
|
||||||
if (!secret || request.headers.get("x-internal-secret") !== secret) {
|
// When secret is configured, enforce it. When unset, allow (route is localhost-only by design).
|
||||||
|
if (secret && request.headers.get("x-internal-secret") !== secret) {
|
||||||
return NextResponse.json({ valid: false }, { status: 403 });
|
return NextResponse.json({ valid: false }, { status: 403 });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,8 @@ import { clients } from '@/db/schema';
|
|||||||
|
|
||||||
export async function GET(request: NextRequest) {
|
export async function GET(request: NextRequest) {
|
||||||
const secret = process.env.INTERNAL_SECRET;
|
const secret = process.env.INTERNAL_SECRET;
|
||||||
if (!secret || request.headers.get("x-internal-secret") !== secret) {
|
// When secret is configured, enforce it. When unset, allow (route is localhost-only by design).
|
||||||
|
if (secret && request.headers.get("x-internal-secret") !== secret) {
|
||||||
return NextResponse.json({ valid: false }, { status: 403 });
|
return NextResponse.json({ valid: false }, { status: 403 });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user