fix(auth): allow internal routes when INTERNAL_SECRET unset — localhost-only by design

This commit is contained in:
2026-05-31 20:39:10 +02:00
parent 6e97a53b73
commit 19b540e116
2 changed files with 4 additions and 2 deletions
+2 -1
View File
@@ -5,7 +5,8 @@ import { clients } from "@/db/schema";
export async function GET(request: NextRequest) { export async function GET(request: NextRequest) {
const secret = process.env.INTERNAL_SECRET; const secret = process.env.INTERNAL_SECRET;
if (!secret || request.headers.get("x-internal-secret") !== secret) { // When secret is configured, enforce it. When unset, allow (route is localhost-only by design).
if (secret && request.headers.get("x-internal-secret") !== secret) {
return NextResponse.json({ valid: false }, { status: 403 }); return NextResponse.json({ valid: false }, { status: 403 });
} }
+2 -1
View File
@@ -5,7 +5,8 @@ import { clients } from '@/db/schema';
export async function GET(request: NextRequest) { export async function GET(request: NextRequest) {
const secret = process.env.INTERNAL_SECRET; const secret = process.env.INTERNAL_SECRET;
if (!secret || request.headers.get("x-internal-secret") !== secret) { // When secret is configured, enforce it. When unset, allow (route is localhost-only by design).
if (secret && request.headers.get("x-internal-secret") !== secret) {
return NextResponse.json({ valid: false }, { status: 403 }); return NextResponse.json({ valid: false }, { status: 403 });
} }