Unauthenticated /api/cron/archive-data Allows Mass Data Deletion #3955

Description

@atul-upadhyay-7

The /api/cron/archive-data endpoint has its authentication check entirely commented out (lines 7-14). The comments state: "we'll leave it open for demonstration/manual triggering or rely on Vercel's network layer."

This allows anyone to call this endpoint to:

  • Delete attendance records from Firestore
  • Purge biometric face descriptor data from users

Other cron routes (/api/cron/attendance-warnings and /api/cron/attendance-risk) properly use authorizeCronRequest from @/lib/cronAuth.

Impact

  • Permanent destruction of user data (attendance records + biometric face data)
  • The 500-record deletion limit can be bypassed by calling the endpoint multiple times
  • Violates data retention policies and could constitute a GDPR/data protection violation
  • Biometric data used for face-based authentication is irrecoverable

Location

app/api/cron/archive-data/route.js, Lines 5-14

Suggested Fix

  • Uncomment and implement the CRON_SECRET authentication check
  • Use authorizeCronRequest(request) from @/lib/cronAuth at the start of the handler
  • Set the CRON_SECRET environment variable in production
