Description
The /api/cron/archive-data endpoint has its authentication check entirely commented out (lines 7-14). The comments state: "we'll leave it open for demonstration/manual triggering or rely on Vercel's network layer."
This allows anyone to call this endpoint to:
- Delete attendance records from Firestore
- Purge biometric face descriptor data from users
Other cron routes (/api/cron/attendance-warnings and /api/cron/attendance-risk) properly use authorizeCronRequest from @/lib/cronAuth.
Impact
- Permanent destruction of user data (attendance records + biometric face data)
- The handler's 500-record per-call deletion limit does not bound the damage: an attacker simply calls the endpoint repeatedly until every record is gone
- Violates data retention policies and could constitute a GDPR/data protection violation
- Biometric data used for face-based authentication is irrecoverable
Location
app/api/cron/archive-data/route.js, Lines 5-14
Suggested Fix
- Uncomment and implement the CRON_SECRET authentication check
- Call authorizeCronRequest(request) from @/lib/cronAuth at the start of the handler, and return before any Firestore writes if it fails
- Set the CRON_SECRET environment variable in production