Skip to content

fix: add authentication to /api/cron/archive-data endpoint (#3955)#3960

Open
atul-upadhyay-7 wants to merge 10 commits into
Premshaw23:masterfrom
atul-upadhyay-7:fix/unauthenticated-cron-archive-data
Open

fix: add authentication to /api/cron/archive-data endpoint (#3955)#3960
atul-upadhyay-7 wants to merge 10 commits into
Premshaw23:masterfrom
atul-upadhyay-7:fix/unauthenticated-cron-archive-data

Conversation

@atul-upadhyay-7

Copy link
Copy Markdown
Contributor

Summary

This PR fixes the unauthenticated /api/cron/archive-data endpoint that allowed anyone to permanently delete attendance records and biometric face data without any authorization.

Changes

  1. Added authorizeCronRequest authentication — The endpoint now verifies the CRON_SECRET Bearer token, matching the pattern used by other cron routes (/api/cron/attendance-warnings, /api/cron/attendance-risk).

  2. Fixed broken import — Changed import { initAdmin } from "@/lib/firebaseAdmin" to import { initializeFirebase } from "@/lib/firebase-admin" (the original module did not exist).

  3. Added export const dynamic = "force-dynamic" — Ensures the route is not statically optimized, consistent with other cron routes.

How It Works

The endpoint now requires a valid Authorization: Bearer <CRON_SECRET> header. Without it, the request receives a 401 Unauthorized response.

Requests without the header:

HTTP 401 Unauthorized

Requests with a valid token proceed normally.

Environment Setup

Ensure CRON_SECRET is set in your production environment variables. Vercel Cron Jobs automatically include this header when configured in vercel.json.

Testing

  1. Call GET /api/cron/archive-data without an auth header — should return 401
  2. Call with Authorization: Bearer <valid CRON_SECRET> — should execute the data retention policy

Related Issue

Fixes #3955

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Unauthenticated /api/cron/archive-data Allows Mass Data Deletion

1 participant