fix: add authentication to /api/cron/archive-data endpoint (#3955)#3960
Open
atul-upadhyay-7 wants to merge 10 commits into
Open
fix: add authentication to /api/cron/archive-data endpoint (#3955)#3960atul-upadhyay-7 wants to merge 10 commits into
atul-upadhyay-7 wants to merge 10 commits into
Conversation
- Add authorizeCronRequest to verify CRON_SECRET Bearer token - Fix broken import from @/lib/firebaseAdmin to @/lib/firebase-admin - Use initializeFirebase instead of non-existent initAdmin - Add export const dynamic = force-dynamic for consistency Fixes Premshaw23#3955
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes the unauthenticated
/api/cron/archive-dataendpoint that allowed anyone to permanently delete attendance records and biometric face data without any authorization.Changes
Added
authorizeCronRequestauthentication — The endpoint now verifies theCRON_SECRETBearer token, matching the pattern used by other cron routes (/api/cron/attendance-warnings,/api/cron/attendance-risk).Fixed broken import — Changed
import { initAdmin } from "@/lib/firebaseAdmin"toimport { initializeFirebase } from "@/lib/firebase-admin"(the original module did not exist).Added
export const dynamic = "force-dynamic"— Ensures the route is not statically optimized, consistent with other cron routes.How It Works
The endpoint now requires a valid
Authorization: Bearer <CRON_SECRET>header. Without it, the request receives a401 Unauthorizedresponse.Requests without the header:
Requests with a valid token proceed normally.
Environment Setup
Ensure
CRON_SECRETis set in your production environment variables. Vercel Cron Jobs automatically include this header when configured invercel.json.Testing
GET /api/cron/archive-datawithout an auth header — should return 401Authorization: Bearer <valid CRON_SECRET>— should execute the data retention policyRelated Issue
Fixes #3955