fix(cron): reject CRON requests when CRON secret is not set (#2343)

waleedlatif1 · web-flow · commit e359dc2946b1 · 2025-12-12T17:08:48.000-08:00
diff --git a/apps/sim/app/api/workflows/middleware.ts b/apps/sim/app/api/workflows/middleware.ts
@@ -42,7 +42,7 @@ export async function validateWorkflowAccess(
       }
 
       const internalSecret = request.headers.get('X-Internal-Secret')
-      if (internalSecret === env.INTERNAL_API_SECRET) {
+      if (env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET) {
         return { workflow }
       }
 
diff --git a/apps/sim/lib/auth/internal.ts b/apps/sim/lib/auth/internal.ts
@@ -69,6 +69,16 @@ export async function verifyInternalToken(
  * Returns null if authorized, or a NextResponse with error if unauthorized
  */
 export function verifyCronAuth(request: NextRequest, context?: string): NextResponse | null {
+  if (!env.CRON_SECRET) {
+    const contextInfo = context ? ` for ${context}` : ''
+    logger.warn(`CRON endpoint accessed but CRON_SECRET is not configured${contextInfo}`, {
+      ip: request.headers.get('x-forwarded-for') ?? request.headers.get('x-real-ip') ?? 'unknown',
+      userAgent: request.headers.get('user-agent') ?? 'unknown',
+      context,
+    })
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
   const authHeader = request.headers.get('authorization')
   const expectedAuth = `Bearer ${env.CRON_SECRET}`
   if (authHeader !== expectedAuth) {

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ export async function validateWorkflowAccess(`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`const internalSecret = request.headers.get('X-Internal-Secret')`
`45`		`- if (internalSecret === env.INTERNAL_API_SECRET) {`
	`45`	`+ if (env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET) {`
`46`	`46`	`return { workflow }`
`47`	`47`	`}`
`48`	`48`