fix: close CRON_SECRET fail-open auth in check-renders + sponsor-outreach

[codercatdev]

Security Fix: CRON_SECRET Fail-Open Auth Vulnerability

The Bug

Both check-renders and sponsor-outreach cron routes had an auth check of the form:

const authHeader = request.headers.get('authorization');
if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {

When CRON_SECRET is not set in the environment, process.env.CRON_SECRET evaluates to undefined, making the comparison string "Bearer undefined". An attacker who knows this pattern can bypass authentication entirely by sending:

Authorization: Bearer undefined

This is a fail-open vulnerability — a missing env var silently disables auth instead of blocking requests.

The Fix

Both files now follow the same fail-close pattern already used in check-research and ingest routes:

const cronSecret = process.env.CRON_SECRET;
if (!cronSecret) {
  console.error('[PIPELINE] CRON_SECRET not configured');
  return Response.json({ error: 'Server misconfigured' }, { status: 503 });
}
const authHeader = request.headers.get('authorization');
if (authHeader !== `Bearer ${cronSecret}`) {

Key changes:

1. Extract process.env.CRON_SECRET into a const cronSecret variable
2. Check !cronSecret before the comparison — returns 503 if not configured (fail-closed)
3. Use cronSecret in the comparison instead of process.env.CRON_SECRET

Files Changed

• app/api/cron/check-renders/route.ts — uses [PIPELINE] log prefix, Response.json() format
• app/api/cron/sponsor-outreach/route.ts — uses [SPONSOR] log prefix, new Response() format

Verification

grep -n "cronSecret" app/api/cron/check-renders/route.ts app/api/cron/sponsor-outreach/route.ts

TypeScript check is clean (pre-existing @vercel/analytics type errors are unrelated to this change).

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
codingcat-dev	Building	Preview, Comment	Mar 5, 2026 3:29am