fix: reject auth when CRON_SECRET is unset#29765
Conversation
…ipeCustomerId The createStripeCustomerId function used a try/catch that treated all errors the same as 'no customer found'. When Stripe API errors occurred (auth failures, network issues, rate limits), the catch block silently created a new customer instead of propagating the error, resulting in duplicate Stripe customers. Replace the broad catch with an explicit check on the response data length — only create a new customer when the list is genuinely empty. Fixes calcom#29455 Signed-off-by: Prathamesh Hukkeri <prathamesh04@users.noreply.github.com>
When CRON_SECRET is not configured, the Bearer token comparison evaluates to `Bearer undefined`, which allows unauthenticated requests to pass the auth check on cron endpoints. Add early return when CRON_SECRET is missing so the comparison is never performed against an undefined value. Signed-off-by: Prathamesh Hukkeri <prathamesh04@users.noreply.github.com>
|
Welcome to Cal.diy, @prathamesh04! Thanks for opening this pull request. A few things to keep in mind:
A maintainer will review your PR soon. Thanks for contributing! |
|
@bandhan-majumder could you take a look when you get a chance? |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
📝 WalkthroughWalkthroughCron authorization guards now reject requests when 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
What does this PR do?
When
CRON_SECRETis not set, the Bearer token comparison evaluates to the string"Bearer undefined", allowing unauthenticated requests to pass auth checks on cron endpoints.Root cause
The original code compares
authHeaderagainstBearer ${process.env.CRON_SECRET}without first verifying thatCRON_SECRETis defined. On default deployments where onlyCRON_API_KEYis configured, this results in comparing against the literal string"Bearer undefined".Fix
Added an early return when
CRON_SECRETis missing so the template literal comparison is never performed against an undefined value. This affects:packages/features/tasker/api/cron.ts— task queue processorpackages/features/tasker/api/cleanup.ts— task cleanupapps/web/app/api/cron/calendar-subscriptions/route.ts— calendar subscription rolloutsapps/web/app/api/cron/calendar-subscriptions-cleanup/route.ts— stale cache cleanupapps/web/app/api/cron/selected-calendars/route.ts— delegation credential selected calendarsAlso added a test in
calendar-subscriptions-cleanupverifying that"Bearer undefined"is rejected whenCRON_SECRETis unset.Closes #29565