Skip to content

fix: reject auth when CRON_SECRET is unset#29765

Open
prathamesh04 wants to merge 2 commits into
calcom:mainfrom
prathamesh04:fix/bearer-undefined-auth
Open

fix: reject auth when CRON_SECRET is unset#29765
prathamesh04 wants to merge 2 commits into
calcom:mainfrom
prathamesh04:fix/bearer-undefined-auth

Conversation

@prathamesh04

Copy link
Copy Markdown

What does this PR do?

When CRON_SECRET is not set, the Bearer token comparison evaluates to the string "Bearer undefined", allowing unauthenticated requests to pass auth checks on cron endpoints.

Root cause

The original code compares authHeader against Bearer ${process.env.CRON_SECRET} without first verifying that CRON_SECRET is defined. On default deployments where only CRON_API_KEY is configured, this results in comparing against the literal string "Bearer undefined".

Fix

Added an early return when CRON_SECRET is missing so the template literal comparison is never performed against an undefined value. This affects:

  • packages/features/tasker/api/cron.ts — task queue processor
  • packages/features/tasker/api/cleanup.ts — task cleanup
  • apps/web/app/api/cron/calendar-subscriptions/route.ts — calendar subscription rollouts
  • apps/web/app/api/cron/calendar-subscriptions-cleanup/route.ts — stale cache cleanup
  • apps/web/app/api/cron/selected-calendars/route.ts — delegation credential selected calendars

Also added a test in calendar-subscriptions-cleanup verifying that "Bearer undefined" is rejected when CRON_SECRET is unset.

Closes #29565

…ipeCustomerId

The createStripeCustomerId function used a try/catch that treated all
errors the same as 'no customer found'. When Stripe API errors occurred
(auth failures, network issues, rate limits), the catch block silently
created a new customer instead of propagating the error, resulting in
duplicate Stripe customers.

Replace the broad catch with an explicit check on the response data
length — only create a new customer when the list is genuinely empty.

Fixes calcom#29455

Signed-off-by: Prathamesh Hukkeri <prathamesh04@users.noreply.github.com>
When CRON_SECRET is not configured, the Bearer token comparison
evaluates to `Bearer undefined`, which allows unauthenticated
requests to pass the auth check on cron endpoints.

Add early return when CRON_SECRET is missing so the comparison
is never performed against an undefined value.

Signed-off-by: Prathamesh Hukkeri <prathamesh04@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

Welcome to Cal.diy, @prathamesh04! Thanks for opening this pull request.

A few things to keep in mind:

  • This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
  • Please review our Contributing Guidelines if you haven't already.
  • Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions Bot added the 🐛 bug Something isn't working label Jul 13, 2026
@prathamesh04

Copy link
Copy Markdown
Author

@bandhan-majumder could you take a look when you get a chance?

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ee1be6d-b2df-4550-b8bc-e27f814583fe

📥 Commits

Reviewing files that changed from the base of the PR and between f004349 and 019b528.

📒 Files selected for processing (7)
  • apps/api/v2/src/modules/stripe/stripe.service.ts
  • apps/web/app/api/cron/calendar-subscriptions-cleanup/__tests__/route.test.ts
  • apps/web/app/api/cron/calendar-subscriptions-cleanup/route.ts
  • apps/web/app/api/cron/calendar-subscriptions/route.ts
  • apps/web/app/api/cron/selected-calendars/route.ts
  • packages/features/tasker/api/cleanup.ts
  • packages/features/tasker/api/cron.ts

📝 Walkthrough

Walkthrough

Cron authorization guards now reject requests when CRON_SECRET is unset, and cleanup route tests cover the Bearer undefined case. Stripe customer provisioning now uses the first customer returned by an email-based lookup, creates a customer only when no match exists, and allows lookup failures to propagate before storing the resolved customer ID.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The Stripe customer ID logic change is unrelated to the cron auth issue and appears out of scope. Move the StripeService change to a separate PR so this patch stays focused on the cron/tasker auth fix.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main fix: rejecting auth when CRON_SECRET is unset.
Description check ✅ Passed The description matches the cron auth fix and the added test in the changeset.
Linked Issues check ✅ Passed The cron/tasker routes now fail closed when CRON_SECRET is missing, and the new test covers the Bearer undefined case from #29565.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🐛 bug Something isn't working size/M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Cron/tasker endpoints authorize with "Bearer undefined" when CRON_SECRET is not set

1 participant