From 146691be001f82467f49350eca8349a2f4796799 Mon Sep 17 00:00:00 2001
From: Matt <matt@Matt-Surface.local>
Date: Tue, 9 Jun 2026 16:03:55 +0200
Subject: [PATCH] fix(auth): allow /api/cron paths past middleware
 (self-guarded by CRON_SECRET)

The middleware matcher intercepts /api/cron/* but the prefix was absent from
publicPaths, so unauthenticated scheduler calls were 307'd to /login and the
cron handlers never ran. All 9 cron routes already enforce x-cron-secret, so
opening the prefix is safe and unblocks the new final-document-reminders cron
(and repairs the existing crons). Same class of gap as the /lunch/pick fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 src/lib/auth.config.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib/auth.config.ts b/src/lib/auth.config.ts
index 26924cd..12b819e 100644
--- a/src/lib/auth.config.ts
+++ b/src/lib/auth.config.ts
@@ -61,6 +61,7 @@ export const authConfig: NextAuthConfig = {
         '/lunch/pick', // external attendees pick a dish via signed token (no account)
         '/api/auth',
         '/api/trpc', // tRPC handles its own auth via procedures
+        '/api/cron', // cron endpoints self-guard via x-cron-secret (CRON_SECRET)
       ]
 
       // Check if it's a public path