MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): allow /api/cron paths past middleware (self-guarded by CRON_SECRET)

Browse Source 
The middleware matcher intercepts /api/cron/* but the prefix was absent from
publicPaths, so unauthenticated scheduler calls were 307'd to /login and the
cron handlers never ran. All 9 cron routes already enforce x-cron-secret, so
opening the prefix is safe and unblocks the new final-document-reminders cron
(and repairs the existing crons). Same class of gap as the /lunch/pick fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-06-09 16:03:55 +02:00
parent e4f13aaed4
commit 146691be00
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/lib/auth.config.ts
View File

@@ -61,6 +61,7 @@ export const authConfig: NextAuthConfig = {
'/lunch/pick', // external attendees pick a dish via signed token (no account) '/lunch/pick', // external attendees pick a dish via signed token (no account)
'/api/auth', '/api/auth',
'/api/trpc', // tRPC handles its own auth via procedures '/api/trpc', // tRPC handles its own auth via procedures
'/api/cron', // cron endpoints self-guard via x-cron-secret (CRON_SECRET)
] ]
// Check if it's a public path // Check if it's a public path