security: gate /api/migrate behind MIGRATION_SECRET in production #11
Open
vorcigernix wants to merge 1 commit into main from
Conversation
The migrate endpoint was previously unauthenticated, allowing anyone to trigger destructive schema changes. Add Bearer-token auth via a MIGRATION_SECRET env var in production. Development/test mode remains open for local DB bootstrap.

Co-authored-by: Ona <no-reply@ona.com>
Motivation

The POST /api/migrate endpoint was completely unauthenticated — any HTTP client could trigger destructive database schema changes in production.

Changes

- app/api/migrate/route.ts — Replace the open endpoint with Authorization: Bearer <secret> validation against a MIGRATION_SECRET env var. In production, requests without a valid token get 401. If MIGRATION_SECRET is not configured at all, the endpoint rejects everything (fail-closed). Development and test modes remain open for local curl bootstrap.
- lib/env-validation.ts — Add MIGRATION_SECRET to the env schema (optional, min 16 chars).
- environment.example — Document the new variable with generation instructions.
- __tests__/api/migrate.test.ts — 9 tests covering: missing secret, missing header, wrong token, wrong auth scheme, valid secret, migration failure, migration throw, and dev/test mode bypass.