fix: harden auth middleware security #1

Merged

schwifty merged 1 commit from schwifty/fix-auth-security into main

2026-03-23 01:44:02 +00:00

Author	SHA1	Message	Date
Schwifty	601245d969	fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret 1. Switch str_contains() to exact match ($path === $route) in PUBLIC_ROUTES check to prevent substring-based route bypass attacks. 2. Remove blanket /api/admin/ bypass that was letting all admin endpoints through without authentication. 3. Add requireCronSecret() — cron/scheduled task endpoints now require a valid X-Cron-Secret header matching the PAYFRIT_CRON_SECRET env var. Uses hash_equals() for timing-safe comparison. Applied to: - cron/expireStaleChats.php - cron/expireTabs.php - api/admin/scheduledTasks/runDue.php	2026-03-23 01:43:43 +00:00

Author

SHA1

Message

Date

Schwifty

601245d969

fix: harden auth middleware — exact route matching, remove admin bypass, add cron secret

1. Switch str_contains() to exact match ($path === $route) in PUBLIC_ROUTES check
   to prevent substring-based route bypass attacks.

2. Remove blanket /api/admin/ bypass that was letting all admin endpoints through
   without authentication.

3. Add requireCronSecret() — cron/scheduled task endpoints now require a valid
   X-Cron-Secret header matching the PAYFRIT_CRON_SECRET env var. Uses
   hash_equals() for timing-safe comparison. Applied to:
   - cron/expireStaleChats.php
   - cron/expireTabs.php
   - api/admin/scheduledTasks/runDue.php

2026-03-23 01:43:43 +00:00