fix(cron): reject CRON requests when CRON secret is not set

apps/sim/app/api/workflows/middleware.ts

@@ -42,7 +42,7 @@ export async function validateWorkflowAccess(
       }
 
       const internalSecret = request.headers.get('X-Internal-Secret')
-      if (internalSecret === env.INTERNAL_API_SECRET) {
+      if (env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET) {
         return { workflow }
       }
 

apps/sim/lib/auth/internal.ts

@@ -69,6 +69,16 @@ export async function verifyInternalToken(
  * Returns null if authorized, or a NextResponse with error if unauthorized
  */
 export function verifyCronAuth(request: NextRequest, context?: string): NextResponse | null {
+  if (!env.CRON_SECRET) {
+    const contextInfo = context ? ` for ${context}` : ''
+    logger.warn(`CRON endpoint accessed but CRON_SECRET is not configured${contextInfo}`, {
+      ip: request.headers.get('x-forwarded-for') ?? request.headers.get('x-real-ip') ?? 'unknown',
+      userAgent: request.headers.get('user-agent') ?? 'unknown',
+      context,
+    })
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
   const authHeader = request.headers.get('authorization')
   const expectedAuth = `Bearer ${env.CRON_SECRET}`
   if (authHeader !== expectedAuth) {