Bug description
POST /api/affiliates/settle is documented as protected by CRON_SECRET, but the guard only rejects when CRON_SECRET is set and the bearer token does not match. If CRON_SECRET is missing or empty in an environment, the route continues and calls settleCommissions with the service client.
Other cron-style routes in this repo fail closed when the cron secret is not configured, so this route should do the same.
Steps to reproduce
- Run the app with CRON_SECRET unset or empty.
- Send POST /api/affiliates/settle without a valid bearer secret.
- The route proceeds into settlement instead of returning 401.
Expected behavior
The route should return 401 when CRON_SECRET is missing, and it should not create the service client or call settleCommissions unless the configured bearer secret is present.
Fix direction
Fail closed when CRON_SECRET is unset and add a route regression test covering both missing config and missing bearer auth.