From 1f3d3a8f7f7daa7b405304d479bd07ec6bec4470 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Wed, 8 Apr 2026 15:39:09 +0700
Subject: [PATCH] fix(security)(app): unauthenticated server shutdown endpoint enables d (#519)

The shutdown API calls `process.exit(0)` on POST without any authentication or authorization checks. Any party that can reach this endpoint can terminate the server process, causing immediate service disruption.

Affected files: route.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 src/app/api/shutdown/route.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/app/api/shutdown/route.js b/src/app/api/shutdown/route.js
index 7ce76ef9..bf7ff107 100644
--- a/src/app/api/shutdown/route.js
+++ b/src/app/api/shutdown/route.js
@@ -1,6 +1,18 @@
 import { NextResponse } from "next/server";
+import { headers } from "next/headers";
 
 export async function POST() {
+  if (process.env.NODE_ENV === "production") {
+    return NextResponse.json({ success: false, message: "Not allowed in production" }, { status: 403 });
+  }
+
+  const secret = process.env.SHUTDOWN_SECRET;
+  const authorization = headers().get("authorization");
+
+  if (!secret || authorization !== `Bearer ${secret}`) {
+    return NextResponse.json({ success: false, message: "Unauthorized" }, { status: 401 });
+  }
+
   const response = NextResponse.json({ success: true, message: "Shutting down..." });
   setTimeout(() => {