What happened?
app/api/deploy/vercel/route.ts allows authenticated users to optionally supply their own Vercel API key. When none is provided, the route falls back to the server's master token:
const { files, name, userApiKey } = await req.json();
// Try user key first, fallback to Editron Master Key
const token = userApiKey || process.env.VERCEL_MASTER_TOKEN;
Any authenticated user who omits userApiKey (or sends it as null, "", or undefined) will trigger a deployment using VERCEL_MASTER_TOKEN. The route does not inform the user that the server's credentials are being used, nor does it restrict who can trigger master-token deployments.
Steps to Reproduce
- Sign in to Editron.
- Send POST /api/deploy/vercel with a valid files array and name, but omit userApiKey or set it to null.
- The deployment is triggered using VERCEL_MASTER_TOKEN.
- The response returns a live Vercel deployment URL belonging to the master account.
Expected Behavior
If the user does not provide their own Vercel API key, the endpoint should return a clear error requiring them to supply one. The master token should not be exposed as a silent fallback for arbitrary authenticated users.
Actual Behavior
The master Vercel token is used for every user who does not supply their own key. Any authenticated Editron user can create unlimited deployments on the server operator's Vercel account, consuming bandwidth and build quota, without the server operator's explicit consent per deployment.
Root Cause Analysis
The || fallback pattern treats a missing or empty userApiKey as permission to use the server's credentials. There is no role check, no rate limit, and no audit log distinguishing master-token deployments from user-token deployments.
Suggested Fix
Require the user to supply their own key and remove the master-token fallback for requests that carry no user key:
const token = userApiKey?.trim();
if (!token) {
  return NextResponse.json(
    { error: "A Vercel API key is required. Please provide your own token in Settings." },
    { status: 400 }
  );
}
If a master-token fallback is intentional (e.g. for free-tier users), document it explicitly and add rate limiting per user to prevent quota exhaustion.
Affected File
app/api/deploy/vercel/route.ts
Environment
- Framework: Next.js (App Router)
- Auth: next-auth session