From 1e5416f4b6446ad133f2c2605879812423937e8c Mon Sep 17 00:00:00 2001
From: SrIzan10 <66965250+SrIzan10@users.noreply.github.com>
Date: Fri, 13 Mar 2026 08:52:20 +0100
Subject: [PATCH] fix: ensure scheme is correct

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 apps/web/src/app/api/metrics/route.ts | 35 +++++++++++++++++++++------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/apps/web/src/app/api/metrics/route.ts b/apps/web/src/app/api/metrics/route.ts
index 563b214..b52c140 100644
--- a/apps/web/src/app/api/metrics/route.ts
+++ b/apps/web/src/app/api/metrics/route.ts
@@ -21,19 +21,38 @@ export async function GET(req: NextRequest) {
 
 // source: https://vancelucas.com/blog/how-to-add-http-basic-auth-to-next-js/
 function isAuthenticated(req: NextRequest) {
-  const authheader = req.headers.get('authorization') || req.headers.get('Authorization');
+  const authheader = req.headers.get('authorization') ?? req.headers.get('Authorization');
 
   if (!authheader) {
     return false;
   }
 
-  const auth = Buffer.from(authheader.split(' ')[1], 'base64').toString().split(':');
-  const user = auth[0];
-  const pass = auth[1];
-
-  if (user == process.env.METRICS_USER && pass == process.env.METRICS_PASS) {
-    return true;
-  } else {
+  const parts = authheader.split(' ');
+  if (parts.length !== 2) {
     return false;
   }
+
+  const scheme = parts[0];
+  const encoded = parts[1];
+
+  if (scheme !== 'Basic' || !encoded) {
+    return false;
+  }
+
+  let decoded: string;
+  try {
+    decoded = Buffer.from(encoded, 'base64').toString();
+  } catch {
+    return false;
+  }
+
+  const separatorIndex = decoded.indexOf(':');
+  if (separatorIndex === -1) {
+    return false;
+  }
+
+  const user = decoded.substring(0, separatorIndex);
+  const pass = decoded.substring(separatorIndex + 1);
+
+  return user === process.env.METRICS_USER && pass === process.env.METRICS_PASS;
 }
\ No newline at end of file
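Review bot: The final line `return user === process.env.METRICS_USER && pass === process.env.METRICS_PASS;` is a plain string comparison, so the time the endpoint takes to reject a request depends on how many leading bytes of the supplied credential match and the `&&` short-circuit additionally reveals whether the user part was right before the password is examined; on a network-reachable metrics route that is a timing side channel. Compare each part with `timingSafeEqual` from `node:crypto` behind a length check, evaluate both results before combining them, and fail closed when either environment variable is unset (the import would have to be added at the top of route.ts, outside this hunk). Two smaller points: the `try/catch` around `Buffer.from(encoded, 'base64')` appears to be unreachable, since Node's base64 decoder tolerates malformed input rather than throwing, so it should not be relied on as input validation; and `scheme !== 'Basic'` is case-sensitive whereas the HTTP auth-scheme token is case-insensitive, which is probably fine for a fixed scraper but deserves a one-line comment such as `// scheme compared case-sensitively on purpose; only our own scraper calls this`.
```typescript
  // … unchanged: header parsing and base64 decoding …
  const expectedUser = process.env.METRICS_USER;
  const expectedPass = process.env.METRICS_PASS;
  if (expectedUser === undefined || expectedPass === undefined) {
    return false; // credentials not configured: deny rather than compare against undefined
  }
  // Evaluate both before combining so a wrong user does not short-circuit the password check.
  const userOk = constantTimeEqual(user, expectedUser);
  const passOk = constantTimeEqual(pass, expectedPass);
  return userOk && passOk;
}

// Length-checked constant-time comparison; requires `timingSafeEqual` from 'node:crypto'.
function constantTimeEqual(a: string, b: string): boolean {
  const left = Buffer.from(a);
  const right = Buffer.from(b);
  return left.length === right.length && timingSafeEqual(left, right);
}
```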