makearmy/makearmy-app
1
0
Fork 0
Code Issues 11 Pull requests Projects Releases Packages Wiki Activity Actions
makearmy-app/middleware.ts

210 lines
7.2 KiB
TypeScript
Raw Blame History

// middleware.ts
import { NextResponse, NextRequest } from "next/server";
/**
* Public pages that should remain reachable without being signed in.
* Everything else is considered protected (including most /api/*).
*/
const PUBLIC_PAGES = new Set<string>([
"/", // ← splash page is public
"/auth/sign-in",
"/auth/sign-up",
]);
/**
* API paths that are explicitly allowed without auth.
* Keep this list tiny. If you don't need any public APIs, leave it empty.
*/
const PUBLIC_API_PREFIXES: string[] = [
"/api/auth", // login/refresh/callback endpoints
// 🔹 Allow the file server endpoints (read-only)
"/api/files/list",
"/api/files/raw",
"/api/files/download",
];
/** Directus base (used to remotely validate the token after restarts). */
const DIRECTUS = (process.env.NEXT_PUBLIC_API_BASE_URL || process.env.DIRECTUS_URL || "").replace(/\/$/, "");
type MapResult = { pathname: string; query?: Record<string, string> };
/** Helper: does the path start with any prefix in a list? */
function startsWithAny(pathname: string, prefixes: string[]) {
return prefixes.some((p) => pathname.startsWith(p));
}
/** Helper: are we about to redirect to the same URL? */
function isSameUrl(req: NextRequest, mapped: MapResult) {
const dest = new URL(req.url);
dest.pathname = mapped.pathname;
if (mapped.query) {
for (const [k, v] of Object.entries(mapped.query)) dest.searchParams.set(k, v);
}
return dest.href === req.url;
}
/** Decode JWT exp (seconds since epoch). We don't verify signature here. */
function jwtExp(token: string): number | null {
try {
const [, payload] = token.split(".");
if (!payload) return null;
const json = JSON.parse(atob(payload.replace(/-/g, "+").replace(/_/g, "/")));
return typeof json.exp === "number" ? json.exp : null;
} catch {
return null;
}
}
/**
* Build redirect to /auth/sign-in?next=<original>.
* Only set reauth=1 (and clear cookies) when opts.reauth === true.
*/
function kickToSignIn(req: NextRequest, opts?: { reauth?: boolean }) {
const wantReauth = !!opts?.reauth;
const orig = new URL(req.url);
const next = orig.pathname + (orig.search || "");
const url = new URL(req.url);
url.pathname = "/auth/sign-in";
url.search = "";
if (wantReauth) url.searchParams.set("reauth", "1");
url.searchParams.set("next", next);
const res = NextResponse.redirect(url);
// Only clear auth markers in true re-auth scenarios
if (wantReauth) {
res.cookies.set("ma_at", "", { maxAge: 0, path: "/" });
res.cookies.set("ma_v", "", { maxAge: 0, path: "/" }); // throttle marker
// res.cookies.set("ma_rt", "", { maxAge: 0, path: "/" }); // if you use refresh tokens
}
return res;
}
export async function middleware(req: NextRequest) {
const url = req.nextUrl.clone();
const { pathname } = url;
// ── 0) Root must never redirect (no mapping, no gating).
if (pathname === "/") return NextResponse.next();
// ── 1) Legacy → Portal mapping (before auth gating)
const mapped = legacyMap(pathname);
if (mapped && !isSameUrl(req, mapped)) {
url.pathname = mapped.pathname;
if (mapped.query) {
for (const [k, v] of Object.entries(mapped.query)) url.searchParams.set(k, v);
}
return NextResponse.redirect(url);
}
// ── 2) Auth gating
const token = req.cookies.get("ma_at")?.value ?? "";
const isAuthRoute = pathname.startsWith("/auth/");
const isProtected = !isPublicPath(pathname);
const forceAuth =
isAuthRoute &&
(url.searchParams.get("reauth") === "1" || url.searchParams.get("force") === "1");
if (!token && isProtected) {
return kickToSignIn(req, { reauth: false });
}
if (token) {
const exp = jwtExp(token);
const expired = !exp || exp * 1000 <= Date.now();
if (isAuthRoute && !expired && !forceAuth) {
url.pathname = "/portal";
url.search = "";
return NextResponse.redirect(url);
}
if (isProtected) {
if (expired) {
return kickToSignIn(req, { reauth: true });
}
if (DIRECTUS) {
const nowMinute = Math.floor(Date.now() / 60000).toString();
const lastValidated = req.cookies.get("ma_v")?.value;
if (lastValidated !== nowMinute) {
try {
const r = await fetch(`${DIRECTUS}/users/me?fields=id`, {
headers: {
Authorization: `Bearer ${token}`,
Accept: "application/json",
},
cache: "no-store",
});
if (!r.ok) {
return kickToSignIn(req, { reauth: true });
}
const res = NextResponse.next();
res.cookies.set("ma_v", nowMinute, {
path: "/",
httpOnly: false,
sameSite: "lax",
maxAge: 90,
});
return res;
} catch {
return kickToSignIn(req, { reauth: true });
}
}
}
}
}
return NextResponse.next();
}
function legacyMap(pathname: string): MapResult | null {
if (pathname === "/" || pathname.startsWith("/portal")) return null;
// detail mappings elided for brevity…
const listRules: Array<[RegExp, MapResult]> = [
[/^\/background-remover\/?$/i, { pathname: "/portal/utilities", query: { t: "background-remover" } }],
[/^\/laser-toolkit\/?$/i, { pathname: "/portal/utilities", query: { t: "laser-toolkit" } }],
[/^\/files\/?$/i, { pathname: "/portal/utilities", query: { t: "files" } }],
[/^\/buying-guide\/?$/i, { pathname: "/portal/buying-guide" }],
[/^\/lasers\/?$/i, { pathname: "/portal/laser-sources" }],
[/^\/projects\/?$/i, { pathname: "/portal/projects" }],
[/^\/my\/rigs\/?$/i, { pathname: "/portal/rigs", query: { t: "my" } }],
];
for (const [re, dest] of listRules) {
if (re.test(pathname)) return dest;
}
return null;
}
function isPublicPath(pathname: string): boolean {
if (PUBLIC_PAGES.has(pathname)) return true;
if (
pathname.startsWith("/_next/") ||
pathname.startsWith("/static/") ||
pathname.startsWith("/images/") ||
pathname === "/favicon.ico" ||
pathname === "/robots.txt" ||
pathname === "/sitemap.xml"
) {
return true;
}
if (pathname.startsWith("/api/")) {
return startsWithAny(pathname, PUBLIC_API_PREFIXES);
}
return false;
}
export const config = {
matcher: ["/((?!_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml|images|static).*)"],
};
Reference in a new issue View git blame Copy permalink