duo-keyboard-koalition.vercel.app/middleware.ts at main · Duo-Keyboard-Koalition/duo-keyboard-koalition.vercel.app · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
import { NextResponse, type NextRequest } from "next/server"
import { createServerClient } from "@supabase/ssr"

// Routes that do NOT require authentication
const PUBLIC_PATHS = ["/", "/auth/callback", "/unauthorized"]

// API routes that are intentionally public (opt-in allowlist)
const PUBLIC_API_PATHS = ["/api/health", "/api/contact", "/api/report"]

function isPublicRoute(pathname: string): boolean {
  if (PUBLIC_PATHS.some((p) => pathname === p)) return true
  if (PUBLIC_API_PATHS.some((p) => pathname === p)) return true
  if (pathname.startsWith("/_next/") || pathname.startsWith("/favicon")) return true
  return false
}

export async function middleware(request: NextRequest) {
  const { pathname } = new URL(request.url)

  let response = NextResponse.next({
    request: { headers: request.headers },
  })

  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        get(name) {
          return request.cookies.get(name)?.value
        },
        set(name, value, options) {
          request.cookies.set({ name, value, ...options })
          response = NextResponse.next({ request: { headers: request.headers } })
          response.cookies.set({ name, value, ...options })
        },
        remove(name, options) {
          request.cookies.set({ name, value: "", ...options })
          response = NextResponse.next({ request: { headers: request.headers } })
          response.cookies.set({ name, value: "", ...options })
        },
      },
    }
  )

  // Refresh session on every request (keeps cookie fresh)
  const {
    data: { user },
    error,
  } = await supabase.auth.getUser()

  if (isPublicRoute(pathname)) {
    return response
  }

  // Protected route — require authenticated user
  if (!user || error) {
    // For API routes, return 401 JSON instead of redirect
    if (pathname.startsWith("/api/")) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
    }
    return NextResponse.redirect(new URL("/unauthorized", request.url))
  }

  return response
}

export const config = {
  matcher: [
    "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
  ],
}