-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
74 lines (62 loc) · 2.33 KB
/
middleware.ts
File metadata and controls
74 lines (62 loc) · 2.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
/**
* Middleware for authentication and route protection
*
* Protects sensitive routes like dashboard, monitoring, and reports
* Can be extended to add rate limiting, CORS, etc.
*/
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
// Protected routes
const isProtectedRoute =
pathname.startsWith('/dashboard') ||
pathname.startsWith('/api/metrics') ||
pathname.startsWith('/api/reports');
// Check if route needs authentication
if (isProtectedRoute) {
// In development, allow access without authentication
if (process.env.NODE_ENV === 'development' && process.env.SKIP_AUTH === 'true') {
return NextResponse.next();
}
// Check for session/auth token
// This is a simple example - replace with your actual auth logic
const authToken = request.cookies.get('auth-token')?.value;
const sessionToken = request.cookies.get('next-auth.session-token')?.value;
// If using NextAuth
if (!sessionToken && !authToken) {
// Redirect to login for page routes
if (!pathname.startsWith('/api')) {
const loginUrl = new URL('/auth/signin', request.url);
loginUrl.searchParams.set('callbackUrl', pathname);
return NextResponse.redirect(loginUrl);
}
// Return 401 for API routes
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 401 }
);
}
}
// Add security headers
const response = NextResponse.next();
response.headers.set('X-Frame-Options', 'DENY');
response.headers.set('X-Content-Type-Options', 'nosniff');
response.headers.set('X-XSS-Protection', '1; mode=block');
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
// CORS headers for API routes
if (pathname.startsWith('/api')) {
response.headers.set('Access-Control-Allow-Origin', process.env.ALLOWED_ORIGIN || '*');
response.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
}
return response;
}
// Configure which routes middleware runs on
export const config = {
matcher: [
'/dashboard/:path*',
'/api/metrics/:path*',
'/api/reports/:path*',
],
};