-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathproxy.ts
More file actions
124 lines (108 loc) · 4.3 KB
/
proxy.ts
File metadata and controls
124 lines (108 loc) · 4.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
import { createServerClient } from '@supabase/ssr'
import { NextResponse, type NextRequest } from 'next/server'
/**
* LMXEngine Middleware
* Unified security and session management layer.
*/
export default async function middleware(request: NextRequest) {
let response = NextResponse.next({
request: {
headers: request.headers,
},
})
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
if (!supabaseUrl || !supabaseAnonKey) {
return response;
}
const supabase = createServerClient(
supabaseUrl,
supabaseAnonKey,
{
cookies: {
getAll() {
return request.cookies.getAll()
},
setAll(cookiesToSet) {
cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value))
response = NextResponse.next({
request: {
headers: request.headers,
},
})
cookiesToSet.forEach(({ name, value, options }) =>
response.cookies.set(name, value, options)
)
},
},
}
)
// Using getUser() is the secure way to check auth, but we handle the specific "refresh_token_not_found" error.
const { data: { user }, error } = await supabase.auth.getUser()
// 1. Handle Refresh Token Error / Missing Session
if (error && error.code === 'refresh_token_not_found') {
// Clear cookies and bounce to login if trying to access protected routes
const isProtected = request.nextUrl.pathname.startsWith('/admin') || request.nextUrl.pathname.startsWith('/checkout');
if (isProtected) {
const redirectResponse = NextResponse.redirect(new URL('/login', request.url))
// Attempt to clear session cookies
redirectResponse.cookies.delete('sb-access-token')
redirectResponse.cookies.delete('sb-refresh-token')
return redirectResponse
}
}
// 2. Admin Portal Protection
if (request.nextUrl.pathname.startsWith('/admin')) {
if (!user) {
return NextResponse.redirect(new URL('/login', request.url))
}
const { data: profile } = await supabase
.from('profiles')
.select('role')
.eq('id', user.id)
.single()
if (!profile || profile.role !== 'admin') {
return NextResponse.redirect(new URL('/', request.url))
}
}
// 3. Checkout Flow Protection
if (request.nextUrl.pathname.startsWith('/checkout')) {
if (!user) {
return NextResponse.redirect(new URL(`/login?next=${request.nextUrl.pathname}`, request.url))
}
}
// 4. Login Redirect Logic
if (user && request.nextUrl.pathname.startsWith('/login')) {
return NextResponse.redirect(new URL('/', request.url))
}
// 5. Kill Switch (Store Enabled Check)
if (!request.nextUrl.pathname.startsWith('/admin') &&
!request.nextUrl.pathname.startsWith('/api') &&
!request.nextUrl.pathname.startsWith('/login') &&
!request.nextUrl.pathname.startsWith('/_next') &&
!request.nextUrl.pathname.startsWith('/maintenance')) {
// Use service role or public check for settings?
// profiles RLS is based on is_admin(), so for public we need to ensure site_settings is public.
const { data: settings } = await supabase
.from('site_settings')
.select('setting_value')
.eq('setting_key', 'store_enabled')
.single();
if (settings && settings.setting_value === false) {
return NextResponse.redirect(new URL('/maintenance', request.url));
}
}
return response
}
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* - api/webhooks (Stripe needs public access)
*/
'/((?!_next/static|_next/image|favicon.ico|api/webhooks|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
],
}