
refactor(proxy): enhance authentication middleware with improved token handling and cookie management#290

Merged
xun082 merged 1 commit into main from refactor/proxy
Feb 5, 2026

Conversation

Owner

@xun082 xun082 commented Feb 5, 2026

PR Description

PR Type

  • 🐛 Bug fix
  • ✨ New feature
  • 💄 UI/UX improvement
  • ♻️ Refactor
  • 🚀 Performance optimization
  • 📝 Documentation update
  • 🔄 Other

Related Issue

Closes #

Additional Information


netlify bot commented Feb 5, 2026

Deploy Preview for ornate-blancmange-89db6b failed. Why did it fail? →

Name Link
🔨 Latest commit 9c74530
🔍 Latest deploy log https://app.netlify.com/projects/ornate-blancmange-89db6b/deploys/69845e188e24550008beaabe

@xun082 xun082 merged commit c9bd6ff into main Feb 5, 2026
0 of 6 checks passed
Contributor

Summary of Changes

Hello @xun082, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the application's authentication middleware by refactoring its token and cookie management logic for improved robustness and readability. Concurrently, it simplifies the Next.js configuration by removing outdated or redundant settings, aiming for a leaner and more maintainable project setup.

Highlights

  • Authentication Middleware Refinement: The proxy.ts file has been significantly refactored to improve token handling and cookie management within the authentication middleware. This includes introducing constants for cookie names and expiry, new helper functions for clarity, and robust validation for tokens.
  • Next.js Configuration Simplification: The next.config.ts file has undergone a major cleanup, removing numerous commented-out sections, deprecated configurations, and extensive webpack optimizations. This streamlines the build process and configuration.
  • Development Script Update: The dev script in package.json has been simplified, removing the explicit --webpack flag, indicating a shift towards Next.js's default development bundler.
Changelog
  • apps/DocFlow/next.config.ts
    • Removed extensive webpack optimization configurations, modular import settings, and development indicators.
    • Simplified image optimization settings by removing unoptimized and remotePatterns.
    • Streamlined experimental.optimizePackageImports by removing @tiptap/react, @tiptap/core, and @tanstack/react-query.
    • Removed Sentry configuration comments and related webpack settings.
  • apps/DocFlow/package.json
    • Updated the dev script to next dev, removing the explicit --webpack flag.
  • apps/DocFlow/src/proxy.ts
    • Introduced constants (AUTH_COOKIES, DEFAULT_TOKEN_EXPIRY_MS, INVALID_TOKEN_VALUES) for better maintainability.
    • Added AuthCookies interface for type safety.
    • Refactored isValidToken, clearAuthCookies, redirectToAuth, and isTokenExpired into more modular and robust helper functions.
    • Implemented new helper functions extractAuthCookies and buildAuthUrl.
    • Enhanced redirectToAuth to include an optional reason for logging in development.
    • The main proxy function now leverages these refactored helpers for clearer authentication flow.
Activity
  • The pull request was created by xun082.
  • The PR description indicates a 'refactor' type.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

Hello! This refactor of the proxy.ts authentication middleware is excellent; the code structure, readability and maintainability have all improved greatly, which is commendable. However, during review I found some issues that need your attention. First, a key webpack optimization configuration was removed from next.config.ts, which may negatively affect production performance; I have left a detailed comment in the file. Second, I found two potential security vulnerabilities in the token expiry logic in proxy.ts, and I have proposed specific changes in the code. Please pay particular attention to the critical and high severity feedback.

@@ -6,282 +6,82 @@ import path from 'path';
const nextConfig: NextConfig = {
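Review bot: This hunk header replaces 282 lines of next.config.ts with 82, and the page shows the Netlify deploy preview failing at commit 9c74530 with 0 of 6 checks passed; a build-configuration deletion of this size should not be merged while the build is red. Please either get the checks green first or move the next.config.ts and package.json changes into their own PR, since they are unrelated to the proxy.ts refactor this PR is titled for.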

critical

The webpack configuration property has been removed from the nextConfig object. That configuration contained important performance optimizations for production builds, in particular a custom code-splitting strategy implemented through splitChunks that created dedicated chunks for large dependencies such as tiptap, which is essential for optimizing initial load time. Removing it may increase the initial bundle size under the default chunking strategy and degrade load performance.

What is the reason for removing this configuration? If this is intentional, I recommend profiling the production build to verify the impact. Furthermore, this is a significant change that seems unrelated to the main goal of this PR (refactoring the proxy middleware); it should be explained in the PR description or handled in a separate PR.

const { timestamp, expiresIn } = authCookies;

if (!timestamp) {
return false;
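Review bot: The early return in `if (!timestamp) { return false; }` fails open: a request that simply omits the timestamp cookie is treated as having a token that never expires, so the expiry check can be bypassed by dropping one cookie. Return `true` here so that an unverifiable timestamp forces re-authentication, and apply the same fail-closed rule to a timestamp that is present but not parseable.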

critical

There is a security risk here. When the timestamp cookie is missing, the function returns false, which means the token is treated as never expiring. The correct approach is to fail closed: when the timestamp cannot be verified, treat the token as expired to force re-authentication.

Suggested change
return false;
return true;

const authTime = parseInt(timestamp);
const now = Date.now();
const expiryMs = expiresIn ? parseInt(expiresIn) * 1000 : 7 * 24 * 60 * 60 * 1000; // 默认7天
const expiryMs = expiresIn ? Number(expiresIn) * 1000 : DEFAULT_TOKEN_EXPIRY_MS;
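Review bot: `const authTime = parseInt(timestamp);` has the same NaN problem as the expiresIn line below it: a non-numeric timestamp makes `authTime` NaN, `now - authTime > expiryMs` is then always false, and the token never expires. Falling back with `|| DEFAULT_TOKEN_EXPIRY_MS` only guards expiryMs; validate both values with `Number.isFinite` and treat an invalid authTime as expired rather than as zero. Also pass a radix (`parseInt(timestamp, 10)`) or use `Number` for both fields so the two cookies are parsed consistently.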

high

In the current implementation, if the expiresIn cookie exists but its value is a non-numeric string (for example 'abc'), Number(expiresIn) yields NaN, so expiryMs is also NaN, and the comparison now - authTime > NaN is always false. The token is therefore never judged to be expired, which is a security risk. The code should handle invalid expiresIn values more robustly, for example by falling back to the default value.

Suggested change
const expiryMs = expiresIn ? Number(expiresIn) * 1000 : DEFAULT_TOKEN_EXPIRY_MS;
const expiryMs = (Number(expiresIn) * 1000) || DEFAULT_TOKEN_EXPIRY_MS;
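The two expiry findings in this review (the fail-open return on a missing timestamp, and NaN from a non-numeric expiresIn) worked through as an added example; this is not the project's proxy.ts. DEFAULT_TOKEN_EXPIRY_MS and the AuthCookies interface are named on the page, but their definitions below are assumed; the parsePositiveNumber helper, the injectable now parameter and the rejection of future timestamps are additions of this example. The fail-open variant reproduces the shape of the reviewed code so the two can be compared on the same inputs.

```typescript
// Added example, not the project's code. Names and shapes below are assumptions.

// 7 days, matching the default the removed line computed inline.
export const DEFAULT_TOKEN_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000;

// Subset of the page's AuthCookies interface that the expiry check needs (assumed shape).
export interface AuthCookies {
  timestamp?: string; // epoch milliseconds at authentication time, as a cookie string
  expiresIn?: string; // lifetime in seconds, as a cookie string
}

/** Parse a cookie value as a finite, positive number; undefined for anything else. */
function parsePositiveNumber(value: string | undefined): number | undefined {
  if (value === undefined || value.trim() === "") return undefined;
  // Number() rather than parseInt(): parseInt("12abc", 10) would silently accept "12".
  const n = Number(value);
  return Number.isFinite(n) && n > 0 ? n : undefined;
}

/**
 * Fail-closed expiry check: true means the session must re-authenticate.
 * - missing or unparsable timestamp  -> expired (never "no timestamp, never expires")
 * - unparsable or non-positive expiresIn -> default lifetime, never NaN
 * - timestamp in the future -> expired (a forged cookie must not extend its own life;
 *   clock-skew tolerance is a policy choice this example does not add)
 */
export function isTokenExpired(cookies: AuthCookies, now: number = Date.now()): boolean {
  const authTime = parsePositiveNumber(cookies.timestamp);
  if (authTime === undefined) return true;

  const expiresInSec = parsePositiveNumber(cookies.expiresIn);
  const expiryMs = expiresInSec !== undefined ? expiresInSec * 1000 : DEFAULT_TOKEN_EXPIRY_MS;

  if (authTime > now) return true;
  return now - authTime > expiryMs;
}

/**
 * Shape of the reviewed logic, kept only for comparison: a missing timestamp
 * returns false, and a non-numeric expiresIn turns expiryMs into NaN, so the
 * `>` comparison is always false and the token never expires.
 */
export function isTokenExpiredFailOpen(cookies: AuthCookies, now: number = Date.now()): boolean {
  const { timestamp, expiresIn } = cookies;
  if (!timestamp) return false;
  const authTime = parseInt(timestamp, 10);
  const expiryMs = expiresIn ? Number(expiresIn) * 1000 : DEFAULT_TOKEN_EXPIRY_MS;
  return now - authTime > expiryMs;
}

// Constructed sample cookies, evaluated against a fixed clock so the run is reproducible.
const SAMPLE_NOW = 1_700_000_000_000;
const DAY_MS = 24 * 60 * 60 * 1000;
const staleWithBadLifetime: AuthCookies = { timestamp: String(SAMPLE_NOW - 10 * DAY_MS), expiresIn: "abc" };
console.log("fail-open  :", isTokenExpiredFailOpen(staleWithBadLifetime, SAMPLE_NOW)); // false: never expires
console.log("fail-closed:", isTokenExpired(staleWithBadLifetime, SAMPLE_NOW));         // true: 10 days > 7-day default
```

The decisive difference is that every parse failure collapses to a single question ("do I have a trustworthy number?") before any arithmetic happens, so NaN can never reach the comparison; the fallback to DEFAULT_TOKEN_EXPIRY_MS is applied only to the lifetime, never to the authentication time, because a missing lifetime has a sensible default while a missing authentication time does not.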
