forked from tscircuit/chat.tscircuit.com
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
110 lines (91 loc) · 3.37 KB
/
middleware.ts
File metadata and controls
110 lines (91 loc) · 3.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
import { NextResponse } from "next/server"
import type { NextRequest } from "next/server"
import * as jose from "jose"
import type { SessionData } from "@/app/(auth)/auth-store"
// This middleware runs on every request
export function middleware(request: NextRequest) {
// Get the pathname from the URL
const { pathname } = request.nextUrl
// Allow public routes to bypass authentication checks
if (pathname.startsWith("/login") || pathname.startsWith("/_next")) {
return NextResponse.next()
}
// Check for session token in cookies
const sessionToken = request.cookies.get("session_token")?.value
// Check for session token in URL query parameter (for OAuth redirects)
const url = request.nextUrl.clone()
const urlSessionToken = url.searchParams.get("session_token")
// If token is in URL, verify it and set a cookie
if (urlSessionToken) {
try {
const decoded = jose.decodeJwt<SessionData>(urlSessionToken)
// Check if token is valid
if (decoded && decoded.exp * 1000 > Date.now()) {
// Clean the URL by removing the session_token parameter
url.searchParams.delete("session_token")
// Create a new response with the cleaned URL
const response = NextResponse.redirect(url)
// Set the token in a cookie
response.cookies.set({
name: "session_token",
value: urlSessionToken,
httpOnly: true,
secure: process.env.NODE_ENV === "production",
sameSite: "lax",
maxAge: 60 * 60 * 24 * 7, // 1 week
path: "/",
})
return response
}
} catch (error) {
// Invalid token in URL
console.error("Invalid session token in URL:", error)
}
}
if (pathname.startsWith("/api/")) {
// Allow public read access to documents for shared chats
if (pathname.startsWith("/api/document") && request.method === "GET") {
return NextResponse.next()
}
if (!sessionToken) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
}
try {
const decoded = jose.decodeJwt<SessionData>(sessionToken)
// Check if token is expired
if (decoded.exp * 1000 < Date.now()) {
return NextResponse.json({ error: "Token expired" }, { status: 401 })
}
// Valid token for API routes, continue
return NextResponse.next()
} catch (error) {
return NextResponse.json({ error: "Invalid token" }, { status: 401 })
}
}
// For non-API routes, redirect to login if no valid token
if (!sessionToken) {
return NextResponse.redirect(new URL("/login", request.url))
}
try {
const decoded = jose.decodeJwt<SessionData>(sessionToken)
// Check if token is expired
if (decoded.exp * 1000 < Date.now()) {
// Token expired, redirect to login
const response = NextResponse.redirect(new URL("/login", request.url))
response.cookies.delete("session_token")
return response
}
// Valid token, let the request proceed
return NextResponse.next()
} catch (error) {
// Invalid token, redirect to login
console.error("Invalid session token:", error)
const response = NextResponse.redirect(new URL("/login", request.url))
response.cookies.delete("session_token")
return response
}
}
// Configure which paths the middleware runs on
export const config = {
matcher: ["/", "/:id", "/api/:path*", "/login"],
}