
Commit 75e88db

drhemaclaude
andcommitted
fix: remove conflicting middleware.ts, enhance proxy.ts auth
- Delete middleware.ts (Next.js 16 uses proxy.ts instead) - Add JWT verification for page routes (not just token existence) - Protect root / and all app pages (stats, skills, mcp, openbook) - Clear invalid cookies on expired JWT Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 2fd3ce8 commit 75e88db

2 files changed

Lines changed: 12 additions & 63 deletions


src/middleware.ts

Lines changed: 0 additions & 61 deletions
This file was deleted.

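--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -55,12 +55,22 @@ export async function proxy(req: NextRequest) {
 }
 }
 
-// Protect app pages (redirect to login)
-if (pathname.startsWith('/chat') || pathname.startsWith('/vibecoder') || pathname.startsWith('/settings')) {
+// Protect app pages (redirect to login if no valid token)
+if (pathname === '/' || pathname.startsWith('/chat') || pathname.startsWith('/vibecoder') || pathname.startsWith('/settings') || pathname.startsWith('/stats') || pathname.startsWith('/skills') || pathname.startsWith('/mcp') || pathname.startsWith('/openbook')) {
 const token = req.cookies.get('vibecoder-token')?.value
 if (!token) {
 return NextResponse.redirect(new URL('/login', req.url))
 }
+// Also verify JWT for pages (not just existence)
+if (JWT_SECRET) {
+try {
+await jwtVerify(token, JWT_SECRET)
+} catch {
+const response = NextResponse.redirect(new URL('/login', req.url))
+response.cookies.delete('vibecoder-token')
+return response
+}
+}
 }
 
 return addSecurityHeaders(NextResponse.next())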
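Review bot: The new verification block guarded by `if (JWT_SECRET) {` fails open: when the secret is unset or empty, `jwtVerify` is skipped and any non-empty `vibecoder-token` cookie still passes the `!token` check and reaches the protected pages. How `JWT_SECRET` is built is outside this hunk, so this is inferred from the guard alone, but a missing secret should deny rather than allow, e.g. `if (!JWT_SECRET) return NextResponse.redirect(new URL('/login', req.url))` ahead of the `try`. The `jwtVerify(token, JWT_SECRET)` call also passes no options; pinning the expected algorithm with `{ algorithms: ['HS256'] }` (or whichever algorithm the issuer actually uses) would make the accepted token shape explicit. Separately, the protected set is a hand-maintained prefix list, so any page added later is reachable without a token until someone extends this condition; inverting it to a short list of public paths would default new routes to protected. The body of `proxy` starts above and continues below the hunk.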
