-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.js
More file actions
41 lines (32 loc) · 1.3 KB
/
middleware.js
File metadata and controls
41 lines (32 loc) · 1.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import NextAuth from "next-auth"
import { authConfig } from "./auth.config"
export const { auth } = NextAuth(authConfig)
const ALLOWED_ORIGIN = process.env.NEXTAUTH_URL || 'http://localhost:3000';
/** Routes that mutate state and should only accept same-origin requests */
const CSRF_PROTECTED = ['/api/payments', '/api/bookings'];
export default auth((req) => {
const { pathname, origin } = req.nextUrl;
// ── CSRF / Origin check on mutating API routes ──
if (CSRF_PROTECTED.some(p => pathname.startsWith(p))) {
const requestOrigin = req.headers.get('origin');
if (requestOrigin && requestOrigin !== ALLOWED_ORIGIN) {
return new Response(JSON.stringify({ error: 'Forbidden' }), {
status: 403,
headers: { 'Content-Type': 'application/json' },
});
}
}
// ── Auth / role guards ──
const isLoggedIn = !!req.auth;
const isProtected = pathname.startsWith('/booking') || pathname.startsWith('/admin');
const isAdminRoute = pathname.startsWith('/admin');
if (isProtected && !isLoggedIn) {
return Response.redirect(new URL('/login', origin));
}
if (isAdminRoute && req.auth?.user?.role !== 'admin') {
return Response.redirect(new URL('/', origin));
}
})
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
}