-
Notifications
You must be signed in to change notification settings - Fork 112
Expand file tree
/
Copy pathmiddleware.ts
More file actions
164 lines (144 loc) · 4.64 KB
/
middleware.ts
File metadata and controls
164 lines (144 loc) · 4.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
import { authkit } from "@workos-inc/authkit-nextjs";
import { NextRequest, NextResponse, NextFetchEvent } from "next/server";
import { isRateLimitError } from "@/lib/api/response";
const UNAUTHENTICATED_PATHS = new Set([
"/",
"/login",
"/signup",
"/logout",
"/api/clear-auth-cookies",
"/api/auth/desktop-callback",
"/api/extra-usage/webhook",
"/api/fraud/webhook",
"/api/subscription/webhook",
"/callback",
"/desktop-login",
"/desktop-callback",
"/auth-error",
"/privacy-policy",
"/terms-of-service",
"/download",
"/manifest.json",
]);
function getRedirectUri(): string | undefined {
if (process.env.VERCEL_ENV === "preview" && process.env.VERCEL_URL) {
return `https://${process.env.VERCEL_URL}/callback`;
}
return undefined;
}
function isDesktopApp(request: NextRequest): boolean {
const userAgent = request.headers.get("user-agent") || "";
return userAgent.includes("HackerAI-Desktop");
}
function isUnauthenticatedPath(pathname: string): boolean {
if (UNAUTHENTICATED_PATHS.has(pathname)) {
return true;
}
if (pathname.startsWith("/share/")) {
return true;
}
return false;
}
function isBrowserRequest(request: NextRequest): boolean {
const accept = request.headers.get("accept") ?? "";
return accept.includes("text/html");
}
const SESSION_HEADER = "x-workos-session";
export default async function middleware(
request: NextRequest,
_event: NextFetchEvent,
) {
const pathname = request.nextUrl.pathname;
// Desktop app: redirect unauthenticated users to desktop-specific error page
if (isDesktopApp(request)) {
const hasSession = request.cookies.has("wos-session");
if (!hasSession && !isUnauthenticatedPath(pathname)) {
return NextResponse.redirect(
new URL("/desktop-callback?error=unauthenticated", request.url),
);
}
}
let refreshHitRateLimit = false;
const hadSessionCookie = request.cookies.has("wos-session");
const { session, headers, authorizationUrl } = await authkit(request, {
redirectUri: getRedirectUri(),
eagerAuth: true,
onSessionRefreshError: ({ error }) => {
if (isRateLimitError(error)) {
refreshHitRateLimit = true;
console.warn(
"[Auth Middleware] WorkOS rate limit hit during session refresh",
);
}
},
});
const requestHeaders = buildRequestHeaders(request, headers);
const responseHeaders = buildResponseHeaders(headers);
if (session.user || isUnauthenticatedPath(pathname)) {
return NextResponse.next({
request: { headers: requestHeaders },
headers: responseHeaders,
});
}
// If rate-limited (not a real session expiry), don't redirect to login
if (hadSessionCookie && refreshHitRateLimit) {
if (!isBrowserRequest(request)) {
const rateLimitHeaders = new Headers(responseHeaders);
rateLimitHeaders.set("Retry-After", "5");
return NextResponse.json(
{ code: "rate_limited", message: "Please retry shortly." },
{ status: 503, headers: rateLimitHeaders },
);
}
// For browser requests, let through rather than forcing a confusing login redirect
return NextResponse.next({
request: { headers: requestHeaders },
headers: responseHeaders,
});
}
if (!isBrowserRequest(request)) {
return NextResponse.json(
{
code: "unauthorized:auth",
message: "You need to sign in before continuing.",
cause: "Session expired or invalid",
},
{ status: 401, headers: responseHeaders },
);
}
if (!authorizationUrl) {
console.error("[Auth Middleware] authorizationUrl unavailable", {
pathname,
hasSession: !!session.user,
});
const errorUrl = new URL("/auth-error", request.url);
errorUrl.searchParams.set("code", "503");
return NextResponse.redirect(errorUrl, { headers: responseHeaders });
}
return NextResponse.redirect(authorizationUrl, { headers: responseHeaders });
}
function buildRequestHeaders(
request: NextRequest,
authkitHeaders: Headers,
): Headers {
const merged = new Headers(request.headers);
authkitHeaders.forEach((value, key) => {
if (key.startsWith("x-")) {
merged.set(key, value);
}
});
return merged;
}
function buildResponseHeaders(authkitHeaders: Headers): Headers {
const responseHeaders = new Headers(authkitHeaders);
responseHeaders.delete(SESSION_HEADER);
return responseHeaders;
}
export const config = {
matcher: [
// Skip Next.js internals and all static files, unless found in search params
"/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)",
// Always run for API routes
"/(api|trpc)(.*)",
],
};