From 5f040866065b1e363d293f82c5106cd3a68e3584 Mon Sep 17 00:00:00 2001 From: Jeff Emmett Date: Wed, 25 Feb 2026 13:19:47 -0800 Subject: [PATCH] feat: add space subdomain routing and ownership support - Traefik wildcard HostRegexp for .r*.online subdomains - Middleware subdomain extraction and path rewriting - Provision endpoint with owner_did acknowledgement - Registry enforces space ownership via EncryptID JWT Co-Authored-By: Claude Opus 4.6 --- app/api/internal/provision/route.ts | 6 +++- middleware.ts | 45 ++++++++++++++++++++++++----- 2 files changed, 42 insertions(+), 9 deletions(-) diff --git a/app/api/internal/provision/route.ts b/app/api/internal/provision/route.ts index d5e7b3c..e6ae7ee 100644 --- a/app/api/internal/provision/route.ts +++ b/app/api/internal/provision/route.ts @@ -4,6 +4,9 @@ import { NextResponse } from "next/server"; * Internal provision endpoint — called by rSpace Registry when activating * this app for a space. No auth required (only reachable from Docker network). * + * Payload: { space, description, admin_email, public, owner_did } + * The owner_did identifies who registered the space via the registry. + * * rfunds has no server-side database — spaces are managed client-side. * This endpoint acknowledges the provisioning request. */ @@ -13,5 +16,6 @@ export async function POST(request: Request) { if (!space) { return NextResponse.json({ error: "Missing space name" }, { status: 400 }); } - return NextResponse.json({ status: "ok", space, message: "rfunds is client-side, no provisioning needed" }); + const ownerDid: string = body.owner_did || ""; + return NextResponse.json({ status: "ok", space, owner_did: ownerDid, message: "rfunds space acknowledged" }); } diff --git a/middleware.ts b/middleware.ts index df1148d..83127f1 100644 --- a/middleware.ts +++ b/middleware.ts @@ -3,18 +3,46 @@ import type { NextRequest } from 'next/server' import { isDemoRequest } from '@encryptid/sdk/server/nextjs' /** - * Middleware to protect /space routes. + * Middleware to handle subdomain-based space routing and protect /space routes. * - * Client-side auth enforcement: the space page itself checks auth state via - * Zustand store. This middleware adds a cookie-based check for server-rendered - * requests — if no encryptid_token cookie is present on /space, redirect to - * the home page with a login hint. + * Subdomain routing: + * - rfunds.online -> home/landing page + * - www.rfunds.online -> home/landing page + * - .rfunds.online -> rewrite to /s/ * - * Demo spaces (ENCRYPTID_DEMO_SPACES env var) bypass auth. + * Auth protection: + * - /space routes require auth (cookie or Bearer token) + * - Demo spaces (ENCRYPTID_DEMO_SPACES env var) bypass auth + * + * Also handles localhost for development. */ export function middleware(request: NextRequest) { + const url = request.nextUrl.clone() + const hostname = request.headers.get('host') || '' const { pathname } = request.nextUrl + // --- Subdomain routing --- + let subdomain: string | null = null + + // Match production: .rfunds.online + const match = hostname.match(/^([a-z0-9][a-z0-9-]*[a-z0-9]|[a-z0-9])\.\w+\.online/) + if (match && match[1] !== 'www') { + subdomain = match[1] + } else if (hostname.includes('localhost')) { + // Development: .localhost:port + const parts = hostname.split('.localhost')[0].split('.') + if (parts.length > 0 && parts[0] !== 'localhost') { + subdomain = parts[parts.length - 1] + } + } + + // If we have a subdomain, rewrite root path to space page + if (subdomain && subdomain.length > 0 && pathname === '/') { + url.pathname = `/s/${subdomain}` + return NextResponse.rewrite(url) + } + + // --- Auth protection for /space routes --- // Only protect /space routes (not /tbff which is a public demo) if (pathname.startsWith('/space')) { // Demo spaces get anonymous access — SDK provides synthetic claims @@ -30,7 +58,6 @@ export function middleware(request: NextRequest) { const bearerToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null if (!token && !bearerToken) { - const url = request.nextUrl.clone() url.pathname = '/' url.searchParams.set('login', 'required') url.searchParams.set('return', pathname) @@ -42,5 +69,7 @@ export function middleware(request: NextRequest) { } export const config = { - matcher: ['/space/:path*'], + matcher: [ + '/((?!_next/static|_next/image|favicon.ico|.*\\..*|api).*)', + ], }