46 lines
1.6 KiB
TypeScript
46 lines
1.6 KiB
TypeScript
import { NextResponse } from 'next/server'
|
|
import type { NextRequest } from 'next/server'
|
|
|
|
/**
|
|
* Middleware to protect /space routes.
|
|
*
|
|
* Client-side auth enforcement: the space page itself checks auth state via
|
|
* Zustand store. This middleware adds a cookie-based check for server-rendered
|
|
* requests — if no encryptid_token cookie is present on /space, redirect to
|
|
* the home page with a login hint.
|
|
*
|
|
* Note: Since rfunds uses client-side Zustand persistence (localStorage),
|
|
* the primary auth gate is in the SpacePage component itself. This middleware
|
|
* serves as an additional layer for direct URL access.
|
|
*/
|
|
export function middleware(request: NextRequest) {
|
|
const { pathname } = request.nextUrl
|
|
|
|
// Only protect /space routes (not /tbff which is a public demo)
|
|
if (pathname.startsWith('/space')) {
|
|
// Check for auth token in cookie (set by client after login)
|
|
const token = request.cookies.get('encryptid_token')?.value
|
|
|
|
// Also check Authorization header for API-style access
|
|
const authHeader = request.headers.get('authorization')
|
|
const bearerToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null
|
|
|
|
if (!token && !bearerToken) {
|
|
// No auth — redirect to home with login hint
|
|
// The client-side auth store is the primary gate, but this catches
|
|
// direct navigation before hydration
|
|
const url = request.nextUrl.clone()
|
|
url.pathname = '/'
|
|
url.searchParams.set('login', 'required')
|
|
url.searchParams.set('return', pathname)
|
|
return NextResponse.redirect(url)
|
|
}
|
|
}
|
|
|
|
return NextResponse.next()
|
|
}
|
|
|
|
export const config = {
|
|
matcher: ['/space/:path*'],
|
|
}
|