-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
103 lines (89 loc) · 3.46 KB
/
middleware.ts
File metadata and controls
103 lines (89 loc) · 3.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
import { getToken } from 'next-auth/jwt'
// Security middleware for all routes
export async function middleware(request: NextRequest) {
const pathname = request.nextUrl.pathname
// Protected routes requiring authentication
const protectedRoutes = [
'/dashboard',
'/org',
'/api/history',
'/api/watchlist',
'/api/api-keys',
'/api/export',
'/api/organizations',
]
// Admin routes
const adminRoutes = ['/admin', '/api/admin']
// Business+ routes (require BUSINESS or ENTERPRISE tier)
const businessRoutes = ['/dashboard/api-keys', '/api/api-keys', '/org', '/api/organizations']
const isProtectedRoute = protectedRoutes.some(route => pathname.startsWith(route))
const isAdminRoute = adminRoutes.some(route => pathname.startsWith(route))
const isBusinessRoute = businessRoutes.some(route => pathname.startsWith(route))
// Auth check for protected routes
if (isProtectedRoute || isAdminRoute || isBusinessRoute) {
const token = await getToken({
req: request,
secret: process.env.NEXTAUTH_SECRET
})
// Not authenticated
if (!token) {
if (pathname.startsWith('/api/')) {
return new NextResponse(
JSON.stringify({ error: 'Unauthorized' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
)
}
const signInUrl = new URL('/auth/signin', request.url)
signInUrl.searchParams.set('callbackUrl', pathname)
return NextResponse.redirect(signInUrl)
}
// Admin check
if (isAdminRoute && token.role !== 'ADMIN') {
return new NextResponse(
JSON.stringify({ error: 'Admin access required' }),
{ status: 403, headers: { 'Content-Type': 'application/json' } }
)
}
// Business tier check
if (isBusinessRoute && (token.tier === 'FREE' || token.tier === 'PRO')) {
if (pathname.startsWith('/api/')) {
return new NextResponse(
JSON.stringify({ error: 'Business tier required' }),
{ status: 403, headers: { 'Content-Type': 'application/json' } }
)
}
return NextResponse.redirect(new URL('/pricing?feature=api', request.url))
}
}
// Security headers
const response = NextResponse.next()
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('X-Frame-Options', 'DENY')
response.headers.set('X-XSS-Protection', '1; mode=block')
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
response.headers.set(
'Permissions-Policy',
'camera=(), microphone=(), geolocation=()'
)
// CSP header - allow unsafe-eval for development (framer-motion needs it)
if (process.env.NODE_ENV === 'development') {
response.headers.set(
'Content-Security-Policy',
"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https:;"
)
}
// Block access to sensitive paths
if (pathname.includes('/_next/') && pathname.includes('.env')) {
return new NextResponse('Forbidden', { status: 403 })
}
return response
}
export const config = {
matcher: [
// Match all paths except static files and auth routes
'/((?!_next/static|_next/image|favicon.ico|icon-.*\\.png|manifest.json|api/auth).*)',
],
}