-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
99 lines (89 loc) · 3.88 KB
/
Copy pathmiddleware.ts
File metadata and controls
99 lines (89 loc) · 3.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
// Copyright (c) 2026 Interactor, Inc.
// SPDX-License-Identifier: AGPL-3.0-or-later
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
// On *.interactor.com, all auth UI lives on auth.interactor.com. Redirect
// local auth pages to the SSO route which initiates the OIDC flow directly.
const hostname = request.headers.get("host") ?? "";
const isInteractorDomain =
hostname === "interactor.com" || hostname.endsWith(".interactor.com");
if (isInteractorDomain) {
const authPaths = ["/login", "/register", "/reset-password", "/forgot-password"];
if (authPaths.some((p) => pathname.startsWith(p))) {
const callbackUrl = request.nextUrl.searchParams.get("callbackUrl") ?? "/dashboard";
return NextResponse.redirect(
new URL(`/auth/sso?callbackUrl=${encodeURIComponent(callbackUrl)}`, request.url),
);
}
}
// Skip auth for public paths
const isPublicPath =
pathname.startsWith("/login") ||
pathname.startsWith("/register") ||
pathname.startsWith("/forgot-password") ||
pathname.startsWith("/reset-password") ||
pathname.startsWith("/verify-email") ||
pathname.startsWith("/auth/sso") ||
pathname.startsWith("/auth/callback") ||
pathname.startsWith("/auth/invite") ||
pathname.startsWith("/auth/project-invite") ||
pathname.startsWith("/pricing") ||
pathname.startsWith("/shared") ||
pathname.startsWith("/api/auth") ||
pathname.startsWith("/api/health") ||
pathname.startsWith("/api/webhooks") ||
pathname === "/openapi.json" ||
pathname === "/api/v1/openapi.json" ||
pathname.startsWith("/install/");
if (isPublicPath) {
return NextResponse.next();
}
// Check for session token
const sessionToken =
request.cookies.get("authjs.session-token")?.value ||
request.cookies.get("__Secure-authjs.session-token")?.value ||
request.cookies.get("next-auth.session-token")?.value ||
request.cookies.get("__Secure-next-auth.session-token")?.value;
// Redirect authenticated users from root (/) to their last known project.
// /dashboard is intentional navigation and must never be redirected away.
if (pathname === "/" && sessionToken) {
const lastUrl = request.cookies.get("ib-last-url")?.value;
if (lastUrl && lastUrl.startsWith("/o/")) {
return NextResponse.redirect(new URL(lastUrl, request.url));
}
}
if (!sessionToken && !pathname.startsWith("/api")) {
const loginPath = isInteractorDomain ? "/auth/sso" : "/login";
return NextResponse.redirect(new URL(loginPath, request.url));
}
// Strip any client-supplied spoofing of internal chrome-bypass signals before
// re-adding them server-side so they cannot be injected by the browser.
const reqHeaders = new Headers(request.headers);
reqHeaders.delete("x-agent-frame");
if (request.nextUrl.searchParams.get("_agent") === "1") {
reqHeaders.set("x-agent-frame", "1");
}
const response = NextResponse.next({ request: { headers: reqHeaders } });
// Prevent bfcache from serving stale authenticated pages after sign-out
if (!pathname.startsWith("/api")) {
response.headers.set("Cache-Control", "no-store, max-age=0");
}
// Remember the last org/project page the user visited so login can restore it.
// Exclude settings sub-tree — same reason profile settings isn't stored.
if (pathname.startsWith("/o/") && !/\/settings(\/|$)/.test(pathname) && !request.nextUrl.searchParams.has("_agent")) {
response.cookies.set("pm-last-path", pathname, {
path: "/",
maxAge: 60 * 60 * 24 * 30, // 30 days
sameSite: "lax",
httpOnly: false, // must be readable by the login page client JS
});
}
return response;
}
export const config = {
matcher: [
"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:png|jpg|jpeg|gif|webp|svg|ico)$).*)",
],
};