Address comments

Author: maparent

apps/website/app/(home)/auth/token/route.ts

@@ -9,6 +9,11 @@ export const GET = async (request: NextRequest): Promise<NextResponse> => {
   try {
     if (typeof token !== "string") throw new Error("Please provide a token");
     if (typeof url !== "string") throw new Error("Please provide a single URL");
+    if (
+      url.indexOf("://") >= 0 &&
+      !url.startsWith(request.nextUrl.origin + "/")
+    )
+      throw new Error("Absolute URLs should be within the application");
 
     const client = await createClient();
     const result = await client.rpc("get_secret_token", {

apps/website/proxy.ts

@@ -6,13 +6,7 @@ export const proxy = async (request: NextRequest) =>
 
 export const config = {
   matcher: [
-    /*
-     * Match all request paths except for the ones starting with:
-     * - _next/static (static files)
-     * - _next/image (image optimization files)
-     * - favicon.ico (favicon file)
-     * Feel free to modify this pattern to include more paths.
-     */
-    "/((?!_next/static|_next/image|favicon.ico|docs|blog|nextra|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+    /* Only apply to /auth paths */
+    "/(auth/.*)",
   ],
 };