-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
150 lines (131 loc) · 4.06 KB
/
middleware.ts
File metadata and controls
150 lines (131 loc) · 4.06 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
import { withAuth } from 'next-auth/middleware';
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
// Routes that require authentication
const protectedRoutes = [
'/admin',
'/admin/rbac',
'/dashboard',
'/doctor',
'/nurse',
'/pharmacist',
'/receptionist',
'/lab-tech',
'/emergency',
];
// Routes that require specific permissions
const permissionRequiredRoutes: Record<string, string[]> = {
'/admin/rbac': ['admin.roles.manage', 'admin.users.read'],
'/admin': ['admin.roles.manage'],
'/emergency': ['emergency.read', 'emergency.create', 'emergency.request'],
};
// Role-based route restrictions
const roleRouteMap: Record<string, string[]> = {
'ADMIN': ['/admin', '/emergency'],
'DOCTOR': ['/doctor', '/emergency'],
'NURSE': ['/nurse', '/emergency'],
'PHARMACIST': ['/pharmacist'],
'RECEPTIONIST': ['/receptionist', '/emergency'],
'LAB_TECH': ['/lab-tech'],
'EMERGENCY': ['/emergency'],
};
export default withAuth(
function middleware(request: NextRequest) {
const pathname = request.nextUrl.pathname;
const token = (request as any).nextauth?.token;
const userRole = token?.role as string;
// Enforce role-based route access
if (userRole && roleRouteMap[userRole]) {
const allowedPaths = roleRouteMap[userRole];
const isAllowedPath = allowedPaths.some(path => pathname.startsWith(path));
// If user is trying to access a dashboard that isn't theirs, redirect
const isDashboardRoute = ['/admin', '/doctor', '/nurse', '/pharmacist', '/receptionist', '/lab-tech', '/emergency'].some(path => pathname.startsWith(path));
if (isDashboardRoute && !isAllowedPath) {
// Redirect to user's correct dashboard
const correctPath = allowedPaths[0];
return NextResponse.redirect(new URL(correctPath, request.url));
}
}
// Check if route requires specific permissions
for (const [route, requiredPerms] of Object.entries(permissionRequiredRoutes)) {
if (pathname.startsWith(route)) {
const userPermissions = (token?.permissions as string[]) || [];
const hasPermission = requiredPerms.some(perm => userPermissions.includes(perm));
if (!hasPermission) {
return NextResponse.redirect(new URL('/unauthorized', request.url));
}
}
}
return NextResponse.next();
},
{
callbacks: {
authorized: ({ token, req }) => {
const pathname = req.nextUrl.pathname;
// Allow public routes
if (pathname === '/' || pathname === '/login') {
return true;
}
// Protected routes require authentication
if (protectedRoutes.some(route => pathname.startsWith(route))) {
return !!token;
}
return true;
},
},
pages: {
signIn: '/login',
},
}
);
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - api (API routes)
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* - public (public folder)
*/
'/((?!api|_next/static|_next/image|favicon.ico|public).*)',
],
};
}
}
}
return NextResponse.next();
},
{
callbacks: {
authorized: ({ token, req }) => {
const pathname = req.nextUrl.pathname;
// Allow public routes
if (pathname === '/' || pathname === '/login') {
return true;
}
// Protected routes require authentication
if (protectedRoutes.some(route => pathname.startsWith(route))) {
return !!token;
}
return true;
},
},
pages: {
signIn: '/login',
},
}
);
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - api (API routes)
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* - public (public folder)
*/
'/((?!api|_next/static|_next/image|favicon.ico|public).*)',
],
};