-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathmiddleware.ts
More file actions
53 lines (45 loc) · 1.52 KB
/
middleware.ts
File metadata and controls
53 lines (45 loc) · 1.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import { NextResponse, type NextRequest } from "next/server";
import { jwtVerify } from "jose";
const JWT_SECRET = new TextEncoder().encode(
process.env.SESSION_SECRET || "dough-default-secret-change-me"
);
const COOKIE_NAME = "dough-session";
export async function middleware(request: NextRequest) {
const token = request.cookies.get(COOKIE_NAME)?.value;
const isLoginPage = request.nextUrl.pathname.startsWith("/login");
const isApiAuth = request.nextUrl.pathname.startsWith("/api/auth");
const isEvents = request.nextUrl.pathname === "/api/events";
const isSynciSync = request.nextUrl.pathname === "/api/synci/sync";
// Allow auth API, SSE events, cron endpoints, and static assets
if (isApiAuth || isEvents || isSynciSync) {
return NextResponse.next();
}
// Check session
let isValid = false;
if (token) {
try {
await jwtVerify(token, JWT_SECRET);
isValid = true;
} catch {
isValid = false;
}
}
// Redirect unauthenticated to login
if (!isValid && !isLoginPage) {
const url = request.nextUrl.clone();
url.pathname = "/login";
return NextResponse.redirect(url);
}
// Redirect authenticated away from login
if (isValid && isLoginPage) {
const url = request.nextUrl.clone();
url.pathname = "/dashboard";
return NextResponse.redirect(url);
}
return NextResponse.next();
}
export const config = {
matcher: [
"/((?!_next/static|_next/image|favicon\\.ico|favicon\\.png|manifest\\.json|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|json)$).*)",
],
};