ankhbayar/Assist_Design
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Assist_Design/apps/portal/src/proxy.ts
barsa ff9ee10860 Merge main into alt-design 
Resolved merge conflicts between main and alt-design branches.

Key decisions:
- BFF: Adopted SIM-first workflow from main (PA05-18 → PA02-01 → PA05-05 → WHMCS)
- BFF: Kept FreebitFacade pattern, added new services (AccountRegistration, VoiceOptions, SemiBlack)
- BFF: Fixed freebit-usage.service.ts bug (quotaKb → quotaMb)
- BFF: Merged rate limiting + HTTP status parsing in WHMCS error handler
- Portal: Took main's UI implementations
- Deleted: TV page, SignupForm, ServicesGrid (as per main)
- Added whmcsRegistrationUrl to field-maps.ts (was missing after file consolidation)

TODO post-merge:
- Refactor order-fulfillment-orchestrator.service.ts to use buildTransactionSteps abstraction
- Fix ESLint errors from main's code (skipped pre-commit for merge)
2026-02-03 16:12:05 +09:00

136 lines
4.4 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from "next/server";
/**
* Next.js 16 Proxy (replaces deprecated Middleware)
*
* Handles:
* 1. Optimistic auth checks - redirects unauthenticated users to login
* 2. CSP nonce generation for inline script protection
* 3. Security headers
*
* @see https://nextjs.org/docs/app/guides/authentication
* @see https://nextjs.org/docs/app/guides/content-security-policy
* @see https://nextjs.org/docs/messages/middleware-to-proxy
*/
/**
* Public paths that don't require authentication.
* These routes are accessible without auth cookies.
*/
const PUBLIC_PATHS = ["/auth/", "/", "/services", "/about", "/contact", "/vpn-configuration"];
/**
* Check if a path is public (doesn't require authentication)
*/
function isPublicPath(pathname: string): boolean {
return PUBLIC_PATHS.some(publicPath => {
if (publicPath.endsWith("/")) {
// Path prefix match (e.g., /auth/ matches /auth/login)
return pathname.startsWith(publicPath);
}
// Exact match
return pathname === publicPath;
});
}
/**
* Build Content Security Policy header
*/
function buildCSP(nonce: string, isDev: boolean): string {
if (isDev) {
// Development: More permissive for HMR and dev tools
return [
"default-src 'self'",
"script-src 'self' 'unsafe-eval' 'unsafe-inline'", // HMR needs eval
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"font-src 'self' data:",
"connect-src 'self' https: http://localhost:* ws://localhost:*",
"frame-src 'self' https://www.google.com",
"frame-ancestors 'none'",
].join("; ");
}
// Production: Strict CSP with nonce
// 'strict-dynamic' allows scripts loaded by nonced scripts to execute.
// Next 16 applies the nonce to its own inline scripts, so 'unsafe-inline'
// is not required in script-src when the nonce is present.
return [
"default-src 'self'",
`script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
"style-src 'self' 'unsafe-inline'", // Next.js requires this for styled-jsx
"img-src 'self' data: https:",
"font-src 'self' data:",
"connect-src 'self' https:",
"frame-src 'self' https://www.google.com",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
"object-src 'none'",
"upgrade-insecure-requests",
].join("; ");
}
export function proxy(request: NextRequest) {
const { pathname } = request.nextUrl;
// --- Auth Check ---
// Skip auth for public routes
if (!isPublicPath(pathname)) {
// Check for auth cookies (optimistic check - BFF validates the token)
const hasAccessToken = request.cookies.has("access_token");
const hasRefreshToken = request.cookies.has("refresh_token");
if (!hasAccessToken && !hasRefreshToken) {
// No auth cookies present - redirect to login
const loginUrl = new URL("/auth/login", request.url);
loginUrl.searchParams.set("next", pathname);
return NextResponse.redirect(loginUrl);
}
}
// --- CSP & Security Headers ---
// Generate a random nonce for this request
const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
const isDev = process.env["NODE_ENV"] === "development";
const cspHeader = buildCSP(nonce, isDev);
// Clone the request headers and add nonce
const requestHeaders = new Headers(request.headers);
requestHeaders.set("x-nonce", nonce);
// Create response with updated headers
const response = NextResponse.next({
request: {
headers: requestHeaders,
},
});
// Set CSP header on response
response.headers.set("Content-Security-Policy", cspHeader);
// Add additional security headers
response.headers.set("X-Frame-Options", "DENY");
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
return response;
}
// Apply proxy to all routes except static assets
export const config = {
matcher: [
/*
* Match all request paths except:
* - api (API routes)
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico, sitemap.xml, robots.txt (metadata files)
* - _health (health check endpoint)
* - Static assets (svg, png, jpg, etc.)
*/
"/((?!api|_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|_health|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|woff|woff2|ttf|eot)$).*)",
],
};
Reference in New Issue View Git Blame Copy Permalink