-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathproxy.ts
More file actions
156 lines (134 loc) · 5.59 KB
/
proxy.ts
File metadata and controls
156 lines (134 loc) · 5.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
import { NextRequest, NextResponse } from "next/server";
import { betterFetch } from "@better-fetch/fetch";
import { APP_COOKIE_KEYS } from "@/constants/app";
import { PROTECTED_ROUTES, PUBLIC_ROUTES, ROUTE_GAMES, ROUTE_SIGN_IN } from "@/constants/routes";
import { Session } from "@/lib/auth";
import { getCurrentLocale } from "@/lib/locale";
import linguiConfig from "@/lingui.config";
export default async function proxy(request: NextRequest) {
const { pathname } = request.nextUrl;
const host: string | null = request.headers.get("host");
const protocol: string = request.headers.get("x-forwarded-proto") || "http";
const origin: string = `${protocol}://${host}`;
// ---------------------------------------------
// Fetch session
// ---------------------------------------------
const { data: session } = await betterFetch<Session>("/api/auth/get-session", {
baseURL: request.nextUrl.origin,
headers: {
cookie: request.headers.get("cookie") || "",
},
});
// ---------------------------------------------
// Access control
// ---------------------------------------------
const pathnameParts: string[] = pathname.split("/");
const maybeLocale: string = pathnameParts[1];
const pathnameNoLocale: string = linguiConfig.locales.includes(maybeLocale)
? `/${pathnameParts.slice(2).join("/")}` || "/"
: pathname;
const isPublicRoute: boolean = PUBLIC_ROUTES.some((route: string) => pathnameNoLocale.startsWith(route));
const isProtectedRoute: boolean = PROTECTED_ROUTES.some((route: string) => pathnameNoLocale.startsWith(route));
if (session) {
if (isPublicRoute) {
return NextResponse.redirect(new URL(ROUTE_GAMES.PATH, origin));
}
} else {
if (isProtectedRoute) {
return NextResponse.redirect(new URL(ROUTE_SIGN_IN.PATH, origin));
}
}
// ---------------------------------------------
// Content Security Policy (CSP)
// ---------------------------------------------
const nonce: string = Buffer.from(crypto.randomUUID()).toString("base64");
const devCspHeader: string = `
default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;
script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;
style-src * 'unsafe-inline' 'unsafe-eval' data: blob:;
connect-src *;
img-src * data: blob:;
font-src * data:;
object-src *;
frame-ancestors *;
`;
const prodCspHeader: string = `
default-src 'self';
script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
style-src 'self' 'nonce-${nonce}';
img-src 'self' blob: data:;
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
connect-src 'self' https://www.google-analytics.com;
upgrade-insecure-requests;
`;
const cspHeader: string = process.env.NODE_ENV === "production" ? prodCspHeader : devCspHeader;
const contentSecurityPolicyHeader: string = cspHeader.replace(/\s{2,}/g, " ").trim();
const requestHeaders: Headers = new Headers(request.headers);
requestHeaders.set("Content-Security-Policy", contentSecurityPolicyHeader);
requestHeaders.set("x-nonce", nonce);
const response: NextResponse = NextResponse.next({
request: {
headers: requestHeaders,
},
});
response.headers.set("Content-Security-Policy", contentSecurityPolicyHeader);
// ---------------------------------------------
// CORS
// ---------------------------------------------
response.headers.set("Access-Control-Allow-Credentials", "true");
response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
response.headers.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
const trustedOrigins: string[] = (process.env.TRUSTED_ORIGINS || "").split(",").map((origin: string) => origin.trim());
if (origin && trustedOrigins.includes(origin)) {
response.headers.set("Access-Control-Allow-Origin", origin);
} else {
response.headers.set("Access-Control-Allow-Origin", trustedOrigins[0] || "*");
}
// ---------------------------------------------
// Localization
// ---------------------------------------------
const cookieLocale: string | undefined = request.cookies.get(APP_COOKIE_KEYS.LOCALE)?.value;
const locale: string = getCurrentLocale(request, session);
const pathnameLocale: string = pathname.split("/")[1];
if (!linguiConfig.locales.includes(pathnameLocale)) {
// Redirect if there is no locale
request.nextUrl.pathname = `/${locale}${pathname}`;
// e.g. incoming request is /sign-in
// The new URL is now /en/sign-in
return NextResponse.redirect(request.nextUrl);
}
// Sync locale cookie
if (pathnameLocale !== cookieLocale) {
// If the locale in the cookie doesn't match the pathname locale, update the cookie
response.cookies.set(APP_COOKIE_KEYS.LOCALE, pathnameLocale, {
httpOnly: true,
path: "/",
maxAge: 60 * 60 * 24 * 30, // Cache for 30 days
secure: process.env.NODE_ENV === "production",
});
}
return response;
}
export const config = {
matcher: [
{
/*
* Match all request paths except for the ones starting with:
* - api (API routes)
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico, sitemap.xml, robots.txt, manifest.webmanifest (metadata files)
* - media files (svg, png, jpg, jpeg, gif, webp, webm)
*/
source: "/((?!api|_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|manifest.webmanifest|.*\\..*).*)",
missing: [
{ type: "header", key: "next-router-prefetch" },
{ type: "header", key: "purpose", value: "prefetch" },
],
},
],
};