-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathproxy.ts
More file actions
89 lines (78 loc) · 3.16 KB
/
proxy.ts
File metadata and controls
89 lines (78 loc) · 3.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
import { createServerClient } from '@supabase/ssr';
import { NextResponse, type NextRequest } from 'next/server';
/**
* Middleware for handling authentication and session management
* Uses Supabase's new asymmetric JWT signing keys system for secure authentication
*/
export async function proxy(request: NextRequest) {
let supabaseResponse = NextResponse.next({
request,
});
// Check if environment variables exist - fail fast if not
if (!process.env.NEXT_PUBLIC_SUPABASE_URL || !process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY) {
console.error('Missing Supabase environment variables');
return supabaseResponse;
}
const supabase = createServerClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, {
cookies: {
getAll() {
return request.cookies.getAll();
},
setAll(cookiesToSet: { name: string; value: string; options?: Record<string, unknown> }[]) {
cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
supabaseResponse = NextResponse.next({
request,
});
cookiesToSet.forEach(({ name, value, options }) =>
supabaseResponse.cookies.set(name, value, {
...options,
// Ensure secure cookie options in production
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
}),
);
},
},
});
// IMPORTANT: auth.getUser() automatically verifies JWT using Supabase's new asymmetric signing keys
// Do not add custom JWT verification - the @supabase/ssr package handles this securely
const {
data: { user },
} = await supabase.auth.getUser();
const { pathname } = request.nextUrl;
// Define public routes that don't require authentication
const publicRoutes = ['/', '/login', '/register', '/forgot-password', '/reset-password'];
const isPublicRoute = publicRoutes.some((route) => {
if (route === '/') {
return pathname === '/'; // Only exact match for root
}
return pathname === route || pathname.startsWith(route + '/');
});
// API routes and auth callback are handled separately - allow them through
if (pathname.startsWith('/api/') || pathname.startsWith('/auth/')) {
return supabaseResponse;
}
// If user is authenticated and trying to access auth pages, redirect to dashboard
if (user && (pathname === '/login' || pathname === '/register' || pathname === '/forgot-password')) {
return NextResponse.redirect(new URL('/dashboard', request.url));
}
// If user is not authenticated and trying to access protected routes
if (!user && !isPublicRoute) {
const loginUrl = new URL('/login', request.url);
loginUrl.searchParams.set('redirectTo', pathname);
return NextResponse.redirect(loginUrl);
}
return supabaseResponse;
}
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* - public files (images, etc.)
*/
'/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
],
};