import { createServerClient } from '@supabase/ssr'; import { NextResponse, type NextRequest } from 'next/server'; // Path prefixes that are reachable without a completed MFA step-up. These are // the auth flow itself, the MFA enrollment/challenge surface, their supporting // APIs, and public email templates. Everything else (including the root path) // requires aal2 once the user is authenticated. const MFA_ALLOWLIST = [ '/login', '/signup', '/auth', '/security', '/api/auth', '/api/security', '/email-templates', ]; function isMfaAllowlisted(path: string): boolean { return MFA_ALLOWLIST.some( (prefix) => path === prefix || path.startsWith(`${prefix}/`), ); } export async function middleware(request: NextRequest) { let response = NextResponse.next({ request }); const supabase = createServerClient( process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!, { cookies: { getAll() { return request.cookies.getAll(); }, setAll(toSet) { toSet.forEach(({ name, value }) => request.cookies.set(name, value)); response = NextResponse.next({ request }); toSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options), ); }, }, }, ); const { data: { user }, } = await supabase.auth.getUser(); const path = request.nextUrl.pathname; // Carry any cookies Supabase rotated onto the working `response` over to a // deny/redirect response, so a refreshed session/refresh token is always // persisted — otherwise a fresh NextResponse would drop them and a // concurrent request could spuriously 401. Also stamp `no-store` so these // short-circuit responses are never cached by intermediaries or the browser. const withCookies = (res: NextResponse): NextResponse => { response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie)); res.headers.set('Cache-Control', 'no-store'); return res; }; const redirectTo = (pathname: string, search = ''): NextResponse => { const url = request.nextUrl.clone(); url.pathname = pathname; url.search = search; return withCookies(NextResponse.redirect(url)); }; // Defense-in-depth: guard the admin surface here in addition to the // per-route requireAdmin()/requireAdminApi() checks. if (path.startsWith('/admin') || path.startsWith('/api/admin')) { if (!user) { if (path.startsWith('/api/admin')) { return withCookies( NextResponse.json({ error: 'unauthorized' }, { status: 401 }), ); } return redirectTo('/login'); } if (user.app_metadata?.role !== 'admin') { if (path.startsWith('/api/admin')) { return withCookies( NextResponse.json({ error: 'forbidden' }, { status: 403 }), ); } return redirectTo('/dashboard'); } } // Mandatory MFA gate for every authenticated request outside the allowlist. if (user && !isMfaAllowlisted(path)) { const [{ data: aal }, { data: factors }] = await Promise.all([ supabase.auth.mfa.getAuthenticatorAssuranceLevel(), supabase.auth.mfa.listFactors(), ]); const verifiedCount = factors?.all.filter((f) => f.status === 'verified').length ?? 0; if (verifiedCount === 0) { // No second factor at all → force enrollment. return redirectTo('/security/enroll'); } if (aal?.nextLevel === 'aal2' && aal?.currentLevel === 'aal1') { // Has a factor but session is only aal1 → force step-up, preserving the // originally requested destination. const next = encodeURIComponent(`${path}${request.nextUrl.search}`); return redirectTo('/security/challenge', `?next=${next}`); } } return response; } export const config = { matcher: [ '/((?!_next/static|_next/image|favicon.ico|api/tunnel/claim).*)', '/admin/:path*', '/api/admin/:path*', ], };