Gerhard Scheikl
1adb6e7b3f
The defense-in-depth admin guard in middleware short-circuits before the route handlers' jsonNoStore runs, so its 401/403 JSON denials (and auth redirects) were served without Cache-Control: no-store. Stamp no-store in withCookies so every admin deny/redirect response is non-cacheable, completing Finding #4 for the middleware-originated admin responses.
79 lines
2.6 KiB
TypeScript
79 lines
2.6 KiB
TypeScript
import { createServerClient } from '@supabase/ssr';
|
|
import { NextResponse, type NextRequest } from 'next/server';
|
|
|
|
export async function middleware(request: NextRequest) {
|
|
let response = NextResponse.next({ request });
|
|
|
|
const supabase = createServerClient(
|
|
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
|
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
|
|
{
|
|
cookies: {
|
|
getAll() {
|
|
return request.cookies.getAll();
|
|
},
|
|
setAll(toSet) {
|
|
toSet.forEach(({ name, value }) => request.cookies.set(name, value));
|
|
response = NextResponse.next({ request });
|
|
toSet.forEach(({ name, value, options }) =>
|
|
response.cookies.set(name, value, options),
|
|
);
|
|
},
|
|
},
|
|
},
|
|
);
|
|
|
|
const {
|
|
data: { user },
|
|
} = await supabase.auth.getUser();
|
|
|
|
// Defense-in-depth: guard the admin surface here in addition to the
|
|
// per-route requireAdmin()/requireAdminApi() checks.
|
|
const path = request.nextUrl.pathname;
|
|
if (path.startsWith('/admin') || path.startsWith('/api/admin')) {
|
|
// Carry any cookies Supabase rotated onto the working `response` over to a
|
|
// deny/redirect response, so a refreshed session/refresh token is always
|
|
// persisted — otherwise a fresh NextResponse would drop them and a
|
|
// concurrent request could spuriously 401. Also stamp `no-store` so these
|
|
// admin deny/redirect responses (which short-circuit before the route's
|
|
// own jsonNoStore runs) are never cached by intermediaries or the browser.
|
|
const withCookies = (res: NextResponse): NextResponse => {
|
|
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
|
|
res.headers.set('Cache-Control', 'no-store');
|
|
return res;
|
|
};
|
|
if (!user) {
|
|
if (path.startsWith('/api/admin')) {
|
|
return withCookies(
|
|
NextResponse.json({ error: 'unauthorized' }, { status: 401 }),
|
|
);
|
|
}
|
|
const url = request.nextUrl.clone();
|
|
url.pathname = '/login';
|
|
url.search = '';
|
|
return withCookies(NextResponse.redirect(url));
|
|
}
|
|
if (user.app_metadata?.role !== 'admin') {
|
|
if (path.startsWith('/api/admin')) {
|
|
return withCookies(
|
|
NextResponse.json({ error: 'forbidden' }, { status: 403 }),
|
|
);
|
|
}
|
|
const url = request.nextUrl.clone();
|
|
url.pathname = '/dashboard';
|
|
url.search = '';
|
|
return withCookies(NextResponse.redirect(url));
|
|
}
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
export const config = {
|
|
matcher: [
|
|
'/((?!_next/static|_next/image|favicon.ico|api/tunnel/claim).*)',
|
|
'/admin/:path*',
|
|
'/api/admin/:path*',
|
|
],
|
|
};
|