LinumIQ/linumiq_net-web_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e14e9097006553130a04f99438a142af5b133539
linumiq_net-web_app/middleware.ts
T

122 lines
3.9 KiB
TypeScript
Raw Blame History

import { createServerClient } from '@supabase/ssr';
import { NextResponse, type NextRequest } from 'next/server';
// Path prefixes that are reachable without a completed MFA step-up. These are
// the auth flow itself, the MFA enrollment/challenge surface, their supporting
// APIs, and public email templates. Everything else (including the root path)
// requires aal2 once the user is authenticated.
const MFA_ALLOWLIST = [
'/login',
'/signup',
'/auth',
'/security',
'/api/auth',
'/api/security',
'/email-templates',
];
function isMfaAllowlisted(path: string): boolean {
return MFA_ALLOWLIST.some(
(prefix) => path === prefix || path.startsWith(`${prefix}/`),
);
}
export async function middleware(request: NextRequest) {
let response = NextResponse.next({ request });
const supabase = createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{
cookies: {
getAll() {
return request.cookies.getAll();
},
setAll(toSet) {
toSet.forEach(({ name, value }) => request.cookies.set(name, value));
response = NextResponse.next({ request });
toSet.forEach(({ name, value, options }) =>
response.cookies.set(name, value, options),
);
},
},
},
);
const {
data: { user },
} = await supabase.auth.getUser();
const path = request.nextUrl.pathname;
// Carry any cookies Supabase rotated onto the working `response` over to a
// deny/redirect response, so a refreshed session/refresh token is always
// persisted — otherwise a fresh NextResponse would drop them and a
// concurrent request could spuriously 401. Also stamp `no-store` so these
// short-circuit responses are never cached by intermediaries or the browser.
const withCookies = (res: NextResponse): NextResponse => {
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
res.headers.set('Cache-Control', 'no-store');
return res;
};
const redirectTo = (pathname: string, search = ''): NextResponse => {
const url = request.nextUrl.clone();
url.pathname = pathname;
url.search = search;
return withCookies(NextResponse.redirect(url));
};
// Defense-in-depth: guard the admin surface here in addition to the
// per-route requireAdmin()/requireAdminApi() checks.
if (path.startsWith('/admin') || path.startsWith('/api/admin')) {
if (!user) {
if (path.startsWith('/api/admin')) {
return withCookies(
NextResponse.json({ error: 'unauthorized' }, { status: 401 }),
);
}
return redirectTo('/login');
}
if (user.app_metadata?.role !== 'admin') {
if (path.startsWith('/api/admin')) {
return withCookies(
NextResponse.json({ error: 'forbidden' }, { status: 403 }),
);
}
return redirectTo('/dashboard');
}
}
// Mandatory MFA gate for every authenticated request outside the allowlist.
if (user && !isMfaAllowlisted(path)) {
const [{ data: aal }, { data: factors }] = await Promise.all([
supabase.auth.mfa.getAuthenticatorAssuranceLevel(),
supabase.auth.mfa.listFactors(),
]);
const verifiedCount =
factors?.all.filter((f) => f.status === 'verified').length ?? 0;
if (verifiedCount === 0) {
// No second factor at all → force enrollment.
return redirectTo('/security/enroll');
}
if (aal?.nextLevel === 'aal2' && aal?.currentLevel === 'aal1') {
// Has a factor but session is only aal1 → force step-up, preserving the
// originally requested destination.
const next = encodeURIComponent(`${path}${request.nextUrl.search}`);
return redirectTo('/security/challenge', `?next=${next}`);
}
}
return response;
}
export const config = {
matcher: [
'/((?!_next/static|_next/image|favicon.ico|api/tunnel/claim).*)',
'/admin/:path*',
'/api/admin/:path*',
],
};
Reference in New Issue View Git Blame Copy Permalink