pingvin-share/frontend/src/middleware.ts

import jwtDecode from "jwt-decode";
import { NextRequest, NextResponse } from "next/server";
import configService from "./services/config.service";

// This middleware redirects based on different conditions:
// - Authentication state
// - Setup status
// - Admin privileges

export const config = {
  matcher: "/((?!api|static|.*\\..*|_next).*)",
};

export async function middleware(request: NextRequest) {
  // Get config from backend
  const config = await (
    await fetch("http://localhost:8080/api/configs")
  ).json();

  const getConfig = (key: string) => {
    return configService.get(key, config);
  };

  const containsRoute = (routes: string[], url: string) => {
    for (const route of routes) {
      if (new RegExp("^" + route.replace(/\*/g, ".*") + "$").test(url))
        return true;
    }
    return false;
  };

  const route = request.nextUrl.pathname;
  let user: { isAdmin: boolean } | null = null;
  const accessToken = request.cookies.get("access_token")?.value;

  try {
    const claims = jwtDecode<{ exp: number; isAdmin: boolean }>(
      accessToken as string
    );
    if (claims.exp * 1000 > Date.now()) {
      user = claims;
    }
  } catch {
    user = null;
  }

  const unauthenticatedRoutes = ["/auth/signIn", "/"];
  let publicRoutes = ["/share/*", "/upload/*"];
  const setupStatusRegisteredRoutes = ["/auth/*", "/admin/setup"];
  const adminRoutes = ["/admin/*"];
  const accountRoutes = ["/account/*"];

  if (getConfig("ALLOW_REGISTRATION")) {
    unauthenticatedRoutes.push("/auth/signUp");
  }

  if (getConfig("ALLOW_UNAUTHENTICATED_SHARES")) {
    publicRoutes = ["*"];
  }

  const isPublicRoute = containsRoute(publicRoutes, route);
  const isUnauthenticatedRoute = containsRoute(unauthenticatedRoutes, route);
  const isAdminRoute = containsRoute(adminRoutes, route);
  const isAccountRoute = containsRoute(accountRoutes, route);
  const isSetupStatusRegisteredRoute = containsRoute(
    setupStatusRegisteredRoutes,
    route
  );

  // prettier-ignore
  const rules = [
    // Setup status
    {
      condition: getConfig("SETUP_STATUS") == "STARTED" && route != "/auth/signUp",
      path: "/auth/signUp",
    },
    {
      condition: getConfig("SETUP_STATUS") == "REGISTERED" && !isSetupStatusRegisteredRoute,
      path: user ? "/admin/setup" : "/auth/signIn",
    },
     // Authenticated state
     {
      condition: user && isUnauthenticatedRoute,
      path: "/upload",
    },
    // Unauthenticated state
    {
      condition: !user && !isPublicRoute && !isUnauthenticatedRoute,
      path: "/auth/signIn",
    },
    {
      condition: !user && isAccountRoute,
      path: "/upload",
    },
    // Admin privileges
    {
      condition: isAdminRoute && !user?.isAdmin,
      path: "/upload",
    },
    // Home page
    {
      condition: (!getConfig("SHOW_HOME_PAGE") || user) && route == "/",
      path: "/upload",
    },
  ];

  for (const rule of rules) {
    if (rule.condition)
      return NextResponse.redirect(new URL(rule.path, request.url));
  }
}
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`import jwtDecode from "jwt-decode";`
			`import { NextRequest, NextResponse } from "next/server";`
			`import configService from "./services/config.service";`

			`// This middleware redirects based on different conditions:`
			`// - Authentication state`
			`// - Setup status`
			`// - Admin privileges`

			`export const config = {`
			`matcher: "/((?!api\|static\|.\\..\|_next).*)",`
			`};`

			`export async function middleware(request: NextRequest) {`
			`// Get config from backend`
			`const config = await (`
			`await fetch("http://localhost:8080/api/configs")`
			`).json();`

			`const getConfig = (key: string) => {`
			`return configService.get(key, config);`
			`};`

			`const containsRoute = (routes: string[], url: string) => {`
			`for (const route of routes) {`
			`if (new RegExp("^" + route.replace(/\/g, ".") + "$").test(url))`
			`return true;`
			`}`
			`return false;`
			`};`

			`const route = request.nextUrl.pathname;`
			`let user: { isAdmin: boolean } \| null = null;`
			`const accessToken = request.cookies.get("access_token")?.value;`

			`try {`
			`const claims = jwtDecode<{ exp: number; isAdmin: boolean }>(`
			`accessToken as string`
			`);`
			`if (claims.exp * 1000 > Date.now()) {`
			`user = claims;`
			`}`
			`} catch {`
			`user = null;`
			`}`

			`const unauthenticatedRoutes = ["/auth/signIn", "/"];`
			`let publicRoutes = ["/share/", "/upload/"];`
			`const setupStatusRegisteredRoutes = ["/auth/*", "/admin/setup"];`
			`const adminRoutes = ["/admin/*"];`
			`const accountRoutes = ["/account/*"];`

			`if (getConfig("ALLOW_REGISTRATION")) {`
			`unauthenticatedRoutes.push("/auth/signUp");`
			`}`

			`if (getConfig("ALLOW_UNAUTHENTICATED_SHARES")) {`
			`publicRoutes = ["*"];`
			`}`

			`const isPublicRoute = containsRoute(publicRoutes, route);`
			`const isUnauthenticatedRoute = containsRoute(unauthenticatedRoutes, route);`
			`const isAdminRoute = containsRoute(adminRoutes, route);`
			`const isAccountRoute = containsRoute(accountRoutes, route);`
			`const isSetupStatusRegisteredRoute = containsRoute(`
			`setupStatusRegisteredRoutes,`
			`route`
			`);`

			`// prettier-ignore`
			`const rules = [`
			`// Setup status`
			`{`
			`condition: getConfig("SETUP_STATUS") == "STARTED" && route != "/auth/signUp",`
			`path: "/auth/signUp",`
			`},`
			`{`
			`condition: getConfig("SETUP_STATUS") == "REGISTERED" && !isSetupStatusRegisteredRoute,`
			`path: user ? "/admin/setup" : "/auth/signIn",`
			`},`
			`// Authenticated state`
			`{`
			`condition: user && isUnauthenticatedRoute,`
			`path: "/upload",`
			`},`
			`// Unauthenticated state`
			`{`
			`condition: !user && !isPublicRoute && !isUnauthenticatedRoute,`
			`path: "/auth/signIn",`
			`},`
			`{`
			`condition: !user && isAccountRoute,`
			`path: "/upload",`
			`},`
			`// Admin privileges`
			`{`
			`condition: isAdminRoute && !user?.isAdmin,`
			`path: "/upload",`
			`},`
			`// Home page`
			`{`
			`condition: (!getConfig("SHOW_HOME_PAGE") \|\| user) && route == "/",`
			`path: "/upload",`
			`},`
			`];`

			`for (const rule of rules) {`
			`if (rule.condition)`
			`return NextResponse.redirect(new URL(rule.path, request.url));`
			`}`
			`}`