proxy.ts
import { withAuth } from "next-auth/middleware";
import { NextRequest, NextResponse } from "next/server";
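/**
 * Request proxy (middleware) wrapped in next-auth's `withAuth`.
 *
 * Does two things per request:
 *  1. Builds a Content-Security-Policy with a fresh nonce and, unless
 *     `SECURITY_HEADERS` is set to "insecure", attaches it to the forwarded
 *     request (together with `x-nonce`) and to the response.
 *  2. Through the `authorized` callback, decides whether the request may
 *     proceed without a session token.
 */
export default withAuth(
  function proxy(req: NextRequest) {
    // Fresh value per request; exposed downstream as `x-nonce`.
    const nonce = Buffer.from(crypto.randomUUID()).toString("base64");

    // NOTE(review): as written this policy does little to restrict script
    // execution. `script-src` and `style-src` carry 'unsafe-inline' and
    // 'unsafe-eval' and no nonce, and they override `default-src` for those
    // resource types, so the nonce in `default-src` never gates a script.
    // Moving the nonce into `script-src` and dropping 'unsafe-inline' there is
    // the usual hardening step, but it needs testing against the app's inline
    // scripts before it is changed here.
    // `block-all-mixed-content` is obsolete; `upgrade-insecure-requests`
    // already covers it.
    const cspHeader = `
      default-src 'self' 'nonce-${nonce}' 'unsafe-eval' 'unsafe-inline';
      script-src 'self' 'unsafe-eval' 'unsafe-inline';
      style-src 'self' 'unsafe-inline' 'unsafe-eval';
      img-src 'self' blob: data:;
      font-src 'self';
      object-src 'none';
      base-uri 'self';
      form-action 'self';
      frame-ancestors 'none';
      block-all-mixed-content;
      upgrade-insecure-requests;
    `;
    // Collapse the multi-line template into a single header-safe line.
    const cspValue = cspHeader.replace(/\s{2,}/g, " ").trim();

    // Headers forwarded to the route handler / renderer.
    const requestHeaders = new Headers(req.headers);
    // Headers sent back to the client. Deliberately starts empty: the previous
    // version passed the copied *request* headers as the response headers,
    // which reflected every inbound header (Cookie, Authorization, Host,
    // anything a fronting proxy injects) back on the response.
    const responseHeaders = new Headers();

    if (process.env.SECURITY_HEADERS !== "insecure") {
      requestHeaders.set("x-nonce", nonce);
      requestHeaders.set("Content-Security-Policy", cspValue);
      responseHeaders.set("Content-Security-Policy", cspValue);
    }

    return NextResponse.next({
      headers: responseHeaders,
      request: {
        headers: requestHeaders,
      },
    });
  },
  {
    callbacks: {
      /**
       * Returns true when the request may proceed, false when next-auth
       * should treat it as unauthorized.
       */
      authorized: ({ req, token }) => {
        const { pathname } = req.nextUrl;

        // Routes explicitly excluded from authentication.
        // Keep this list narrow — every entry here is a public attack surface.
        // NOTE(review): `startsWith("/api/images")` has no trailing slash, so
        // it also matches sibling paths that merely begin with that string.
        // Confirm no protected route shares the prefix, or tighten the check
        // to an exact match plus `startsWith("/api/images/")`.
        const isPublicRoute =
          pathname === "/publicbookview" ||
          pathname === "/catalog" ||
          pathname.startsWith("/api/images") ||
          pathname === "/api/version" ||
          pathname.startsWith("/api/public/");
        if (isPublicRoute) return true;

        // Login and error pages must stay reachable without a session.
        const isAuthPage =
          pathname === "/auth/login" || pathname === "/auth/error";

        // Fail-open by configuration: authentication is enforced only when
        // AUTH_ENABLED is exactly "true". Unset, "True", "1", etc. all let
        // unauthenticated requests through, so deployments should verify the
        // variable is set as intended.
        const authEnforced = process.env.AUTH_ENABLED === "true";

        if (token === null && !isAuthPage && authEnforced) {
          return false;
        }
        return true;
      },
    },
  },
);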