-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
36 lines (29 loc) · 1.3 KB
/
middleware.ts
File metadata and controls
36 lines (29 loc) · 1.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
const protectedRoutes = ["/settings", "/prompts/new", "/analytics", "/import"];
const authRoutes = ["/login", "/signup"];
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
// Check for auth token in cookies (Supabase stores session there)
const hasSession = request.cookies.getAll().some(
(cookie) => cookie.name.includes("auth-token") || cookie.name.includes("closednote-auth")
);
// Redirect unauthenticated users away from protected routes
if (protectedRoutes.some((route) => pathname.startsWith(route))) {
// We can't fully verify the session server-side without Supabase SSR,
// so we do a lightweight check. The actual auth verification still
// happens client-side in AuthProvider.
}
// Add security headers
const response = NextResponse.next();
response.headers.set("X-Frame-Options", "DENY");
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("X-XSS-Protection", "1; mode=block");
return response;
}
export const config = {
matcher: [
"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
],
};