Skip to content

Add proxy-level guard for API requests #318

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TaiVanNgo merged 11 commits into from
Mar 25, 2026
+2,188 −73
Merged

Add proxy-level guard for API requests #318

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
e533b1f
feat(abuse-protection): implement OTP abuse protection system with Re…
khangronky Mar 15, 2026
4e41f15
feat(api-proxy-guard): update rate limits and route policies for meet…
khangronky Mar 15, 2026
72d6b21
Merge branch 'main' into feat/api-proxy-guard
khangronky Mar 17, 2026
42b1cfa
Merge branch 'main' into feat/api-proxy-guard
khangronky Mar 18, 2026
e37b584
Merge branch 'main' into feat/api-proxy-guard
khangronky Mar 21, 2026
3b30301
Merge branch 'main' into feat/api-proxy-guard
khangronky Mar 22, 2026
ffd4a4f
feat(redis): add Redis stack for local testing with serverless HTTP s…
khangronky Mar 22, 2026
48e9eaa
feat(redis): add Redis app configuration and dependencies
khangronky Mar 22, 2026
21603bc
Merge branch 'main' into feat/api-proxy-guard
khangronky Mar 23, 2026
f9cdc13
feat(rate-limit): Add UUID generation for blocked IPs and refactor l…
khangronky Mar 23, 2026
102cad7
feat(abuse-protection): Add new abuse event types for API authenticat…
khangronky Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions apps/web/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,6 @@
"@tanstack/react-query": "^5.90.21",
"@tanstack/react-table": "^8.21.3",
"@tldraw/sync": "^4.4.1",
"@upstash/qstash": "^2.9.0",
"@upstash/ratelimit": "^2.0.8",
"@vercel/analytics": "^1.6.1",
"@vercel/edge": "^1.2.2",
"@vercel/kv": "^3.0.0",
Expand Down
15 changes: 12 additions & 3 deletions apps/web/src/proxy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { match } from '@formatjs/intl-localematcher';
import { updateSession } from '@ncthub/supabase/next/proxy';
import type { SupabaseUser } from '@ncthub/supabase/next/user';
import { guardApiProxyRequest } from '@ncthub/utils/api-proxy-guard';
import Negotiator from 'negotiator';
import type { NextRequest } from 'next/server';
import { NextResponse } from 'next/server';
Expand All @@ -9,12 +10,20 @@ import { LOCALE_COOKIE_NAME, PUBLIC_PATHS } from './constants/common';
import { defaultLocale, type Locale, supportedLocales } from './i18n/routing';

export async function proxy(req: NextRequest): Promise<NextResponse> {
if (req.nextUrl.pathname.startsWith('/api')) {
const guardResponse = await guardApiProxyRequest(req, {
prefixBase: 'proxy:web:api',
});
if (guardResponse) {
return guardResponse;
}

return NextResponse.next();
}

// Make sure user session is always refreshed
const { res, user } = await updateSession(req);

// If current path starts with /api, return without redirecting
if (req.nextUrl.pathname.startsWith('/api')) return res;

// Handle special cases for public paths
const { res: nextRes, redirect } = handleRedirect({ req, res, user });
if (redirect) return nextRes;
Expand Down
20 changes: 8 additions & 12 deletions bun.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions packages/utils/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@
"packageManager": "[email protected]",
"dependencies": {
"@ncthub/supabase": "workspace:*",
"@upstash/ratelimit": "^2.0.8",
"@upstash/redis": "^1.37.0",
"clsx": "^2.1.1",
"next": "16.1.6",
"react": "^19.2.4",
Expand Down
29 changes: 29 additions & 0 deletions packages/utils/src/abuse-protection/__tests__/edge.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
import { describe, expect, it } from 'vitest';
import { extractIPFromRequest } from '../edge';

describe('abuse-protection edge', () => {
describe('extractIPFromRequest', () => {
it('prefers cf-connecting-ip over x-forwarded-for', () => {
const headers = new Headers();
headers.set('cf-connecting-ip', '203.0.113.10');
headers.set('x-forwarded-for', '198.51.100.10, 10.0.0.1');

expect(extractIPFromRequest(headers)).toBe('203.0.113.10');
});

it('falls back to true-client-ip before generic proxy headers', () => {
const headers = new Headers();
headers.set('true-client-ip', '203.0.113.20');
headers.set('x-forwarded-for', '198.51.100.20, 10.0.0.1');

expect(extractIPFromRequest(headers)).toBe('203.0.113.20');
});

it('falls back to x-forwarded-for when cloud proxy headers are absent', () => {
const headers = new Headers();
headers.set('x-forwarded-for', '198.51.100.30, 10.0.0.1');

expect(extractIPFromRequest(headers)).toBe('198.51.100.30');
});
});
});
Loading
Loading