link-stack/apps/link/middleware.ts

import { NextResponse } from "next/server";
import { withAuth, NextRequestWithAuth } from "next-auth/middleware";

const rewriteURL = (
  request: NextRequestWithAuth,
  originBaseURL: string,
  destinationBaseURL: string,
  headers: any = {},
) => {
  let path = request.url.replace(originBaseURL, "");
  if (path.startsWith("/")) {
    path = path.slice(1);
  }
  const destinationURL = `${destinationBaseURL}/${path}`;
  console.log(`Rewriting ${request.url} to ${destinationURL}`);
  const requestHeaders = new Headers(request.headers);
  for (const [key, value] of requestHeaders.entries()) {
    console.log(`${key}: ${value}`);
  }

  requestHeaders.delete("x-forwarded-user");
  requestHeaders.delete("x-forwarded-roles");
  requestHeaders.delete("connection");

  for (const [key, value] of Object.entries(headers)) {
    requestHeaders.set(key, value as string);
  }

  return NextResponse.rewrite(new URL(destinationURL), {
    request: { headers: requestHeaders },
  });
};

const checkRewrites = async (request: NextRequestWithAuth) => {
  const linkBaseURL = process.env.LINK_URL ?? "http://localhost:3000";
  const zammadURL = process.env.ZAMMAD_URL ?? "http://zammad-nginx:8080";
  const opensearchBaseURL =
    process.env.OPENSEARCH_DASHBOARDS_URL ??
    "http://opensearch-dashboards:5601";

  const zammadPaths = [
    "/zammad",
    "/auth/sso",
    "/assets",
    "/mobile",
    "/graphql",
    "/cable",
  ];
  const { token } = request.nextauth;
  const email = token?.email?.toLowerCase() ?? "unknown";
  const roles = (token?.roles as string[]) ?? [];
  let headers = {
    "x-forwarded-user": email,
    "x-forwarded-roles": roles.join(","),
  };

  if (request.nextUrl.pathname.startsWith("/dashboards")) {
    return rewriteURL(
      request,
      `${linkBaseURL}/dashboards`,
      opensearchBaseURL,
      headers,
    );
  } else if (request.nextUrl.pathname.startsWith("/zammad")) {
    return rewriteURL(request, `${linkBaseURL}/zammad`, zammadURL, headers);
  } else if (zammadPaths.some((p) => request.nextUrl.pathname.startsWith(p))) {
    return rewriteURL(request, linkBaseURL, zammadURL, headers);
  } else if (request.nextUrl.pathname.startsWith("/api/v1")) {
    if (email && email !== "unknown") {
      return NextResponse.next();
    } else {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
  } else {
    const isDev = process.env.NODE_ENV === "development";
    const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
    const cspHeader = `
    default-src 'self';
    frame-src 'self' https://digiresilience.org;
    connect-src 'self';
    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${isDev ? "'unsafe-eval'" : ""};
    style-src 'self' 'unsafe-inline';
    img-src 'self' blob: data:;
    font-src 'self';
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'self';
    upgrade-insecure-requests;
`;
    const contentSecurityPolicyHeaderValue = cspHeader
      .replace(/\s{2,}/g, " ")
      .trim();

    const requestHeaders = new Headers(request.headers);
    requestHeaders.set("x-nonce", nonce);
    requestHeaders.set(
      "Content-Security-Policy",
      contentSecurityPolicyHeaderValue,
    );

    const response = NextResponse.next({
      request: {
        headers: requestHeaders,
      },
    });

    response.headers.set(
      "Content-Security-Policy",
      contentSecurityPolicyHeaderValue,
    );

    return response;
  }
};

export default withAuth(checkRewrites, {
  callbacks: {
    authorized: ({ token, req }) => {
      if (process.env.SETUP_MODE === "true") {
        return true;
      }

      const path = req.nextUrl.pathname;
      const roles: any = token?.roles ?? [];

      if (path.startsWith("/login")) {
        return true;
      }

      if (path.startsWith("/admin") && !roles.includes("admin")) {
        return false;
      }

      if (roles.includes("admin") || roles.includes("agent")) {
        return true;
      }

      return false;
    },
  },
});

export const config = {
  matcher: [
    "/((?!ws|wss|api/signal|api/whatsapp|_next/static|_next/image|favicon.ico).*)",
  ],
};
WIP 5 2024-03-20 17:51:21 +01:00			`import { NextResponse } from "next/server";`
Changes from live 2023-06-05 14:48:23 +00:00			`import { withAuth, NextRequestWithAuth } from "next-auth/middleware";`
Use NextJS middleware for proxying 2023-05-30 09:05:40 +00:00
WIP 5 2024-03-20 17:51:21 +01:00			`const rewriteURL = (`
			`request: NextRequestWithAuth,`
			`originBaseURL: string,`
			`destinationBaseURL: string,`
			`headers: any = {},`
			`) => {`
Bug fixes #2 2024-10-17 22:39:08 +02:00			`let path = request.url.replace(originBaseURL, "");`
			`if (path.startsWith("/")) {`
			`path = path.slice(1);`
			`}`
			const destinationURL = `${destinationBaseURL}/${path}`;
Use NextJS middleware for proxying 2023-05-30 09:05:40 +00:00			console.log(`Rewriting ${request.url} to ${destinationURL}`);
Cleanup live changes 2023-06-05 15:00:46 +00:00			`const requestHeaders = new Headers(request.headers);`
Login, logout and middleware updates 2024-12-13 16:37:20 +01:00			`for (const [key, value] of requestHeaders.entries()) {`
			console.log(`${key}: ${value}`);
			`}`

Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`requestHeaders.delete("x-forwarded-user");`
Opensearch embed changes 2024-11-28 08:27:20 +01:00			`requestHeaders.delete("x-forwarded-roles");`
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`requestHeaders.delete("connection");`
Zammad send fixes, update deps 2024-08-14 10:51:12 +02:00
Cleanup live changes 2023-06-05 15:00:46 +00:00			`for (const [key, value] of Object.entries(headers)) {`
Flatten 2023-08-25 07:11:33 +00:00			`requestHeaders.set(key, value as string);`
Cleanup live changes 2023-06-05 15:00:46 +00:00			`}`
Zammad send fixes, update deps 2024-08-14 10:51:12 +02:00
WIP 5 2024-03-20 17:51:21 +01:00			`return NextResponse.rewrite(new URL(destinationURL), {`
			`request: { headers: requestHeaders },`
			`});`
Use NextJS middleware for proxying 2023-05-30 09:05:40 +00:00			`};`

Changes from live 2023-06-05 14:48:23 +00:00			`const checkRewrites = async (request: NextRequestWithAuth) => {`
Cleanup live changes 2023-06-05 15:00:46 +00:00			`const linkBaseURL = process.env.LINK_URL ?? "http://localhost:3000";`
			`const zammadURL = process.env.ZAMMAD_URL ?? "http://zammad-nginx:8080";`
Opensearch embed changes 2024-11-28 08:27:20 +01:00			`const opensearchBaseURL =`
			`process.env.OPENSEARCH_DASHBOARDS_URL ??`
			`"http://opensearch-dashboards:5601";`
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00
Zammad send fixes, update deps 2024-08-14 10:51:12 +02:00			`const zammadPaths = [`
			`"/zammad",`
			`"/auth/sso",`
			`"/assets",`
			`"/mobile",`
			`"/graphql",`
			`"/cable",`
			`];`
Flatten 2023-08-25 07:11:33 +00:00			`const { token } = request.nextauth;`
WIP 5 2024-03-20 17:51:21 +01:00			`const email = token?.email?.toLowerCase() ?? "unknown";`
Opensearch embed changes 2024-11-28 08:27:20 +01:00			`const roles = (token?.roles as string[]) ?? [];`
			`let headers = {`
			`"x-forwarded-user": email,`
			`"x-forwarded-roles": roles.join(","),`
			`};`
WIP 5 2024-03-20 17:51:21 +01:00
Opensearch embed changes 2024-11-28 08:27:20 +01:00			`if (request.nextUrl.pathname.startsWith("/dashboards")) {`
			`return rewriteURL(`
			`request,`
			`${linkBaseURL}/dashboards`,
			`opensearchBaseURL,`
			`headers,`
			`);`
			`} else if (request.nextUrl.pathname.startsWith("/zammad")) {`
Whatsapp send and Zammad autologin fixes 2023-09-08 16:34:13 +02:00			return rewriteURL(request, `${linkBaseURL}/zammad`, zammadURL, headers);
WIP 5 2024-03-20 17:51:21 +01:00			`} else if (zammadPaths.some((p) => request.nextUrl.pathname.startsWith(p))) {`
Whatsapp send and Zammad autologin fixes 2023-09-08 16:34:13 +02:00			`return rewriteURL(request, linkBaseURL, zammadURL, headers);`
Login, logout and middleware updates 2024-12-13 16:37:20 +01:00			`} else if (request.nextUrl.pathname.startsWith("/api/v1")) {`
			`if (email && email !== "unknown") {`
			`return NextResponse.next();`
			`} else {`
			`return NextResponse.json({ error: "Unauthorized" }, { status: 401 });`
			`}`
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`} else {`
			`const isDev = process.env.NODE_ENV === "development";`
			`const nonce = Buffer.from(crypto.randomUUID()).toString("base64");`
			const cspHeader = `
			`default-src 'self';`
Opensearch embed changes 2024-11-28 08:27:20 +01:00			`frame-src 'self' https://digiresilience.org;`
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`connect-src 'self';`
			`script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${isDev ? "'unsafe-eval'" : ""};`
			`style-src 'self' 'unsafe-inline';`
			`img-src 'self' blob: data:;`
			`font-src 'self';`
			`object-src 'none';`
			`base-uri 'self';`
			`form-action 'self';`
Login, logout and middleware updates 2024-12-13 16:37:20 +01:00			`frame-ancestors 'self';`
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`upgrade-insecure-requests;`
			`;
			`const contentSecurityPolicyHeaderValue = cspHeader`
			`.replace(/\s{2,}/g, " ")`
			`.trim();`

			`const requestHeaders = new Headers(request.headers);`
			`requestHeaders.set("x-nonce", nonce);`
			`requestHeaders.set(`
			`"Content-Security-Policy",`
			`contentSecurityPolicyHeaderValue,`
			`);`
Flatten 2023-08-25 07:11:33 +00:00
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`const response = NextResponse.next({`
			`request: {`
			`headers: requestHeaders,`
			`},`
			`});`

			`response.headers.set(`
			`"Content-Security-Policy",`
			`contentSecurityPolicyHeaderValue,`
			`);`

			`return response;`
			`}`
Use NextJS middleware for proxying 2023-05-30 09:05:40 +00:00			`};`
Build and type fixes 2023-05-24 20:27:57 +00:00
WIP 5 2024-03-20 17:51:21 +01:00			`export default withAuth(checkRewrites, {`
			`callbacks: {`
			`authorized: ({ token, req }) => {`
			`if (process.env.SETUP_MODE === "true") {`
			`return true;`
			`}`
Build and type fixes 2023-05-24 20:27:57 +00:00
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`const path = req.nextUrl.pathname;`
WIP 5 2024-03-20 17:51:21 +01:00			`const roles: any = token?.roles ?? [];`
Dependency cleanup 2024-08-07 12:02:33 +02:00
Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`if (path.startsWith("/login")) {`
			`return true;`
			`}`

Dependency cleanup 2024-08-07 12:02:33 +02:00			`if (path.startsWith("/admin") && !roles.includes("admin")) {`
			`return false;`
			`}`

WIP 5 2024-03-20 17:51:21 +01:00			`if (roles.includes("admin") \|\| roles.includes("agent")) {`
			`return true;`
			`}`
Make all versions of next and react match 2023-05-25 06:30:36 +00:00
WIP 5 2024-03-20 17:51:21 +01:00			`return false;`
			`},`
			`},`
			`});`
Flatten 2023-08-25 07:11:33 +00:00
			`export const config = {`
Allow api calls to signal/whatsapp 2024-12-19 22:43:17 +01:00			`matcher: [`
			`"/((?!ws\|wss\|api/signal\|api/whatsapp\|_next/static\|_next/image\|favicon.ico).*)",`
			`],`
Flatten 2023-08-25 07:11:33 +00:00			`};`