sr2/link-stack
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Clean up middleware, add security-headers to non-Zammad pages

Browse source
This commit is contained in:
Darren Clarke 2024-09-04 12:09:28 +02:00
parent 027aac3a92
commit 8c6e954fdf
9 changed files with 81 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

74
apps/link/middleware.ts
View file

@ -10,11 +10,12 @@ const rewriteURL = (
const destinationURL = request.url.replace(originBaseURL, destinationBaseURL);
console.log(`Rewriting ${request.url} to ${destinationURL}`);
const requestHeaders = new Headers(request.headers);
requestHeaders.delete("x-forwarded-user");
requestHeaders.delete("connection");
for (const [key, value] of Object.entries(headers)) {
requestHeaders.set(key, value as string);
}
requestHeaders.delete("connection");
return NextResponse.rewrite(new URL(destinationURL), {
request: { headers: requestHeaders },
@ -24,11 +25,9 @@ const rewriteURL = (
const checkRewrites = async (request: NextRequestWithAuth) => {
const linkBaseURL = process.env.LINK_URL ?? "http://localhost:3000";
const zammadURL = process.env.ZAMMAD_URL ?? "http://zammad-nginx:8080";
const opensearchDashboardsURL =
process.env.OPENSEARCH_DASHBOARDS_URL ?? "http://macmini:5601";
const zammadPaths = [
"/zammad",
"/api/v1",
"/auth/sso",
"/assets",
"/mobile",
@ -39,28 +38,50 @@ const checkRewrites = async (request: NextRequestWithAuth) => {
const email = token?.email?.toLowerCase() ?? "unknown";
let headers = { "x-forwarded-user": email };
if (request.nextUrl.pathname.startsWith("/dashboards")) {
const roles: string[] = (token?.roles as string[]) ?? [];
const leafcutterRole = roles.includes("admin")
? "leafcutter_admin"
: "leafcutter_user";
headers["x-forwarded-roles"] = leafcutterRole;
// headers["secruitytenant"] = "global";
// headers["x-forwarded-for"] = 'link';
return rewriteURL(
request,
`${linkBaseURL}/dashboards`,
opensearchDashboardsURL,
headers,
);
} else if (request.nextUrl.pathname.startsWith("/zammad")) {
if (request.nextUrl.pathname.startsWith("/zammad")) {
return rewriteURL(request, `${linkBaseURL}/zammad`, zammadURL, headers);
} else if (zammadPaths.some((p) => request.nextUrl.pathname.startsWith(p))) {
return rewriteURL(request, linkBaseURL, zammadURL, headers);
}
} else {
const isDev = process.env.NODE_ENV === "development";
const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
const cspHeader = `
default-src 'self';
connect-src 'self';
script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${isDev ? "'unsafe-eval'" : ""};
style-src 'self' 'unsafe-inline';
img-src 'self' blob: data:;
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
upgrade-insecure-requests;
`;
const contentSecurityPolicyHeaderValue = cspHeader
.replace(/\s{2,}/g, " ")
.trim();
return NextResponse.next();
const requestHeaders = new Headers(request.headers);
requestHeaders.set("x-nonce", nonce);
requestHeaders.set(
"Content-Security-Policy",
contentSecurityPolicyHeaderValue,
);
const response = NextResponse.next({
request: {
headers: requestHeaders,
},
});
response.headers.set(
"Content-Security-Policy",
contentSecurityPolicyHeaderValue,
);
return response;
}
};
export default withAuth(checkRewrites, {
@ -69,12 +90,11 @@ export default withAuth(checkRewrites, {
},
callbacks: {
authorized: ({ token, req }) => {
const path = req.nextUrl.pathname;
if (process.env.SETUP_MODE === "true") {
return true;
}
const path = req.nextUrl.pathname;
const roles: any = token?.roles ?? [];
if (path.startsWith("/admin") && !roles.includes("admin")) {
@ -91,7 +111,9 @@ export default withAuth(checkRewrites, {
});
export const config = {
matcher: [
"/((?!ws|wss|api/v1|api/signal|api/whatsapp|api/facebook|_next/static|_next/image|favicon.ico).*)",
matcher: ["/((?!ws|wss|api|_next/static|_next/image|favicon.ico).*)"],
missing: [
{ type: "header", key: "next-router-prefetch" },
{ type: "header", key: "purpose", value: "prefetch" },
],
};