Mist, jetzt vielleicht

proxy.ts

@@ -0,0 +1,50 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { jwtVerify } from 'jose';
+
+const SESSION_COOKIE_NAME = 'auth_session';
+
+export async function proxy(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+
+  // Wenn AUTH_USERS nicht gesetzt, alles durchlassen
+  if (!process.env.AUTH_USERS) {
+    return NextResponse.next();
+  }
+
+  // /login und /api/check sind öffentlich
+  const publicPaths = ['/login', '/api/check'];
+  if (publicPaths.some(p => pathname.startsWith(p))) {
+    return NextResponse.next();
+  }
+
+  const sessionCookie = request.cookies.get(SESSION_COOKIE_NAME);
+  if (!sessionCookie) {
+    return NextResponse.redirect(new URL('/login', request.url));
+  }
+
+  try {
+    const secretKey = process.env.AUTH_SECRET || 'default-secret-change-in-production';
+    const key = new TextEncoder().encode(secretKey);
+    const { payload } = await jwtVerify(sessionCookie.value, key, {
+      algorithms: ['HS256'],
+    });
+
+    if (payload.expiresAt && (payload.expiresAt as number) < Date.now()) {
+      const response = NextResponse.redirect(new URL('/login', request.url));
+      response.cookies.delete(SESSION_COOKIE_NAME);
+      return response;
+    }
+
+    return NextResponse.next();
+  } catch {
+    const response = NextResponse.redirect(new URL('/login', request.url));
+    response.cookies.delete(SESSION_COOKIE_NAME);
+    return response;
+  }
+}
+
+export const config = {
+  matcher: [
+    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
+  ],
+};