51 lines
1.5 KiB
TypeScript
51 lines
1.5 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
import { jwtVerify } from 'jose';
|
|
|
|
const SESSION_COOKIE_NAME = 'auth_session';
|
|
|
|
export async function proxy(request: NextRequest) {
|
|
const { pathname } = request.nextUrl;
|
|
|
|
// Wenn AUTH_USERS nicht gesetzt, alles durchlassen
|
|
if (!process.env.AUTH_USERS) {
|
|
return NextResponse.next();
|
|
}
|
|
|
|
// /login und /api/check sind öffentlich
|
|
const publicPaths = ['/login', '/api/check'];
|
|
if (publicPaths.some(p => pathname.startsWith(p))) {
|
|
return NextResponse.next();
|
|
}
|
|
|
|
const sessionCookie = request.cookies.get(SESSION_COOKIE_NAME);
|
|
if (!sessionCookie) {
|
|
return NextResponse.redirect(new URL('/login', request.url));
|
|
}
|
|
|
|
try {
|
|
const secretKey = process.env.AUTH_SECRET || 'default-secret-change-in-production';
|
|
const key = new TextEncoder().encode(secretKey);
|
|
const { payload } = await jwtVerify(sessionCookie.value, key, {
|
|
algorithms: ['HS256'],
|
|
});
|
|
|
|
if (payload.expiresAt && (payload.expiresAt as number) < Date.now()) {
|
|
const response = NextResponse.redirect(new URL('/login', request.url));
|
|
response.cookies.delete(SESSION_COOKIE_NAME);
|
|
return response;
|
|
}
|
|
|
|
return NextResponse.next();
|
|
} catch {
|
|
const response = NextResponse.redirect(new URL('/login', request.url));
|
|
response.cookies.delete(SESSION_COOKIE_NAME);
|
|
return response;
|
|
}
|
|
}
|
|
|
|
export const config = {
|
|
matcher: [
|
|
'/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
|
|
],
|
|
};
|