-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathproxy.ts
More file actions
93 lines (79 loc) · 3.54 KB
/
proxy.ts
File metadata and controls
93 lines (79 loc) · 3.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
// Next.js 16 renamed `middleware.ts` to `proxy.ts` (export `proxy`).
// Three jobs:
// 1. Refresh the Supabase session cookie on every request (so RSC / Server
// Actions see a fresh JWT).
// 2. Redirect unauthenticated users away from app routes to /login.
// 3. Once signed in, gate the app behind /connect-canvas until the user has
// connected their UCSC Canvas — onboarding step right after magic link.
import { NextResponse, type NextRequest } from 'next/server';
import { createServerClient } from '@supabase/ssr';
// Always pass through. Static assets, route handlers (which enforce their own
// auth), and Supabase auth callbacks must never be intercepted.
const PASSTHROUGH_PREFIXES = ['/auth/', '/_next/', '/api/'];
// Visible without a session.
const SIGNED_OUT_ALLOWED = new Set(['/login', '/']);
// Visible to a signed-in user who hasn't connected Canvas yet.
const ONBOARDING_ALLOWED = new Set(['/connect-canvas']);
export async function proxy(request: NextRequest) {
const response = NextResponse.next({ request });
const supabase = createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{
cookies: {
getAll() {
return request.cookies.getAll();
},
setAll(cookiesToSet) {
cookiesToSet.forEach(({ name, value, options }) => {
request.cookies.set(name, value);
response.cookies.set(name, value, options);
});
},
},
},
);
const path = request.nextUrl.pathname;
if (PASSTHROUGH_PREFIXES.some((p) => path.startsWith(p))) {
return response;
}
// Routing decision uses getSession() rather than getUser(): we only need to
// know whether a session cookie exists, and getSession() reads cookies
// locally instead of round-tripping to Supabase's auth API on every nav.
// The auth API call is the failure mode we kept tripping over during the
// demo — a transient 5xx or network blip there would null out `user` and
// bounce a logged-in tester back to /login mid-tour. Page-level RSC still
// calls getUser() before rendering anything sensitive, so we don't lose
// any guarantees by trusting the cookie at the routing layer.
const {
data: { session },
} = await supabase.auth.getSession();
// Not signed in → only / and /login are reachable.
if (!session) {
if (SIGNED_OUT_ALLOWED.has(path)) return response;
const loginUrl = new URL('/login', request.url);
loginUrl.searchParams.set('next', path);
return NextResponse.redirect(loginUrl);
}
// Signed in: check whether they've completed Canvas onboarding. We only
// intercept GETs so server-action POSTs (sign-out, magic-link send, etc.)
// can still execute on their original target route.
if (request.method === 'GET' && !ONBOARDING_ALLOWED.has(path)) {
const { data: profile, error: profileError } = await supabase
.from('profiles')
.select('canvas_connected')
.eq('id', session.user.id)
.maybeSingle();
// If the profile read errored (RLS misconfig, cold connection), let the
// page through and rely on its own auth check rather than redirecting
// a legitimate user to /connect-canvas.
if (!profileError && profile && profile.canvas_connected !== true) {
return NextResponse.redirect(new URL('/connect-canvas', request.url));
}
}
return response;
}
export const config = {
// Run on everything except static assets & favicons.
matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico)$).*)'],
};