frontend/src/middleware.ts

import { jwtDecode } from "jwt-decode";
import { NextRequest, NextResponse } from "next/server";
import configService from "./services/config.service";

// This middleware redirects based on different conditions:
// - Authentication state
// - Setup status
// - Admin privileges

export const config = {
  matcher: "/((?!api|static|.*\\..*|_next).*)",
};

export async function middleware(request: NextRequest) {
  const routes = {
    unauthenticated: new Routes(["/auth/*", "/"]),
    public: new Routes(["/share/*", "/s/*", "/upload/*", "/error"]),
    admin: new Routes(["/admin/*"]),
    account: new Routes(["/account*"]),
    disabled: new Routes([]),
  };

  // Get config from backend
  const apiUrl = process.env.API_URL || "http://localhost:8080";
  const config = await (await fetch(`${apiUrl}/api/configs`)).json();

  const getConfig = (key: string) => {
    return configService.get(key, config);
  };

  const route = request.nextUrl.pathname;
  let user: { isAdmin: boolean } | null = null;
  const accessToken = request.cookies.get("access_token")?.value;

  try {
    const claims = jwtDecode<{ exp: number; isAdmin: boolean }>(
      accessToken as string,
    );
    if (claims.exp * 1000 > Date.now()) {
      user = claims;
    }
  } catch {
    user = null;
  }

  if (!getConfig("share.allowRegistration")) {
    routes.disabled.routes.push("/auth/signUp");
  }

  if (getConfig("share.allowUnauthenticatedShares")) {
    routes.public.routes = ["*"];
  }

  if (!getConfig("smtp.enabled")) {
    routes.disabled.routes.push("/auth/resetPassword*");
  }

  // prettier-ignore
  const rules = [
    // Disabled routes
    {
      condition: routes.disabled.contains(route),
      path: "/",
    },
     // Authenticated state
     {
      condition: user && routes.unauthenticated.contains(route) && !getConfig("share.allowUnauthenticatedShares"),
      path: "/upload",
    },
    // Unauthenticated state
    {
      condition: !user && !routes.public.contains(route) && !routes.unauthenticated.contains(route),
      path: "/auth/signIn",
    },
    {
      condition: !user && routes.account.contains(route),
      path: "/upload",
    },
    // Admin privileges
    {
      condition: routes.admin.contains(route) && !user?.isAdmin,
      path: "/upload",
    },
    // Home page
    {
      condition: (!getConfig("general.showHomePage") || user) && route == "/",
      path: "/upload",
    },
  ];
  for (const rule of rules) {
    if (rule.condition) {
      let { path } = rule;

      if (path == "/auth/signIn") {
        path = path + "?redirect=" + encodeURIComponent(route);
      }
      return NextResponse.redirect(new URL(path, request.url));
    }
  }
}

// Helper class to check if a route matches a list of routes
class Routes {
  // eslint-disable-next-line no-unused-vars
  constructor(public routes: string[]) {}

  contains(_route: string) {
    for (const route of this.routes) {
      if (new RegExp("^" + route.replace(/\*/g, ".*") + "$").test(_route))
        return true;
    }
    return false;
  }
}
chore: dump dependencies 2024-09-18 11:04:06 +02:00			`import { jwtDecode } from "jwt-decode";`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`import { NextRequest, NextResponse } from "next/server";`
			`import configService from "./services/config.service";`

			`// This middleware redirects based on different conditions:`
			`// - Authentication state`
			`// - Setup status`
			`// - Admin privileges`

			`export const config = {`
			`matcher: "/((?!api\|static\|.\\..\|_next).*)",`
			`};`

			`export async function middleware(request: NextRequest) {`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`const routes = {`
feat: allow multiple shares with one reverse share link 2023-02-10 11:10:07 +01:00			`unauthenticated: new Routes(["/auth/*", "/"]),`
feat(auth): add OAuth2 login (#276) * feat(auth): add OAuth2 login with GitHub and Google * chore(translations): add files for Japanese * fix(auth): fix link function for GitHub * feat(oauth): basic oidc implementation * feat(oauth): oauth guard * fix: disable image optimizations for logo to prevent caching issues with custom logos * fix: memory leak while downloading large files * chore(translations): update translations via Crowdin (#278) * New translations en-us.ts (Japanese) * New translations en-us.ts (Japanese) * New translations en-us.ts (Japanese) * release: 0.18.2 * doc(translations): Add Japanese README (#279) * Added Japanese README. * Added JAPANESE README link to README.md. * Updated Japanese README. * Updated Environment Variable Table. * updated zh-cn README. * feat(oauth): unlink account * refactor(oauth): make providers extensible * fix(oauth): fix discoveryUri error when toggle google-enabled * feat(oauth): add microsoft and discord as oauth provider * docs(oauth): update README.md * docs(oauth): update oauth2-guide.md * set password to null for new oauth users * New translations en-us.ts (Japanese) (#281) * chore(translations): add Polish files * fix(oauth): fix random username and password * feat(oauth): add totp * fix(oauth): fix totp throttle * fix(oauth): fix qrcode and remove comment * feat(oauth): add error page * fix(oauth): i18n of error page * feat(auth): add OAuth2 login * fix(auth): fix link function for GitHub * feat(oauth): basic oidc implementation * feat(oauth): oauth guard * feat(oauth): unlink account * refactor(oauth): make providers extensible * fix(oauth): fix discoveryUri error when toggle google-enabled * feat(oauth): add microsoft and discord as oauth provider * docs(oauth): update README.md * docs(oauth): update oauth2-guide.md * set password to null for new oauth users * fix(oauth): fix random username and password * feat(oauth): add totp * fix(oauth): fix totp throttle * fix(oauth): fix qrcode and remove comment * feat(oauth): add error page * fix(oauth): i18n of error page * refactor: return null instead of `false` in `getIdOfCurrentUser` functiom * feat: show original oauth error if available * refactor: run formatter * refactor(oauth): error message i18n * refactor(oauth): make OAuth token available someone may use it (to revoke token or get other info etc.) also improved the i18n message * chore(oauth): remove unused import * chore: add database migration * fix: missing python installation for nanoid --------- Co-authored-by: Elias Schneider <login@eliasschneider.com> Co-authored-by: ふうせん <10260662+fusengum@users.noreply.github.com> 2023-10-22 22:09:53 +08:00			`public: new Routes(["/share/", "/s/", "/upload/*", "/error"]),`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`admin: new Routes(["/admin/*"]),`
feat: custom branding (#112) * add first concept * remove setup status * split config page in multiple components * add custom branding docs * add test email button * fix invalid email from header * add migration * mount images to host * update docs * remove unused endpoint * run formatter 2023-03-04 23:29:00 +01:00			`account: new Routes(["/account*"]),`
feat: allow multiple shares with one reverse share link 2023-02-10 11:10:07 +01:00			`disabled: new Routes([]),`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`};`

refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`// Get config from backend`
fix: replace middleware backend url with local backend url 2024-01-23 15:22:08 +01:00			`const apiUrl = process.env.API_URL \|\| "http://localhost:8080";`
			const config = await (await fetch(`${apiUrl}/api/configs`)).json();
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00
			`const getConfig = (key: string) => {`
			`return configService.get(key, config);`
			`};`

			`const route = request.nextUrl.pathname;`
			`let user: { isAdmin: boolean } \| null = null;`
			`const accessToken = request.cookies.get("access_token")?.value;`

			`try {`
			`const claims = jwtDecode<{ exp: number; isAdmin: boolean }>(`
fix: user enumaration on forgot password page 2024-02-18 21:46:50 +01:00			`accessToken as string,`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`);`
			`if (claims.exp * 1000 > Date.now()) {`
			`user = claims;`
			`}`
			`} catch {`
			`user = null;`
			`}`

feat: custom branding (#112) * add first concept * remove setup status * split config page in multiple components * add custom branding docs * add test email button * fix invalid email from header * add migration * mount images to host * update docs * remove unused endpoint * run formatter 2023-03-04 23:29:00 +01:00			`if (!getConfig("share.allowRegistration")) {`
feat: allow multiple shares with one reverse share link 2023-02-10 11:10:07 +01:00			`routes.disabled.routes.push("/auth/signUp");`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`}`

feat: custom branding (#112) * add first concept * remove setup status * split config page in multiple components * add custom branding docs * add test email button * fix invalid email from header * add migration * mount images to host * update docs * remove unused endpoint * run formatter 2023-03-04 23:29:00 +01:00			`if (getConfig("share.allowUnauthenticatedShares")) {`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`routes.public.routes = ["*"];`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`}`

feat: custom branding (#112) * add first concept * remove setup status * split config page in multiple components * add custom branding docs * add test email button * fix invalid email from header * add migration * mount images to host * update docs * remove unused endpoint * run formatter 2023-03-04 23:29:00 +01:00			`if (!getConfig("smtp.enabled")) {`
feat: allow multiple shares with one reverse share link 2023-02-10 11:10:07 +01:00			`routes.disabled.routes.push("/auth/resetPassword*");`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`}`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00
			`// prettier-ignore`
			`const rules = [`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`// Disabled routes`
			`{`
feat: allow multiple shares with one reverse share link 2023-02-10 11:10:07 +01:00			`condition: routes.disabled.contains(route),`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`path: "/",`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`},`
			`// Authenticated state`
			`{`
feat: custom branding (#112) * add first concept * remove setup status * split config page in multiple components * add custom branding docs * add test email button * fix invalid email from header * add migration * mount images to host * update docs * remove unused endpoint * run formatter 2023-03-04 23:29:00 +01:00			`condition: user && routes.unauthenticated.contains(route) && !getConfig("share.allowUnauthenticatedShares"),`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`path: "/upload",`
			`},`
			`// Unauthenticated state`
			`{`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`condition: !user && !routes.public.contains(route) && !routes.unauthenticated.contains(route),`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`path: "/auth/signIn",`
			`},`
			`{`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`condition: !user && routes.account.contains(route),`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`path: "/upload",`
			`},`
			`// Admin privileges`
			`{`
feat!: reset password with email 2023-02-09 18:17:53 +01:00			`condition: routes.admin.contains(route) && !user?.isAdmin,`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`path: "/upload",`
			`},`
			`// Home page`
			`{`
feat: custom branding (#112) * add first concept * remove setup status * split config page in multiple components * add custom branding docs * add test email button * fix invalid email from header * add migration * mount images to host * update docs * remove unused endpoint * run formatter 2023-03-04 23:29:00 +01:00			`condition: (!getConfig("general.showHomePage") \|\| user) && route == "/",`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`path: "/upload",`
			`},`
			`];`
			`for (const rule of rules) {`
fix: invalid redirection after jwt expiry 2023-02-06 11:15:46 +01:00			`if (rule.condition) {`
			`let { path } = rule;`

			`if (path == "/auth/signIn") {`
			`path = path + "?redirect=" + encodeURIComponent(route);`
			`}`
			`return NextResponse.redirect(new URL(path, request.url));`
			`}`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`}`
			`}`
feat!: reset password with email 2023-02-09 18:17:53 +01:00
			`// Helper class to check if a route matches a list of routes`
			`class Routes {`
			`// eslint-disable-next-line no-unused-vars`
			`constructor(public routes: string[]) {}`

			`contains(_route: string) {`
			`for (const route of this.routes) {`
			`if (new RegExp("^" + route.replace(/\/g, ".") + "$").test(_route))`
			`return true;`
			`}`
			`return false;`
			`}`
			`}`