fix: use Web Crypto API in middleware (Edge Runtime compat)

2026-04-22 19:12:19 +00:00
parent bdbf0f363e
commit c7fc4d6e8e
2 changed files with 12 additions and 9 deletions
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,11 +1,18 @@
 import { NextResponse } from 'next/server'
 import type { NextRequest } from 'next/server'
-import * as crypto from 'crypto'

-export function middleware(request: NextRequest) {
+async function hmacSha256(secret: string, message: string): Promise<string> {
+  const enc = new TextEncoder()
+  const key = await crypto.subtle.importKey(
+    'raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']
+  )
+  const sig = await crypto.subtle.sign('HMAC', key, enc.encode(message))
+  return Array.from(new Uint8Array(sig)).map(b => b.toString(16).padStart(2, '0')).join('')
+}
+
+export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl

-  // Allow auth API and static assets
  if (
    pathname.startsWith('/api/auth') ||
    pathname.startsWith('/_next') ||
@@ -18,15 +25,12 @@ export function middleware(request: NextRequest) {
  const token = request.cookies.get('auth_token')?.value
  const pin = process.env.APP_PIN || '1234'
  const secret = process.env.APP_SECRET || 'smart-home-default-secret-change-me'
-  const expectedToken = crypto.createHmac('sha256', secret).update(pin).digest('hex')
+  const expectedToken = await hmacSha256(secret, pin)

  if (token !== expectedToken) {
-    // For API routes, return 401
    if (pathname.startsWith('/api/')) {
      return NextResponse.json({ error: 'unauthorized' }, { status: 401 })
    }
-
-    // For page requests, rewrite to show login (handled client-side)
    const url = request.nextUrl.clone()
    url.searchParams.set('locked', '1')
    return NextResponse.rewrite(url)