39 lines
1.5 KiB
TypeScript
39 lines
1.5 KiB
TypeScript
import { NextResponse } from 'next/server'
|
|
import type { NextRequest } from 'next/server'
|
|
|
|
export async function middleware(request: NextRequest) {
|
|
const { pathname } = request.nextUrl
|
|
|
|
// Only protect API routes. /api/voice/event, /api/voice/tools/*, /api/voice/timer
|
|
// have their own bearer-token auth (VOICE_API_KEY) and bypass the cookie check.
|
|
const isVoiceBearer =
|
|
pathname === '/api/voice/event' ||
|
|
pathname.startsWith('/api/voice/tools/') ||
|
|
pathname === '/api/voice/timer'
|
|
if (!pathname.startsWith('/api/') || pathname.startsWith('/api/auth') || pathname.startsWith('/api/spotify') || pathname.startsWith('/api/settings') || isVoiceBearer) {
|
|
return NextResponse.next()
|
|
}
|
|
|
|
// Internal loopback bypass: tool endpoints shell out to other API routes.
|
|
// They pass x-voice-internal with the same VOICE_API_KEY — safe because
|
|
// only processes on the same host (the tablet container itself) know the key.
|
|
const internal = request.headers.get('x-voice-internal')
|
|
if (internal && internal === process.env.VOICE_API_KEY) {
|
|
return NextResponse.next()
|
|
}
|
|
|
|
// Check auth by forwarding to auth check
|
|
const token = request.cookies.get('auth_token')?.value
|
|
if (!token) {
|
|
return NextResponse.json({ error: 'unauthorized' }, { status: 401 })
|
|
}
|
|
|
|
// Let the request through — individual API routes can do further validation if needed
|
|
// The auth cookie existence is sufficient since it is httpOnly and set by server
|
|
return NextResponse.next()
|
|
}
|
|
|
|
export const config = {
|
|
matcher: ['/api/:path*'],
|
|
}
|