akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
3a4807b5cda30cb18870f4e4416b3a041070651b
caddy-proxy-manager/proxy.ts
fuomag9 3a16d6e9b1 Replace next-auth with Better Auth, migrate DB columns to camelCase 
- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases)
- Add multi-provider OAuth support with admin UI configuration
- New oauthProviders table with encrypted secrets (AES-256-GCM)
- Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable
- OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers
- Settings page "Authentication Providers" section for admin management
- Account linking uses new accounts table (multi-provider per user)
- Username plugin for credentials sign-in (replaces email@localhost pattern)
- bcrypt password compatibility (existing hashes work)
- Database-backed sessions via Kysely adapter (bun:sqlite direct)
- Configurable rate limiting via AUTH_RATE_LIMIT_* env vars
- All DB columns migrated from snake_case to camelCase
- All TypeScript types/models migrated to camelCase properties
- Removed casing: "snake_case" from Drizzle config
- Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId}
- package-lock.json removed and gitignored (using bun.lock)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 21:11:48 +02:00

98 lines
3.1 KiB
TypeScript
Raw Blame History

import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
import crypto from "node:crypto";
import { auth } from "@/src/lib/auth";
/**
* Next.js Proxy for route protection.
* Provides defense-in-depth by checking authentication at the edge
* before requests reach page components.
*
* Note: Proxy always runs on Node.js runtime.
*/
const isDev = process.env.NODE_ENV === "development";
/**
* Build a nonce-based Content-Security-Policy per request.
* Next.js reads the nonce from the CSP request header and applies it
* to all inline scripts it generates.
*/
function buildCsp(nonce: string): string {
const directives = [
"default-src 'self'",
isDev
? `script-src 'self' 'nonce-${nonce}' 'unsafe-eval' https://cdn.jsdelivr.net`
: `script-src 'self' 'nonce-${nonce}' https://cdn.jsdelivr.net`,
// style-src still needs 'unsafe-inline' for React JSX inline style props
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net",
"font-src 'self' https://fonts.gstatic.com",
"img-src 'self' data: blob:",
"worker-src blob:",
"connect-src 'self'",
"frame-ancestors 'none'",
];
return directives.join("; ");
}
export default async function middleware(req: NextRequest) {
const pathname = req.nextUrl.pathname;
// Allow public routes
if (
pathname === "/login" ||
pathname === "/portal" ||
pathname.startsWith("/api/auth") ||
pathname === "/api/health" ||
pathname === "/api/instances/sync" ||
pathname.startsWith("/api/v1/") ||
pathname.startsWith("/api/forward-auth/")
) {
return NextResponse.next();
}
// Check authentication for protected routes
const session = await auth(req);
const isAuthenticated = !!session?.user;
// Redirect unauthenticated users to login
if (!isAuthenticated && !pathname.startsWith("/login")) {
const loginUrl = new URL("/login", req.url);
return NextResponse.redirect(loginUrl);
}
// Generate per-request nonce for CSP
const nonce = crypto.randomBytes(16).toString("base64");
const csp = buildCsp(nonce);
// Set CSP as a request header so Next.js can read the nonce
const requestHeaders = new Headers(req.headers);
requestHeaders.set("Content-Security-Policy", csp);
const response = NextResponse.next({
request: { headers: requestHeaders },
});
// Also set CSP as a response header for browser enforcement
response.headers.set("Content-Security-Policy", csp);
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("X-Frame-Options", "DENY");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=()");
return response;
}
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* - public folder
*/
"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
],
};
Reference in New Issue View Git Blame Copy Permalink