letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
221ae5784e36c131db86ff0731914b62ae58a45a
pn-new-crm/src/proxy.ts
Matt 221ae5784e chore(autonomous-session): consolidate uncommitted work from prior session 
Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy
2026-05-23 00:52:59 +02:00

240 lines
9.6 KiB
TypeScript
Raw Blame History

import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
/**
* Per-request CSP nonce - drops `'unsafe-inline'` from script-src in
* prod by giving every inline script a unique nonce that Next reads
* from the `content-security-policy` REQUEST header and threads through
* its RSC bootstrap + Server Actions. build-auditor H1.
*
* Dev keeps `'unsafe-inline' 'unsafe-eval'` because Next HMR injects
* runtime-evaluated scripts the nonce mechanism doesn't reach.
* style-src stays at `'unsafe-inline'` because Tailwind/Radix runtime
* style injection has no nonce story yet (revisit when Tailwind v5
* ships a nonce-able API).
*/
function buildCspWithNonce(nonce: string, isProd: boolean): string {
const scriptSrc = isProd
? `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`
: "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://unpkg.com https://unpkg.com";
const connectSrc = isProd
? "connect-src 'self' ws: wss: https:"
: "connect-src 'self' ws: wss: https: http://unpkg.com https://unpkg.com";
return [
"default-src 'self'",
scriptSrc,
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: blob: https:",
"font-src 'self' data:",
connectSrc,
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
"object-src 'none'",
].join('; ');
}
function generateNonce(): string {
// crypto.randomUUID is collision-free across requests; base64-encode
// to match the CSP spec shape (no `-`/`_`-only restrictions for
// CSP3 nonce values, but base64 stays safe across HTTP header
// serialization).
return Buffer.from(crypto.randomUUID()).toString('base64');
}
/**
* Paths that do not require an authenticated session.
* Checked with startsWith, so /auth/ covers /auth/callback etc.
*/
const PUBLIC_PATHS: string[] = [
'/login',
'/reset-password',
'/set-password',
'/auth/',
'/api/auth/',
'/api/public/',
'/api/health',
'/api/webhooks/',
// First-run / cold-start: the unauthenticated /setup and /login pages
// call /api/v1/bootstrap/status to decide whether to render the setup
// form. The route handlers self-protect via hasAnySuperAdmin().
'/setup',
'/api/v1/bootstrap/',
'/scan',
// §7.1: public sales-playbook docs (deal pulse, etc) so the "Full
// guide" link inside the in-app popover is reachable without a
// session - and shareable to external collaborators.
'/docs/',
// M-R01: portal allowlist narrowed from blanket `/portal/` to the
// unauthenticated entry-point routes only. Other `/portal/*` paths
// now flow through the middleware backstop below which redirects to
// `/portal/login` when the portal_session cookie is missing. Closes
// the silent-bypass class where a new portal route landed without
// its own session check.
'/portal/login',
'/portal/activate',
'/portal/reset-password',
// Portal API endpoints handle their own session checks (better-auth).
'/api/portal/',
// Token-gated email-change endpoints. The confirm/cancel links land in
// a fresh browser (the user may not be signed in on this device), so
// they need to bypass the session 401 gate. The endpoints validate a
// signed sha256-hashed token instead - that's the auth.
'/api/v1/me/email/confirm/',
'/api/v1/me/email/cancel/',
];
function isPublicPath(pathname: string): boolean {
// Per-port PWA manifests sit under `/<portSlug>/scan/manifest.webmanifest`
// and need to be fetchable without a session - browsers fetch them eagerly
// during install / first paint. The manifest only contains port name +
// icon paths, no sensitive data, so making it public is safe.
if (pathname.endsWith('/scan/manifest.webmanifest')) return true;
return PUBLIC_PATHS.some((prefix) => pathname === prefix || pathname.startsWith(prefix));
}
function isApiRoute(pathname: string): boolean {
return pathname.startsWith('/api/');
}
const STATE_CHANGING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
/**
* SameSite=Lax cookies block top-level cross-site POSTs in modern browsers,
* but defense-in-depth: every state-changing request to a session-authed
* `/api/v1/**` endpoint must originate from the same origin as the app.
* Webhooks (`/api/webhooks/**`) and public posts (`/api/public/**`) are
* exempt because they're called by external systems with no session
* cookie. Auth flows (`/api/auth/**`) and portal (`/api/portal/**`) handle
* their own origin/CSRF checks via better-auth.
*/
function isOriginCheckedPath(pathname: string): boolean {
if (!pathname.startsWith('/api/v1/')) return false;
return true;
}
function originAllowed(request: NextRequest): boolean {
const origin = request.headers.get('origin');
const referer = request.headers.get('referer');
// Same-origin fetch from the app sends both Origin AND a matching host.
// Use request.nextUrl.origin (the deployed origin) as the source of truth.
const expectedOrigin = request.nextUrl.origin;
if (origin) return origin === expectedOrigin;
if (referer) {
try {
return new URL(referer).origin === expectedOrigin;
} catch {
return false;
}
}
// Neither header present: most browser fetches always send Origin on
// POST/PUT/PATCH/DELETE, so this likely means a same-origin server-side
// call (e.g. Next.js internal fetch). Allow.
return true;
}
/**
* Apply per-request CSP to a NextResponse. Skipped for API routes
* (they don't render HTML so script-src is irrelevant) and for
* already-built responses that have set their own CSP (e.g. redirects
* where the static next.config CSP applies).
*/
function applyCsp(response: NextResponse, nonce: string, pathname: string): NextResponse {
if (isApiRoute(pathname)) return response;
const isProd = process.env.NODE_ENV === 'production';
response.headers.set('Content-Security-Policy', buildCspWithNonce(nonce, isProd));
response.headers.set('x-nonce', nonce);
return response;
}
export function proxy(request: NextRequest): NextResponse {
const { pathname } = request.nextUrl;
// Mint a per-request nonce up-front so HTML responses can carry it.
// Cheap (one UUID + base64) so we always do it; the apply step
// skips API routes that don't need it.
const nonce = generateNonce();
const isProd = process.env.NODE_ENV === 'production';
// CSRF defense-in-depth: state-changing requests to authed /api/v1
// endpoints must come from the app's own origin. Skipped in dev so
// LAN testing (e.g. real iPhone hitting the Mac via 192.168.x.x while
// a Mac browser tab is loaded from localhost) doesn't trip on the
// origin mismatch. Production keeps the check.
if (
process.env.NODE_ENV !== 'development' &&
STATE_CHANGING_METHODS.has(request.method) &&
isOriginCheckedPath(pathname) &&
!originAllowed(request)
) {
return NextResponse.json(
{ error: 'Cross-origin state-changing request rejected' },
{ status: 403 },
);
}
// Always allow public paths through
if (isPublicPath(pathname)) {
// Forward the nonce in the REQUEST header so Next's RSC bootstrap
// can read it via `headers()` and stamp it onto every inline
// <script>. The browser-facing CSP is set on the response below.
const requestHeaders = new Headers(request.headers);
requestHeaders.set('content-security-policy', buildCspWithNonce(nonce, isProd));
requestHeaders.set('x-nonce', nonce);
return applyCsp(NextResponse.next({ request: { headers: requestHeaders } }), nonce, pathname);
}
// M-R01: portal pages use a distinct cookie (`portal_session`) from
// the CRM (`pn-crm.session_token`). Backstop here so any future
// /portal/* page that forgets its own session check gets caught.
if (pathname.startsWith('/portal/')) {
const portalSession = request.cookies.get('portal_session');
if (!portalSession?.value) {
const loginUrl = new URL('/portal/login', request.url);
loginUrl.searchParams.set('redirect', pathname + request.nextUrl.search);
return NextResponse.redirect(loginUrl);
}
const requestHeaders = new Headers(request.headers);
requestHeaders.set('content-security-policy', buildCspWithNonce(nonce, isProd));
requestHeaders.set('x-nonce', nonce);
return applyCsp(NextResponse.next({ request: { headers: requestHeaders } }), nonce, pathname);
}
const sessionToken = request.cookies.get('pn-crm.session_token');
if (!sessionToken?.value) {
if (isApiRoute(pathname)) {
// API routes return 401 JSON - never redirect
return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
}
// Page routes redirect to /login, preserving the intended destination
const loginUrl = new URL('/login', request.url);
loginUrl.searchParams.set('redirect', pathname + request.nextUrl.search);
return NextResponse.redirect(loginUrl);
}
const requestHeaders = new Headers(request.headers);
requestHeaders.set('content-security-policy', buildCspWithNonce(nonce, isProd));
requestHeaders.set('x-nonce', nonce);
return applyCsp(NextResponse.next({ request: { headers: requestHeaders } }), nonce, pathname);
}
export const config = {
matcher: [
/*
* Match all request paths except:
* - _next/static (static files)
* - _next/image (Next.js image optimisation)
* - favicon.ico (browser tab icon)
* - /images/ (public image assets)
* - manifest.json (PWA manifest - must be unauthed for installability)
* - icon-*.png (PWA + apple-touch icons referenced by manifest)
* - apple-touch-icon (iOS home-screen icon)
*/
'/((?!_next/static|_next/image|favicon\\.ico|images/|manifest\\.json|icon-|apple-touch-icon).*)',
],
};
Reference in New Issue View Git Blame Copy Permalink