-
Notifications
You must be signed in to change notification settings - Fork 200
/
middleware.ts
77 lines (71 loc) · 2.38 KB
/
middleware.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
import { NextResponse, type NextRequest } from "next/server";
const corsOptions: {
allowedMethods: string[];
allowedOrigins: string[];
allowedHeaders: string[];
exposedHeaders: string[];
maxAge?: number;
credentials: boolean;
} = {
allowedMethods: (process.env?.ALLOWED_METHODS || "").split(","),
allowedOrigins: (process.env?.ALLOWED_ORIGIN || "").split(","),
allowedHeaders: (process.env?.ALLOWED_HEADERS || "").split(","),
exposedHeaders: (process.env?.EXPOSED_HEADERS || "").split(","),
maxAge:
(process.env?.PREFLIGHT_MAX_AGE &&
parseInt(process.env?.PREFLIGHT_MAX_AGE)) ||
undefined, // 60 * 60 * 24 * 30, // 30 days
credentials: process.env?.CREDENTIALS == "true",
};
/**
* Middleware function that handles CORS configuration for API routes.
*
* This middleware function is responsible for setting the appropriate CORS headers
* on the response, based on the configured CORS options. It checks the origin of
* the request and sets the `Access-Control-Allow-Origin` header accordingly. It
* also sets the other CORS-related headers, such as `Access-Control-Allow-Credentials`,
* `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, and
* `Access-Control-Expose-Headers`.
*
* The middleware function is configured to be applied to all API routes, as defined
* by the `config` object at the end of the file.
*/
export function middleware(request: NextRequest) {
// Response
const response = NextResponse.next();
// Allowed origins check
const origin = request.headers.get("origin") ?? "";
if (
corsOptions.allowedOrigins.includes("*") ||
corsOptions.allowedOrigins.includes(origin)
) {
response.headers.set("Access-Control-Allow-Origin", origin);
}
// Set default CORS headers
response.headers.set(
"Access-Control-Allow-Credentials",
corsOptions.credentials.toString()
);
response.headers.set(
"Access-Control-Allow-Methods",
corsOptions.allowedMethods.join(",")
);
response.headers.set(
"Access-Control-Allow-Headers",
corsOptions.allowedHeaders.join(",")
);
response.headers.set(
"Access-Control-Expose-Headers",
corsOptions.exposedHeaders.join(",")
);
response.headers.set(
"Access-Control-Max-Age",
corsOptions.maxAge?.toString() ?? ""
);
// Return
return response;
}
// See "Matching Paths" below to learn more
export const config = {
matcher: "/api/authenticate",
};