import { NextResponse } from 'next/server';
// Name of the cookie that carries the server-minted CSRF token.
const csrfCookieName = 'csrf';

// The cookie is flagged Secure only when COOKIE_SECURE is exactly the string
// 'true'; unset or any other value produces a non-Secure cookie.
const cookieSecure = String(process.env.COOKIE_SECURE) === 'true';
/**
 * Mints a fresh CSRF token: 32 bytes from the Web Crypto CSPRNG
 * (`crypto.getRandomValues`), rendered as 64 lowercase hex characters.
 *
 * @returns {string} 64-character lowercase hex string
 */
function createToken() {
  // getRandomValues fills the buffer in place and returns the same view.
  const raw = crypto.getRandomValues(new Uint8Array(32));
  let hex = '';
  for (const byte of raw) {
    hex += byte.toString(16).padStart(2, '0');
  }
  return hex;
}
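/**
 * Next.js proxy (middleware) that guarantees every matched request carries a
 * server-minted CSRF token cookie.
 *
 * - A request whose `csrf` cookie already holds a well-formed token (64
 *   lowercase hex characters, the shape `createToken()` emits) passes through
 *   untouched: no header is added and the incoming headers, including any
 *   client-sent `x-csrf-token`, are forwarded as-is. Downstream must treat
 *   that header as the client's submission to compare against the cookie,
 *   never as a server-issued value.
 * - Otherwise a fresh token is minted, forwarded to the downstream handler in
 *   the `x-csrf-token` request header (so it is usable on this same request,
 *   before the browser has stored the cookie), and set as an HttpOnly,
 *   SameSite=Strict cookie scoped to `/`.
 *
 * The request header is only populated when a token is freshly minted; on
 * later requests downstream must read the token from the cookie. Because the
 * cookie is HttpOnly, browser script cannot read it, so the server has to
 * surface the token to the client by some other route (e.g. rendering it
 * into the page).
 *
 * `secure` follows the COOKIE_SECURE env flag and is false unless that flag
 * is exactly 'true'.
 *
 * @param {import('next/server').NextRequest} request
 * @returns {import('next/server').NextResponse}
 */
export function proxy(request) {
  const existing = request.cookies.get(csrfCookieName)?.value;

  // Accept only a token of the exact shape this middleware mints. A missing,
  // empty or malformed cookie (e.g. one set by something other than this
  // code) is replaced rather than trusted, so downstream can rely on the
  // format. The regex has no /g flag, so reusing the literal is stateless.
  if (typeof existing === 'string' && /^[0-9a-f]{64}$/.test(existing)) {
    return NextResponse.next();
  }

  const nextToken = createToken();

  // Copy the incoming headers and overwrite x-csrf-token so the downstream
  // handler sees the minted value, not anything the client may have sent.
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-csrf-token', nextToken);

  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  response.cookies.set(csrfCookieName, nextToken, {
    httpOnly: true,
    sameSite: 'strict',
    secure: cookieSecure,
    path: '/',
  });

  return response;
}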
// Scope the proxy to the /manage subtree and everything beneath it; requests
// outside this matcher never receive a CSRF cookie from this code. Kept as a
// plain literal because Next.js evaluates `config.matcher` at build time.
export const config = {
  matcher: ['/manage/:path*'],
};