diff --git a/apps/scandic-web/middlewares/webView.ts b/apps/scandic-web/middlewares/webView.ts
index b24635bdc..abee15790 100644
--- a/apps/scandic-web/middlewares/webView.ts
+++ b/apps/scandic-web/middlewares/webView.ts
@@ -69,27 +69,21 @@ export const middleware: NextMiddleware = async (request) => {
 const authorizationToken = request.headers.get("X-Authorization")
 const webviewTokenCookie = request.cookies.get("webviewToken")
- if (
- (webviewTokenCookie && webviewTokenCookie.value === authorizationToken) ||
- (webviewTokenCookie && !authorizationToken)
- ) {
- // If the webviewToken cookie is present and matches the authorization token,
- // we can skip decryption and just rewrite the request with the existing cookie.
- // OR
- // If the webviewToken cookie is present but no authorization token is provided
- // we can skip the decryption and see if our cookie is valid.
- // This handles when the app is navigating between pages inside the webview
-
- return handleWebviewRewrite({
- nextUrl,
- headers,
- decryptedData: null,
- lang,
- setCookie: false,
- })
- }
- try {
+ if (webviewTokenCookie && !authorizationToken) {
+ // If the webviewToken cookie is present but no authorization token is provided
+ // we can skip the decryption and see if our cookie is valid.
+ // This handles when the app is navigating between pages inside the webview
+
+ return handleWebviewRewrite({
+ nextUrl,
+ headers,
+ decryptedData: null,
+ lang,
+ setCookie: false,
+ })
+ }
+
 // Authorization header is required for webviews
 // It should be base64 encoded
 if (!authorizationToken) {
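Review bot: The comment on the new cookie-only branch says we "see if our cookie is valid", but the branch hands handleWebviewRewrite `decryptedData: null` and `setCookie: false` without inspecting the cookie's value, so any validation must happen inside handleWebviewRewrite or further down, outside this hunk; the comment should state where the cookie is trusted instead of implying it is checked here. Wording that matches the visible code: `// Cookie present and no X-Authorization header: reuse the existing webviewToken cookie without decrypting; its value is not inspected at this point.` Note also that an empty X-Authorization header is falsy and takes this branch rather than reaching the `if (!authorizationToken)` check below. The middleware body continues outside the hunk.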
@@ -111,6 +105,19 @@ export const middleware: NextMiddleware = async (request) => {
 authorizationToken
 )
 
+ if (webviewTokenCookie && webviewTokenCookie.value === decryptedData) {
+ // If the webviewToken cookie is present and matches the authorization token,
+ // we can skip decryption and just rewrite the request with the existing cookie.
+
+ return handleWebviewRewrite({
+ nextUrl,
+ headers,
+ decryptedData: null,
+ lang,
+ setCookie: false,
+ })
+ }
+
 return handleWebviewRewrite({
 nextUrl,
 headers,
@@ -143,14 +150,18 @@ async function handleWebviewRewrite({
 const path = nextUrl.pathname
 
 if (myStayWebviews.includes(path)) {
- return NextResponse.next({
+ const res = NextResponse.next({
 request: { headers },
- ...(setCookie && {
- headers: {
- "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
- },
- }),
 })
+ if (decryptedData && setCookie) {
+ res.cookies.set("webviewToken", decryptedData, {
+ httpOnly: true,
+ secure: true,
+ sameSite: "strict",
+ path: "/",
+ })
+ }
+ return res
 }
 
 const pathNameWithoutLang = path.replace(`/${lang}/webview`, "")
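Review bot: The comment above the new early return is stale: it says "we can skip decryption", but by this point the token has already been decrypted (decryptedData is what the `if` compares against, and the lines just above appear to be the tail of that decrypt call), so the only thing skipped is re-issuing the cookie. Suggested wording: `// Cookie already carries this session's decrypted token: rewrite without re-issuing Set-Cookie.` The branch is otherwise identical to the `return handleWebviewRewrite({` that follows apart from `decryptedData: null` and `setCookie: false`; if handleWebviewRewrite uses decryptedData only for the cookie, the block collapses into `setCookie: !webviewTokenCookie || webviewTokenCookie.value !== decryptedData` on that final call — confirm against the parts of handleWebviewRewrite outside this hunk first.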
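Review bot: The cookie-setting block (`if (decryptedData && setCookie) { res.cookies.set(...) }` followed by `return res`) is pasted verbatim into the myStay branch here and twice more in the next hunk (the myPages and loyalty branches), so the cookie attributes now live in three places that can drift apart; extract one helper and call it from each branch. Using `res.cookies.set` instead of a hand-built Set-Cookie header is the right change, and the helper keeps the same `httpOnly`, `secure`, `sameSite: "strict"` and `path: "/"` attributes. `decryptedData` is typed below as `string | null` from how the callers pass it; align it with the parameter's declared type, which is outside the hunk.
```typescript
/** Persists a freshly decrypted webview token on `res` when the caller asked for it. */
function withWebviewCookie(
  res: NextResponse,
  decryptedData: string | null,
  setCookie: boolean
): NextResponse {
  if (decryptedData && setCookie) {
    res.cookies.set("webviewToken", decryptedData, {
      httpOnly: true,
      secure: true,
      sameSite: "strict",
      path: "/",
    })
  }
  return res
}

// … unchanged: handleWebviewRewrite up to the myStay branch …
  if (myStayWebviews.includes(path)) {
    return withWebviewCookie(
      NextResponse.next({ request: { headers } }),
      decryptedData,
      setCookie
    )
  }
// … unchanged: remaining branches, each calling withWebviewCookie the same way …
```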
@@ -165,31 +176,39 @@ async function handleWebviewRewrite({
 }
 
 if (myPagesWebviews.includes(path)) {
- return NextResponse.rewrite(
+ const res = NextResponse.rewrite(
 new URL(`/${lang}/webview/account-page/${uid}`, nextUrl),
 {
 request: { headers },
- ...(setCookie && {
- headers: {
- "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
- },
- }),
 }
 )
+ if (decryptedData && setCookie) {
+ res.cookies.set("webviewToken", decryptedData, {
+ httpOnly: true,
+ secure: true,
+ sameSite: "strict",
+ path: "/",
+ })
+ }
+ return res
 }
 
 if (loyaltyPagesWebviews.includes(path)) {
- return NextResponse.rewrite(
+ const res = NextResponse.rewrite(
 new URL(`/${lang}/webview/loyalty-page/${uid}`, nextUrl),
 {
 request: { headers },
- ...(setCookie && {
- headers: {
- "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
- },
- }),
 }
 )
+ if (decryptedData && setCookie) {
+ res.cookies.set("webviewToken", decryptedData, {
+ httpOnly: true,
+ secure: true,
+ sameSite: "strict",
+ path: "/",
+ })
+ }
+ return res
 }
 
 return notFound()