Merged in fix/webview-auth-fix (pull request #2833)

Fix/webview auth fix

* Test

* Merge branch 'master' of bitbucket.org:scandic-swap/web into fix/webview-auth-fix

* Setting cookie instead of headers


Approved-by: Anton Gunnarsson
Linus Flood
2025-09-19 12:55:53 +00:00
parent 7adb9ded46
commit 9c7904c9e0


@@ -69,27 +69,21 @@ export const middleware: NextMiddleware = async (request) => {
const authorizationToken = request.headers.get("X-Authorization")
const webviewTokenCookie = request.cookies.get("webviewToken")
if (
(webviewTokenCookie && webviewTokenCookie.value === authorizationToken) ||
(webviewTokenCookie && !authorizationToken)
) {
// If the webviewToken cookie is present and matches the authorization token,
// we can skip decryption and just rewrite the request with the existing cookie.
// OR
// If the webviewToken cookie is present but no authorization token is provided
// we can skip the decryption and see if our cookie is valid.
// This handles when the app is navigating between pages inside the webview
return handleWebviewRewrite({
nextUrl,
headers,
decryptedData: null,
lang,
setCookie: false,
})
}
try {
if (webviewTokenCookie && !authorizationToken) {
// If the webviewToken cookie is present but no authorization token is provided
// we can skip the decryption and see if our cookie is valid.
// This handles when the app is navigating between pages inside the webview
return handleWebviewRewrite({
nextUrl,
headers,
decryptedData: null,
lang,
setCookie: false,
})
}
// Authorization header is required for webviews
// It should be base64 encoded
if (!authorizationToken) {
@@ -111,6 +105,19 @@ export const middleware: NextMiddleware = async (request) => {
authorizationToken
)
if (webviewTokenCookie && webviewTokenCookie.value === decryptedData) {
// If the webviewToken cookie is present and matches the authorization token,
// we can skip decryption and just rewrite the request with the existing cookie.
return handleWebviewRewrite({
nextUrl,
headers,
decryptedData: null,
lang,
setCookie: false,
})
}
return handleWebviewRewrite({
nextUrl,
headers,
@@ -143,14 +150,18 @@ async function handleWebviewRewrite({
const path = nextUrl.pathname
if (myStayWebviews.includes(path)) {
return NextResponse.next({
const res = NextResponse.next({
request: { headers },
...(setCookie && {
headers: {
"Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
}),
})
if (decryptedData && setCookie) {
res.cookies.set("webviewToken", decryptedData, {
httpOnly: true,
secure: true,
sameSite: "strict",
path: "/",
})
}
return res
}
const pathNameWithoutLang = path.replace(`/${lang}/webview`, "")
@@ -165,31 +176,39 @@ async function handleWebviewRewrite({
}
if (myPagesWebviews.includes(path)) {
return NextResponse.rewrite(
const res = NextResponse.rewrite(
new URL(`/${lang}/webview/account-page/${uid}`, nextUrl),
{
request: { headers },
...(setCookie && {
headers: {
"Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
}),
}
)
if (decryptedData && setCookie) {
res.cookies.set("webviewToken", decryptedData, {
httpOnly: true,
secure: true,
sameSite: "strict",
path: "/",
})
}
return res
}
if (loyaltyPagesWebviews.includes(path)) {
return NextResponse.rewrite(
const res = NextResponse.rewrite(
new URL(`/${lang}/webview/loyalty-page/${uid}`, nextUrl),
{
request: { headers },
...(setCookie && {
headers: {
"Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
}),
}
)
if (decryptedData && setCookie) {
res.cookies.set("webviewToken", decryptedData, {
httpOnly: true,
secure: true,
sameSite: "strict",
path: "/",
})
}
return res
}
return notFound()
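Review bot: The comment on the new branch at the top of the second hunk (`// If the webviewToken cookie is present and matches the authorization token, // we can skip decryption and just rewrite the request with the existing cookie.`) is stale: the decrypt call has already run on the two lines above it, and the condition compares the cookie with `decryptedData`, so what this branch skips is re-issuing the cookie, not decryption. Suggest replacing those two lines with `// Cookie already holds the decrypted token: rewrite without setting it again.` That wording was accurate for the combined condition removed in the first hunk, which compared the cookie against the raw header before any decryption; the surviving cookie-only branch in the first hunk keeps the comment "see if our cookie is valid", but nothing in the visible hunks checks the cookie value on that path, so it may be worth stating where that validation happens. The cookie-setting block repeated three times in the third and fourth hunks (`res.cookies.set("webviewToken", decryptedData, { … })`) could be a small helper so the cookie attributes live in one place. The middleware function starts before the first hunk and handleWebviewRewrite starts before the third, so parts of both bodies are outside this view.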