fix: redirect users to /refresh on unauth and mod webview links

2024-05-16 16:57:22 +02:00
parent 777fd1e5b6
commit 9e4f41ee46
29 changed files with 358 additions and 105 deletions
--- a/middlewares/webView.ts
+++ b/middlewares/webView.ts
@@ -5,6 +5,7 @@ import { findLang } from "@/constants/languages"
 import {
  loyaltyPagesWebviews,
  myPagesWebviews,
+  refreshWebviews,
  webviews,
 } from "@/constants/routes/webviews"
 import { env } from "@/env/server"
@@ -19,9 +20,21 @@ export const middleware: NextMiddleware = async (request) => {
  const lang = findLang(nextUrl.pathname)

  const pathNameWithoutLang = nextUrl.pathname.replace(`/${lang}/webview`, "")
+  const headers = new Headers()
+
+  // If user is redirected to /lang/webview/refresh/, the webview token is invalid and we remove the cookie
+  if (refreshWebviews.includes(nextUrl.pathname)) {
+    headers.set(
+      "Set-Cookie",
+      `webviewToken=0; Max-Age=0; Secure; HttpOnly; Path=/; SameSite=Strict;`
+    )
+    return NextResponse.rewrite(new URL(`/${lang}/webview/refresh`, nextUrl), {
+      headers,
+    })
+  }
+
  const searchParams = new URLSearchParams(request.nextUrl.searchParams)
  searchParams.set("uri", pathNameWithoutLang)
-
  const webviewToken = request.cookies.get("webviewToken")
  if (webviewToken) {
    // since the token exists, this is a subsequent visit
@@ -42,27 +55,33 @@ export const middleware: NextMiddleware = async (request) => {
    }
  }

-  // Authorization header is required for webviews
-  // It should be base64 encoded
-  const authorization = request.headers.get("Authorization")!
-  if (!authorization) {
-    return badRequest()
-  }
-
-  // Initialization vector header is required for webviews
-  // It should be base64 encoded
-  const initializationVector = request.headers.get("X-AES-IV")!
-  if (!initializationVector) {
-    return badRequest()
-  }
-
  try {
+    // Authorization header is required for webviews
+    // It should be base64 encoded
+    const authorization = request.headers.get("Authorization")!
+    if (!authorization) {
+      return badRequest()
+    }
+
+    // Initialization vector header is required for webviews
+    // It should be base64 encoded
+    const initializationVector = request.headers.get("X-AES-IV")!
+    if (!initializationVector) {
+      return badRequest()
+    }
+
    const decryptedData = await decryptData(
      env.WEBVIEW_ENCRYPTION_KEY,
      initializationVector,
      authorization
    )

+    headers.set(
+      "Set-Cookie",
+      `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`
+    )
+    headers.set("Cookie", `webviewToken=${decryptedData}`)
+
    if (myPagesWebviews.includes(nextUrl.pathname)) {
      return NextResponse.rewrite(
        new URL(
@@ -70,10 +89,7 @@ export const middleware: NextMiddleware = async (request) => {
          nextUrl
        ),
        {
-          headers: {
-            "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
-            Cookie: `webviewToken=${decryptedData}`,
-          },
+          headers,
        }
      )
    } else if (loyaltyPagesWebviews.includes(nextUrl.pathname)) {
@@ -83,10 +99,7 @@ export const middleware: NextMiddleware = async (request) => {
          nextUrl
        ),
        {
-          headers: {
-            "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
-            Cookie: `webviewToken=${decryptedData}`,
-          },
+          headers,
        }
      )
    }