scandic/web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6b01dd9a8fb3a086ee016195f26f71178ace645a
web/apps/scandic-web/middlewares/webView.ts
Linus Flood 6b01dd9a8f Merged in feat/webview-user-issue (pull request #2793) 
Feat/webview user issue

* Added logging

* Test

* Cleanup


Approved-by: Joakim Jäderberg
2025-09-11 09:22:13 +00:00

203 lines
5.9 KiB
TypeScript
Raw Blame History

import { type NextMiddleware, NextResponse } from "next/server"
import { logger } from "@scandic-hotels/common/logger"
import { findLang } from "@scandic-hotels/common/utils/languages"
import { resolve as resolveEntry } from "@scandic-hotels/trpc/utils/entry"
import {
loyaltyPagesWebviews,
myPagesWebviews,
myStayWebviews,
refreshWebviews,
webviews,
} from "@/constants/routes/webviews"
import { env } from "@/env/server"
import { badRequest, internalServerError, notFound } from "@/server/errors/next"
import { decryptData } from "@/utils/aes"
import { getDefaultRequestHeaders } from "./utils"
import type { Lang } from "@scandic-hotels/common/constants/language"
import type { MiddlewareMatcher } from "@/types/middleware"
export const middleware: NextMiddleware = async (request) => {
const { nextUrl } = request
const lang = findLang(nextUrl.pathname)!
const loginTypeHeader = request.headers.get("loginType")
const loginTypeSearchParam = nextUrl.searchParams.get("loginType")
const adobeMc = nextUrl.searchParams.get("adobe_mc")
const headers = getDefaultRequestHeaders(request)
// LoginType is passed from the mobile app as a header and needs to be passed around with each subsequent
// request within webviews due to tracking. We set the loginType as a header and pass it along to future
// requests, and to read it from TRPC side (which is where the tracking object is created).
// The value is appended to all webview links as a search param, just like adobe_mc.
const loginType = loginTypeHeader || loginTypeSearchParam
if (loginType) {
headers.set("loginType", loginType)
}
// adobe_mc (Experience Cloud ID) needs to be passed around as a search param, which will be read
// from the URL by the tracking SDK. Adobe_mc is passed from the mobile app as a searchParam, and
// then passed to nextjs as a header. In the RSC, the adobe_mc is appended as a searchParam on each webview link.
if (adobeMc) {
headers.set("adobe_mc", adobeMc)
}
// If user is redirected to /lang/webview/refresh/, the webview token is invalid and we remove the cookie
if (refreshWebviews.includes(nextUrl.pathname)) {
return NextResponse.rewrite(
new URL(
`/${lang}/webview/refresh?${nextUrl.searchParams.toString()}`,
nextUrl
),
{
headers: {
"Set-Cookie": `webviewToken=0; Max-Age=0; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
request: {
headers,
},
}
)
}
const authorizationToken = request.headers.get("X-Authorization")
const webviewTokenCookie = request.cookies.get("webviewToken")
if (
(webviewTokenCookie && webviewTokenCookie.value === authorizationToken) ||
(webviewTokenCookie && !authorizationToken)
) {
// If the webviewToken cookie is present and matches the authorization token,
// we can skip decryption and just rewrite the request with the existing cookie.
// OR
// If the webviewToken cookie is present but no authorization token is provided
// we can skip the decryption and see if our cookie is valid.
// This handles when the app is navigating between pages inside the webview
return handleWebviewRewrite({
nextUrl,
headers,
decryptedData: null,
lang,
setCookie: false,
})
}
try {
// Authorization header is required for webviews
// It should be base64 encoded
if (!authorizationToken) {
logger.error("Authorization header is missing")
return badRequest("Authorization header is missing")
}
// Initialization vector header is required for webviews
// It should be base64 encoded
const initializationVector = request.headers.get("X-AES-IV")!
if (!initializationVector) {
logger.error("initializationVector header is missing")
return badRequest("initializationVector header is missing")
}
const decryptedData = await decryptData(
env.WEBVIEW_ENCRYPTION_KEY,
initializationVector,
authorizationToken
)
return handleWebviewRewrite({
nextUrl,
headers,
decryptedData,
lang,
setCookie: true,
})
} catch (e) {
if (e instanceof Error) {
logger.error(`Error in webView middleware - ${e.name}: ${e.message}`)
}
return badRequest()
}
}
async function handleWebviewRewrite({
nextUrl,
headers,
decryptedData,
lang,
setCookie,
}: {
nextUrl: URL
headers: Headers
decryptedData: string | null
lang: Lang
setCookie: boolean
}) {
const path = nextUrl.pathname
if (myStayWebviews.includes(path)) {
return NextResponse.next({
request: { headers },
...(setCookie && {
headers: {
"Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
}),
})
}
const pathNameWithoutLang = path.replace(`/${lang}/webview`, "")
const { uid, error } = await resolveEntry(pathNameWithoutLang, lang)
if (error) {
throw internalServerError(error)
}
if (uid) {
headers.set("x-uid", uid)
}
if (myPagesWebviews.includes(path)) {
return NextResponse.rewrite(
new URL(`/${lang}/webview/account-page/${uid}`, nextUrl),
{
request: { headers },
...(setCookie && {
headers: {
"Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
}),
}
)
}
if (loyaltyPagesWebviews.includes(path)) {
return NextResponse.rewrite(
new URL(`/${lang}/webview/loyalty-page/${uid}`, nextUrl),
{
request: { headers },
...(setCookie && {
headers: {
"Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
},
}),
}
)
}
return notFound()
}
export const matcher: MiddlewareMatcher = (request) => {
const { nextUrl } = request
return webviews.includes(nextUrl.pathname)
}
Reference in New Issue View Git Blame Copy Permalink