From bd49f4389b5b3db6473119c3bfe18191fcc1b0a5 Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 00:56:32 +0100 Subject: [PATCH 01/12] [DPCP-62] Alpha: Consolidate in www. (#19) * ar(fix) [DPCP-49]: Add Cache to APIs * ar(fix) [DPCP-49]: Adding Cache Layer * ar(fix) [DPCP-49]: Adding Cache Layer * ar(fix) [DPCP-49]: Adding Cache Layer * ar(fix) [DPCP-49]: Adding Cache Layer * ar(fix) [DPCP-49]: Adding Cache Layer * ar(fix) [DPCP-XX]: Consolidate Domain * ar(fix) [DPCP-XX]: Consolidate Domain --- lib/auth/constants.ts | 8 ++++---- lib/state/providers.tsx | 2 +- middleware.ts | 0 src/app/api/{ => v1}/auth/[...nextauth]/route.ts | 0 src/app/api/{ => v1}/auth/callback/apple/route.ts | 2 +- src/middleware.ts | 8 ++++++-- 6 files changed, 12 insertions(+), 8 deletions(-) delete mode 100644 middleware.ts rename src/app/api/{ => v1}/auth/[...nextauth]/route.ts (100%) rename src/app/api/{ => v1}/auth/callback/apple/route.ts (92%) diff --git a/lib/auth/constants.ts b/lib/auth/constants.ts index 4a4bb2cb..c80682ca 100644 --- a/lib/auth/constants.ts +++ b/lib/auth/constants.ts @@ -20,7 +20,7 @@ import { export const GetSession = async ({ cookies = '' }) => { try { - const response = await fetch(`${process.env.AUTH_URL}/api/auth/session`, { + const response = await fetch(`${process.env.AUTH_URL}/api/v1/auth/session`, { method: 'GET', headers: { Accept: 'application/json', @@ -183,10 +183,10 @@ export const authConfig = { }, trustHost: true, pages: { - signIn: '/signin', + signIn: '/dash/signin', signOut: '/', - error: '/error', // Error code passed in query string as ?error= - verifyRequest: '/verify', // (used for check email message) + error: '/dash/error', // Error code passed in query string as ?error= + verifyRequest: '/dash/verify', // (used for check email message) // newUser: '/' // New users will be directed here on first sign in (leave the property out if not of interest) }, } satisfies NextAuthConfig; 
diff --git a/lib/state/providers.tsx b/lib/state/providers.tsx index c7864128..73bfcbbe 100644 --- a/lib/state/providers.tsx +++ b/lib/state/providers.tsx @@ -23,7 +23,7 @@ export function RootProviders({ children }: { children: React.ReactNode }) { if (!authState?.initd) return; return ( - + {children} ); diff --git a/middleware.ts b/middleware.ts deleted file mode 100644 index e69de29b..00000000 diff --git a/src/app/api/auth/[...nextauth]/route.ts b/src/app/api/v1/auth/[...nextauth]/route.ts similarity index 100% rename from src/app/api/auth/[...nextauth]/route.ts rename to src/app/api/v1/auth/[...nextauth]/route.ts diff --git a/src/app/api/auth/callback/apple/route.ts b/src/app/api/v1/auth/callback/apple/route.ts similarity index 92% rename from src/app/api/auth/callback/apple/route.ts rename to src/app/api/v1/auth/callback/apple/route.ts index 18e4086b..d66820ae 100644 --- a/src/app/api/auth/callback/apple/route.ts +++ b/src/app/api/v1/auth/callback/apple/route.ts @@ -15,7 +15,7 @@ export async function POST(req: NextRequest) { const searchParams = new URLSearchParams(queryParams); const response = NextResponse.redirect( - `https://${req.headers.get('host')}/api/auth/callback/apple?${searchParams.toString()}`, + `https://${req.headers.get('host')}/api/v1/auth/callback/apple?${searchParams.toString()}`, { status: 302, }, diff --git a/src/middleware.ts b/src/middleware.ts index a9204fea..35b02269 100644 --- a/src/middleware.ts +++ b/src/middleware.ts 
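Review bot: The redirect target on the `+` line is assembled from `req.headers.get('host')`, so whatever arrives as the Host header decides where the form fields Apple posted (re-encoded as `searchParams`, presumably including the authorization code) are forwarded; if the edge in front of this route does not pin Host — and `trustHost: true` in lib/auth/constants.ts suggests the app itself does not validate it — a request with a forged Host becomes an open redirect that hands the OAuth response to another site. Derive the base from configuration instead of the request, e.g. `const base = process.env.AUTH_URL ? new URL(process.env.AUTH_URL).origin : 'https://' + req.headers.get('host');` and redirect to `base + '/api/v1/auth/callback/apple?' + searchParams.toString()`. The POST handler starts before and continues after this hunk, so whether `queryParams` is filtered before re-encoding is not visible here.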
@@ -17,9 +17,13 @@ export const config = { }; const headers: Record = { - // 'content-type': 'application/json', - 'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://alpha.dreampip.com', + // 'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://alpha.dreampip.com', 'Cache-Control': 'maxage=0, s-maxage=300, stale-while-revalidate=300', + // DEV-DEBUG: + // 'content-type': 'application/json', + 'Access-Control-Allow-Origin': 'https://beta.dreampip.com', + 'Access-Control-Allow-Credentials': 'true', + 'Access-Control-Allow-Headers': '*', }; export default async function middleware(request: NextRequest) { From 5c3275562285d83052420f8b87877e248b0a9aa6 Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 02:30:34 +0200 Subject: [PATCH 02/12] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ca7ce41a..494dc68f 100644 --- a/README.md +++ b/README.md @@ -19,3 +19,4 @@ License: HPL3-ECO-AND-ANC 2021—Present Purizu di Angelo Reale Caldeira de Lemos dba DreamPip IT02925300903 + From 1bfe350bd6d2bf695e4422b92b6cef90a4822e8b Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 12:59:16 +0100 Subject: [PATCH 03/12] ar(fix) [DPCP-73]: Fix Auth headers --- README.md | 1 - src/middleware.ts | 8 +++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 494dc68f..ca7ce41a 100644 --- a/README.md +++ b/README.md @@ -19,4 +19,3 @@ License: HPL3-ECO-AND-ANC 2021—Present Purizu di Angelo Reale Caldeira de Lemos dba DreamPip IT02925300903 - diff --git a/src/middleware.ts b/src/middleware.ts index 35b02269..89eb83d6 100644 --- a/src/middleware.ts +++ b/src/middleware.ts 
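Review bot: The added `'Access-Control-Allow-Credentials': 'true'` together with `'Access-Control-Allow-Headers': '*'` does not do what it looks like: in credentialed mode browsers treat `*` as the literal header name, so any preflight that asks for a non-safelisted header (`Authorization`, or `Content-Type: application/json`) is refused. List the headers explicitly, e.g. `'Access-Control-Allow-Headers': 'Content-Type, Authorization'`. These headers are merged into every `/api/*` response next to the existing `Cache-Control: ... s-maxage=300`, so a credentialed, per-user response may be stored at the shared cache for five minutes and served to another user unless the route overrides it; add `'Vary': 'Cookie, Origin'` here or mark authenticated responses `private`. Replacing the env-driven origin with the hard-coded `https://beta.dreampip.com` also drops the `MAIN_URL` override, and the `// DEV-DEBUG:` marker above it suggests this block was not meant to ship as-is.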
@@ -33,9 +33,11 @@ export default async function middleware(request: NextRequest) { // const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip); - Object.keys(headers).forEach((key: string) => { - response.headers.set(key, headers[key]); - }); + if (!request?.url?.includes('auth')) { + Object.keys(headers).forEach((key: string) => { + response.headers.set(key, headers[key]); + }); + } // return success ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url)); return response ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url)); From bfd4fb271048e97bd8a852cb9434a189d8bb3a22 Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 13:13:59 +0100 Subject: [PATCH 04/12] ar(fix) [DPCP-73]: Fix Auth headers --- lib/auth/constants.ts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/auth/constants.ts b/lib/auth/constants.ts index c80682ca..80615116 100644 --- a/lib/auth/constants.ts +++ b/lib/auth/constants.ts @@ -180,6 +180,15 @@ export const authConfig = { secure: true, }, }, + csrfToken: { + name: `__Host-next-auth.csrf-token`, + options: { + httpOnly: true, + sameSite: 'none', + path: '/', + secure: true, + }, + }, }, trustHost: true, pages: { From 5e905c49f2c33d533a4a7557761e334312ea195e Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 13:24:16 +0100 Subject: [PATCH 05/12] ar(fix) [DPCP-73]: Fix Auth headers --- lib/auth/constants.ts | 9 --------- 1 file changed, 9 deletions(-) diff --git a/lib/auth/constants.ts b/lib/auth/constants.ts index 80615116..c80682ca 100644 --- a/lib/auth/constants.ts +++ b/lib/auth/constants.ts 
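Review bot: `request?.url?.includes('auth')` tests the whole URL, query string included, so any caller can switch the CORS and caching headers off for an arbitrary endpoint by appending `?auth`, and a future route such as `/api/v1/author` would be excluded by accident; match the path instead: `if (!request.nextUrl.pathname.startsWith('/api/v1/auth/')) { ... }`. The intent — keep the Auth.js endpoints out of the credentialed CORS set — deserves a one-line comment, e.g. `// Auth.js routes manage their own headers; never expose them cross-origin`. The final `return response ? response : NextResponse.redirect(...)` can never take the redirect branch while `response` comes from `next()`, so the 404 fallback is dead code until the rate limiter is re-enabled. The middleware function starts before this hunk.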
@@ -180,15 +180,6 @@ export const authConfig = { secure: true, }, }, - csrfToken: { - name: `__Host-next-auth.csrf-token`, - options: { - httpOnly: true, - sameSite: 'none', - path: '/', - secure: true, - }, - }, }, trustHost: true, pages: { From d9e7b350b9fa14ef54f452f459b16817c64f04dc Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 17:56:14 +0100 Subject: [PATCH 06/12] ar(fix) [DPCP-62]: Consolidate Domain --- lib/auth/constants.ts | 9 +++++++++ patches/@auth+core+0.34.2.patch | 36 +++++++++++++++++++++++++++++++++ src/middleware.ts | 6 +++--- 3 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 patches/@auth+core+0.34.2.patch diff --git a/lib/auth/constants.ts b/lib/auth/constants.ts index c80682ca..2eb26104 100644 --- a/lib/auth/constants.ts +++ b/lib/auth/constants.ts @@ -180,6 +180,15 @@ export const authConfig = { secure: true, }, }, + csrfToken: { + name: `authjs.csrf-token`, + options: { + httpOnly: true, + // sameSite: 'none', + path: '/', + // secure: false, + }, + }, }, trustHost: true, pages: { diff --git a/patches/@auth+core+0.34.2.patch b/patches/@auth+core+0.34.2.patch new file mode 100644 index 00000000..6df4b76a --- /dev/null +++ b/patches/@auth+core+0.34.2.patch 
@@ -0,0 +1,36 @@ +diff --git a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js +index a35e8f0..2ca30ca 100644 +--- a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js ++++ b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js +@@ -14,15 +14,16 @@ import { MissingCSRF } from "../../../../errors.js"; + * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie + * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf + */ +-export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) { ++export async function createCSRFToken({ options, cookieValue, isPost, bodyValue }) { + if (cookieValue) { + const [csrfToken, csrfTokenHash] = cookieValue.split("|"); ++ const [bodyValueToken] = bodyValue.split("|"); + const expectedCsrfTokenHash = await createHash(`${csrfToken}${options.secret}`); + if (csrfTokenHash === expectedCsrfTokenHash) { + // If hash matches then we trust the CSRF token value + // If this is a POST request and the CSRF Token in the POST request matches + // the cookie we have already verified is the one we have set, then the token is verified! 
+- const csrfTokenVerified = isPost && csrfToken === bodyValue; ++ const csrfTokenVerified = isPost && csrfToken === bodyValueToken; + return { csrfTokenVerified, csrfToken }; + } + } +diff --git a/node_modules/@auth/core/lib/init.js b/node_modules/@auth/core/lib/init.js +index 5e4e758..4ed39b5 100644 +--- a/node_modules/@auth/core/lib/init.js ++++ b/node_modules/@auth/core/lib/init.js +@@ -107,7 +107,7 @@ export async function init({ authOptions, providerId, action, url, cookies: reqC + options.csrfTokenVerified = true; + } + else { +- const { csrfToken, cookie: csrfCookie, csrfTokenVerified, } = await createCSRFToken({ ++ const { csrfToken, cookie: csrfCookie, csrfTokenVerified } = await createCSRFToken({ + options, + cookieValue: reqCookies?.[options.cookies.csrfToken.name], + isPost, diff --git a/src/middleware.ts b/src/middleware.ts index 89eb83d6..477614ea 100644 --- a/src/middleware.ts +++ b/src/middleware.ts @@ -17,18 +17,18 @@ export const config = { }; const headers: Record = { - // 'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://alpha.dreampip.com', + 'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://www.dreampip.com', 'Cache-Control': 'maxage=0, s-maxage=300, stale-while-revalidate=300', // DEV-DEBUG: // 'content-type': 'application/json', - 'Access-Control-Allow-Origin': 'https://beta.dreampip.com', + // 'Access-Control-Allow-Origin': 'http://localhost:2999', 'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Headers': '*', }; export default async function middleware(request: NextRequest) { // You could alternatively limit based on user ID or similar - const response = next(); + const response = NextResponse.next(); const ip = ipAddress(request) || '127.0.0.1'; // const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip); From 02daaf4f894774992830da069ad1b3b87484f5eb Mon Sep 17 00:00:00 2001 
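Review bot: The new `const [bodyValueToken] = bodyValue.split("|");` runs for every request that carries the CSRF cookie, including GETs where no `csrfToken` body field exists, so `bodyValue` is `undefined` there and the call throws before the `isPost &&` check is ever reached; the line needs the tolerance the original comparison had, e.g. `const bodyValueToken = typeof bodyValue === 'string' ? bodyValue.split('|')[0] : undefined;`, which also covers a body parser handing back an array for a repeated field. The relaxed check now accepts `token|<anything>` from the client; that is still sound because the hash half was already verified against `options.secret` from the cookie, but the patch should state why a caller posts the raw cookie value at all — with `httpOnly: true` on the cookie that can only be a server-side relay, and that reasoning is what justifies hand-editing a CSRF check. The second file hunk (init.js) changes only a trailing comma and can be dropped.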
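Review bot: `'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://www.dreampip.com'` now backs a credentialed CORS response, and browsers accept the value only as an exact origin (`scheme://host[:port]`, no path, no trailing slash); if `MAIN_URL` is configured as a page URL the header is invalid and every cross-origin request fails. Normalise it once at module load: `const allowOrigin = new URL(process.env.MAIN_URL ?? 'https://www.dreampip.com').origin;`. Keeping `// 'Access-Control-Allow-Origin': 'http://localhost:2999'` under a `// DEV-DEBUG:` marker invites someone to uncomment it in production; a value gated on `process.env.NODE_ENV !== 'production'` is safer than a commented line.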
From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 18:11:18 +0100 Subject: [PATCH 07/12] ar(fix) [DPCP-62]: Consolidate Domain --- lib/auth/constants.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/auth/constants.ts b/lib/auth/constants.ts index 2eb26104..336d0d52 100644 --- a/lib/auth/constants.ts +++ b/lib/auth/constants.ts @@ -184,9 +184,9 @@ export const authConfig = { name: `authjs.csrf-token`, options: { httpOnly: true, - // sameSite: 'none', + sameSite: 'none', path: '/', - // secure: false, + secure: true, }, }, }, From d63a521678b1c24dad1f8549a53484d0bc2e5d3d Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 18:19:56 +0100 Subject: [PATCH 08/12] ar(fix) [DPCP-62]: Consolidate Domain --- patches/@auth+core+0.34.2.patch | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/patches/@auth+core+0.34.2.patch b/patches/@auth+core+0.34.2.patch index 6df4b76a..04d4f32f 100644 --- a/patches/@auth+core+0.34.2.patch +++ b/patches/@auth+core+0.34.2.patch @@ -1,5 +1,5 @@ diff --git a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js -index a35e8f0..2ca30ca 100644 +index a35e8f0..cf5ab1a 100644 --- a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js +++ b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js @@ -14,15 +14,16 @@ import { MissingCSRF } from "../../../../errors.js"; 
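Review bot: Setting `sameSite: 'none'` on `authjs.csrf-token` makes the CSRF cookie travel on every cross-site request, so the double-submit check now rests entirely on the secret-keyed hash and on the token never being readable from another origin; that holds only while `/api/v1/auth/csrf` stays outside the credentialed CORS set, which the middleware's substring check on `'auth'` appears to provide but nothing here enforces. Dropping the `__Host-` prefix used in the earlier, reverted attempt also gives up the guarantee that the cookie was set by this exact host: a sibling subdomain can plant an `authjs.csrf-token` cookie with a `Domain` attribute, which the hash check rejects but which can still shadow the legitimate cookie and break sign-in. If the prefix had to go for the cross-domain flow, record the trade-off on the cookie: `// SameSite=None so the www front-end can POST to the auth API cross-site; integrity rests on the secret-keyed hash half of the value`.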
@@ -9,8 +9,9 @@ index a35e8f0..2ca30ca 100644 -export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) { +export async function createCSRFToken({ options, cookieValue, isPost, bodyValue }) { if (cookieValue) { - const [csrfToken, csrfTokenHash] = cookieValue.split("|"); -+ const [bodyValueToken] = bodyValue.split("|"); +- const [csrfToken, csrfTokenHash] = cookieValue.split("|"); ++ const [csrfToken, csrfTokenHash] = cookieValue.split("|"); ++ const [bodyValueToken] = bodyValue?.split("|") || []; const expectedCsrfTokenHash = await createHash(`${csrfToken}${options.secret}`); if (csrfTokenHash === expectedCsrfTokenHash) { // If hash matches then we trust the CSRF token value @@ -30,7 +31,19 @@ index 5e4e758..4ed39b5 100644 } else { - const { csrfToken, cookie: csrfCookie, csrfTokenVerified, } = await createCSRFToken({ -+ const { csrfToken, cookie: csrfCookie, csrfTokenVerified } = await createCSRFToken({ ++ const { csrfToken, cookie: csrfCookie, csrfTokenVerified, } = await createCSRFToken({ options, cookieValue: reqCookies?.[options.cookies.csrfToken.name], isPost, +diff --git a/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts b/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts +index 337c1d6..8050f34 100644 +--- a/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts ++++ b/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts +@@ -31,6 +31,7 @@ export async function createCSRFToken({ + }: CreateCSRFTokenParams) { + if (cookieValue) { + const [csrfToken, csrfTokenHash] = cookieValue.split("|") ++ const [bodyValueToken] = bodyValue?.split("|") || [] + + const expectedCsrfTokenHash = await createHash( + `${csrfToken}${options.secret}` From 2bb44cf7d4e3a4111789952e049f5a5b12175409 Mon Sep 17 00:00:00 2001 
From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 18:22:54 +0100 Subject: [PATCH 09/12] ar(fix) [DPCP-62]: Consolidate Domain --- patches/@auth+core+0.34.2.patch | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/patches/@auth+core+0.34.2.patch b/patches/@auth+core+0.34.2.patch index 04d4f32f..76ec9f18 100644 --- a/patches/@auth+core+0.34.2.patch +++ b/patches/@auth+core+0.34.2.patch @@ -1,5 +1,5 @@ diff --git a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js -index a35e8f0..cf5ab1a 100644 +index a35e8f0..12fd7a1 100644 --- a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js +++ b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js @@ -14,15 +14,16 @@ import { MissingCSRF } from "../../../../errors.js"; @@ -9,8 +9,7 @@ index a35e8f0..cf5ab1a 100644 -export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) { +export async function createCSRFToken({ options, cookieValue, isPost, bodyValue }) { if (cookieValue) { -- const [csrfToken, csrfTokenHash] = cookieValue.split("|"); -+ const [csrfToken, csrfTokenHash] = cookieValue.split("|"); + const [csrfToken, csrfTokenHash] = cookieValue.split("|"); + const [bodyValueToken] = bodyValue?.split("|") || []; const expectedCsrfTokenHash = await createHash(`${csrfToken}${options.secret}`); if (csrfTokenHash === expectedCsrfTokenHash) { @@ -31,12 +30,12 @@ index 5e4e758..4ed39b5 100644 } else { - const { csrfToken, cookie: csrfCookie, csrfTokenVerified, } = await createCSRFToken({ -+ const { csrfToken, cookie: csrfCookie, csrfTokenVerified, } = await createCSRFToken({ ++ const { csrfToken, cookie: csrfCookie, csrfTokenVerified } = await createCSRFToken({ options, cookieValue: reqCookies?.[options.cookies.csrfToken.name], isPost, 
diff --git a/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts b/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts -index 337c1d6..8050f34 100644 +index 337c1d6..0034f30 100644 --- a/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts +++ b/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts @@ -31,6 +31,7 @@ export async function createCSRFToken({ @@ -47,3 +46,12 @@ index 337c1d6..8050f34 100644 const expectedCsrfTokenHash = await createHash( `${csrfToken}${options.secret}` +@@ -40,7 +41,7 @@ export async function createCSRFToken({ + // If hash matches then we trust the CSRF token value + // If this is a POST request and the CSRF Token in the POST request matches + // the cookie we have already verified is the one we have set, then the token is verified! +- const csrfTokenVerified = isPost && csrfToken === bodyValue ++ const csrfTokenVerified = isPost && csrfToken === bodyValueToken + + return { csrfTokenVerified, csrfToken } + } From e2fada628a5a7f661a5410c8c53bd2892bb8b461 Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 18:28:56 +0100 Subject: [PATCH 10/12] ar(fix) [DPCP-62]: Consolidate Domain --- patches/@auth+core+0.34.2.patch | 44 +++------------------------------ 1 file changed, 3 insertions(+), 41 deletions(-) diff --git a/patches/@auth+core+0.34.2.patch b/patches/@auth+core+0.34.2.patch index 76ec9f18..b1a3fe8a 100644 --- a/patches/@auth+core+0.34.2.patch +++ b/patches/@auth+core+0.34.2.patch @@ -1,13 +1,9 @@ diff --git a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js -index a35e8f0..12fd7a1 100644 +index a35e8f0..792a6ce 100644 --- a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js 
+++ b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js -@@ -14,15 +14,16 @@ import { MissingCSRF } from "../../../../errors.js"; - * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie - * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf - */ --export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) { -+export async function createCSRFToken({ options, cookieValue, isPost, bodyValue }) { +@@ -17,12 +17,13 @@ import { MissingCSRF } from "../../../../errors.js"; + export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) { if (cookieValue) { const [csrfToken, csrfTokenHash] = cookieValue.split("|"); + const [bodyValueToken] = bodyValue?.split("|") || []; 
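Review bot: `const [bodyValueToken] = bodyValue?.split("|") || [];` still assumes `bodyValue` is a string whenever it is defined, so a repeated form field or a JSON body carrying an array throws a TypeError inside CSRF validation and surfaces as a 500 rather than a `MissingCSRF` error; `const bodyValueToken = typeof bodyValue === 'string' ? bodyValue.split('|')[0] : undefined;` keeps the original's behaviour for non-strings. With the `src/*.ts` and init.js hunks removed the patch now covers only the compiled `lib/` file, which is what runs — worth one line in the patch header so nobody re-adds them. The file name pins the edit to `@auth/core` 0.34.2, so a dependency bump will fail to apply it (or, if the patch step is skipped, silently restore the strict comparison); the same header line should say why a client posts `token|hash` instead of the bare token, since that is the only reason this hand-edit of a security check exists.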
@@ -21,37 +17,3 @@ index a35e8f0..12fd7a1 100644 return { csrfTokenVerified, csrfToken }; } } -diff --git a/node_modules/@auth/core/lib/init.js b/node_modules/@auth/core/lib/init.js -index 5e4e758..4ed39b5 100644 ---- a/node_modules/@auth/core/lib/init.js -+++ b/node_modules/@auth/core/lib/init.js -@@ -107,7 +107,7 @@ export async function init({ authOptions, providerId, action, url, cookies: reqC - options.csrfTokenVerified = true; - } - else { -- const { csrfToken, cookie: csrfCookie, csrfTokenVerified, } = await createCSRFToken({ -+ const { csrfToken, cookie: csrfCookie, csrfTokenVerified } = await createCSRFToken({ - options, - cookieValue: reqCookies?.[options.cookies.csrfToken.name], - isPost, -diff --git a/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts b/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts -index 337c1d6..0034f30 100644 ---- a/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts -+++ b/node_modules/@auth/core/src/lib/actions/callback/oauth/csrf-token.ts -@@ -31,6 +31,7 @@ export async function createCSRFToken({ - }: CreateCSRFTokenParams) { - if (cookieValue) { - const [csrfToken, csrfTokenHash] = cookieValue.split("|") -+ const [bodyValueToken] = bodyValue?.split("|") || [] - - const expectedCsrfTokenHash = await createHash( - `${csrfToken}${options.secret}` -@@ -40,7 +41,7 @@ export async function createCSRFToken({ - // If hash matches then we trust the CSRF token value - // If this is a POST request and the CSRF Token in the POST request matches - // the cookie we have already verified is the one we have set, then the token is verified! -- const csrfTokenVerified = isPost && csrfToken === bodyValue -+ const csrfTokenVerified = isPost && csrfToken === bodyValueToken - - return { csrfTokenVerified, csrfToken } - } From 4b2205ea19dc46abaf215ca0759de215d3fea388 Mon Sep 17 00:00:00 2001 
From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 20:33:51 +0100 Subject: [PATCH 11/12] ar(fix) [DPCP-62]: Consolidate Domain --- src/middleware.ts | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/middleware.ts b/src/middleware.ts index 477614ea..4f8ec929 100644 --- a/src/middleware.ts +++ b/src/middleware.ts @@ -3,14 +3,14 @@ import type { NextRequest } from 'next/server'; import { next } from '@vercel/edge'; import { ipAddress } from '@vercel/functions'; -// import { kv } from '@vercel/kv'; +import { kv } from '@vercel/kv'; import { NextResponse } from 'next/server'; -// import { Ratelimit } from '@upstash/ratelimit'; +import { Ratelimit } from '@upstash/ratelimit'; -// const ratelimit = new Ratelimit({ -// redis: kv, -// limiter: Ratelimit.slidingWindow(10, '3 s'), -// }); +const ratelimit = new Ratelimit({ + redis: kv, + limiter: Ratelimit.slidingWindow(10, '3 s'), +}); export const config = { matcher: ['/api/:path*'], @@ -31,7 +31,7 @@ export default async function middleware(request: NextRequest) { const response = NextResponse.next(); const ip = ipAddress(request) || '127.0.0.1'; - // const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip); + const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip); if (!request?.url?.includes('auth')) { Object.keys(headers).forEach((key: string) => { @@ -39,6 +39,6 @@ export default async function middleware(request: NextRequest) { }); } - // return success ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url)); - return response ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url)); + return success ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url)); + // return response ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url)); } 
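Review bot: When `success` is false the request is answered with a 302 to `https://www.dreampip.com/404`, so a throttled client (and any browser fetch following the redirect) sees page-not-found instead of a rate-limit signal; return 429 with the values the limiter already hands back: `return new NextResponse('Too Many Requests', { status: 429, headers: { 'Retry-After': String(Math.ceil((reset - Date.now()) / 1000)), 'X-RateLimit-Limit': String(limit), 'X-RateLimit-Remaining': String(remaining) } });`. `pending` is destructured but never awaited; on an edge runtime the limiter's background write can be cut off when the response is sent, so hand it to the platform's `waitUntil` (or `await pending`) before returning. `ipAddress(request) || '127.0.0.1'` funnels every request without a resolvable address into one shared bucket of 10 per 3 s, which turns a missing header into a self-inflicted outage; consider failing open for unknown IPs or keying on a forwarded header you trust. `Ratelimit.slidingWindow(10, '3 s')` also applies to the Auth.js callback paths matched by `/api/:path*`, so a single sign-in page issuing several parallel API calls may already trip it — a comment on how the number was chosen would help.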
From 2f6e9114a9af7916ede6e7f5ef341bc1acf8b77c Mon Sep 17 00:00:00 2001 From: Angelo Reale <12191809+angeloreale@users.noreply.github.com> Date: Wed, 7 Aug 2024 20:36:44 +0100 Subject: [PATCH 12/12] ar(fix) [DPCP-62]: Consolidate Domain --- src/middleware.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/middleware.ts b/src/middleware.ts index 4f8ec929..d8e78732 100644 --- a/src/middleware.ts +++ b/src/middleware.ts @@ -28,7 +28,7 @@ const headers: Record = { export default async function middleware(request: NextRequest) { // You could alternatively limit based on user ID or similar - const response = NextResponse.next(); + const response = next(); const ip = ipAddress(request) || '127.0.0.1'; const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip);
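Review bot: The reason for preferring `next()` from `@vercel/edge` over `NextResponse.next()` on the `+` line is not recorded, and this series has already switched between the two once, so the next maintainer is likely to flip it again. Add a one-line comment above it stating the concrete reason — presumably which of the two lets the `response.headers.set(...)` calls below take effect on this runtime — e.g. `// next() from @vercel/edge: its Response accepts the header injection below (NextResponse.next() did not here)`, adjusted to whatever was actually observed.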