ciphera-net/pulse
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 15 Wiki Activity
Files
bce56fa64dbc7f2d83ff06372c67443af99e9996
pulse/middleware.ts
Usman Baig b0c15d6464 Fix: allow script.js to load without auth for embedded sites (Shopify) 
- Add /script.js to PUBLIC_ROUTES in middleware
- Fixes 307 redirect to /login when tracking script loads from third-party sites

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-25 21:15:09 +01:00

69 lines
1.9 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
const PUBLIC_ROUTES = new Set([
'/',
'/login',
'/signup',
'/auth/callback',
'/pricing',
'/features',
'/about',
'/faq',
'/changelog',
'/installation',
'/script.js', // * Tracking script must load without auth for embedded sites (Shopify, etc.)
])
const PUBLIC_PREFIXES = [
'/share/',
'/integrations',
'/docs',
]
function isPublicRoute(pathname: string): boolean {
if (PUBLIC_ROUTES.has(pathname)) return true
return PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix))
}
const AUTH_ONLY_ROUTES = new Set(['/login', '/signup'])
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl
const hasAccess = request.cookies.has('access_token')
const hasRefresh = request.cookies.has('refresh_token')
const hasSession = hasAccess || hasRefresh
// * Authenticated user (with access token) hitting /login or /signup → send them home.
// * Only check access_token; stale refresh_token alone must not block login (fixes post-inactivity sign-in).
if (hasAccess && AUTH_ONLY_ROUTES.has(pathname)) {
return NextResponse.redirect(new URL('/', request.url))
}
// * Public route → allow through
if (isPublicRoute(pathname)) {
return NextResponse.next()
}
// * Protected route without a session → redirect to login
if (!hasSession) {
const loginUrl = new URL('/login', request.url)
return NextResponse.redirect(loginUrl)
}
return NextResponse.next()
}
export const config = {
matcher: [
/*
* Match all routes except:
* - _next/static, _next/image (Next.js internals)
* - favicon.ico, manifest.json, icons, images (static assets)
* - api routes (handled by their own auth)
*/
'/((?!_next/static|_next/image|favicon\\.ico|manifest\\.json|.*\\.png$|.*\\.svg$|.*\\.ico$|api/).*)',
],
}
Reference in New Issue View Git Blame Copy Permalink