Initial commit: Next.js rewrite of Super Bowl Squares app

Full rewrite of the legacy PHP/MySQL app using Next.js 14, PostgreSQL, Prisma, NextAuth, Tailwind CSS, and WebSocket-based live chat/grid updates. Deployed via Docker Compose with a custom Node.js server for WebSocket support. Fix chat display names by passing userId from the NextAuth session over WebSocket instead of attempting to read the HttpOnly session cookie (which is inaccessible to JavaScript). Server now looks up the user's first name from the database using the userId. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-17 17:34:50 -08:00
commit b4e89ea9ee
178 changed files with 12268 additions and 0 deletions
@@ -0,0 +1,56 @@
+import { withAuth } from 'next-auth/middleware';
+import { NextResponse } from 'next/server';
+
+export default withAuth(
+  function middleware(req) {
+    const { pathname } = req.nextUrl;
+    const token = req.nextauth.token;
+
+    // Admin routes require ADMIN or VIEWER role
+    if (pathname.startsWith('/admin')) {
+      if (token?.role !== 'ADMIN' && token?.role !== 'VIEWER') {
+        return NextResponse.redirect(new URL('/login', req.url));
+      }
+    }
+
+    // My-squares requires PLAYER or higher
+    if (pathname.startsWith('/my-squares')) {
+      if (!token?.role) {
+        return NextResponse.redirect(new URL('/login', req.url));
+      }
+    }
+
+    return NextResponse.next();
+  },
+  {
+    callbacks: {
+      authorized: ({ token, req }) => {
+        const { pathname } = req.nextUrl;
+        // Allow public routes without auth
+        if (
+          pathname === '/' ||
+          pathname === '/login' ||
+          pathname === '/register' ||
+          pathname === '/signup' ||
+          pathname === '/setup' ||
+          pathname.startsWith('/api/auth') ||
+          pathname.startsWith('/api/setup') ||
+          pathname.startsWith('/api/squares') ||
+          pathname.startsWith('/api/users') ||
+          pathname.startsWith('/_next') ||
+          pathname.startsWith('/images')
+        ) {
+          return true;
+        }
+        // All other routes require authentication
+        return !!token;
+      },
+    },
+  }
+);
+
+export const config = {
+  matcher: [
+    '/((?!_next/static|_next/image|favicon.ico|images).*)',
+  ],
+};