squares_game/src/middleware.ts
Philip d4c82867d4 Fix guest signup not showing payment info after purchase
/api/settings was missing from the middleware public routes allowlist,
causing unauthenticated (guest) requests to be blocked before reaching
the route handler. The error was silently caught, leaving settings null
and hiding the amount owed, payment methods, and payment instructions.
Logged-in users were unaffected as their session token passed middleware.

Also update CLAUDE.md to reflect the WebSocket userId-based auth change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 08:26:42 -08:00


import { withAuth } from 'next-auth/middleware';
import { NextResponse } from 'next/server';
/**
 * Next.js edge middleware for the squares game, built on next-auth's `withAuth`.
 *
 * Two layers run in order:
 *  1. `callbacks.authorized` decides whether a request may proceed at all.
 *     Paths in the public allowlist below pass with or without a session;
 *     every other matched path requires a session token.
 *  2. The `middleware` function then applies role checks for the `/admin` and
 *     `/my-squares` areas and redirects to `/login` when they fail. It only
 *     runs for requests that `authorized` let through.
 *
 * NOTE(review): the allowlist is prefix-based, so every route under
 * `/api/auth`, `/api/setup`, `/api/squares`, `/api/settings` and `/api/users`
 * reaches its handler without any session. Those handlers must enforce their
 * own authentication/authorization (e.g. an "already set up" guard on
 * `/api/setup`, per-user checks on `/api/users`); this file does not do it for
 * them.
 */

/** Paths that are public only when the pathname matches exactly. */
const PUBLIC_EXACT_PATHS = new Set(['/', '/login', '/register', '/signup', '/setup']);

/** Path prefixes under which every route is public. */
const PUBLIC_PATH_PREFIXES = [
  '/api/auth',
  '/api/setup',
  '/api/squares',
  '/api/settings',
  '/api/users',
  '/_next',
  '/images',
];

/** Roles permitted to enter the `/admin` area. */
const ADMIN_AREA_ROLES = new Set(['ADMIN', 'VIEWER']);

/** True when `pathname` needs no session to pass the `authorized` gate. */
function isPublicPath(pathname: string): boolean {
  if (PUBLIC_EXACT_PATHS.has(pathname)) {
    return true;
  }
  return PUBLIC_PATH_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

export default withAuth(
  function middleware(req) {
    const { pathname } = req.nextUrl;
    const role = req.nextauth.token?.role;
    // Both role failures below land on the login page of the same origin.
    const toLogin = () => NextResponse.redirect(new URL('/login', req.url));

    // /admin: only ADMIN and VIEWER may enter; any other (or missing) role is
    // sent to /login, even when the request carries a valid session.
    const isAdminAreaRole = typeof role === 'string' && ADMIN_AREA_ROLES.has(role);
    if (pathname.startsWith('/admin') && !isAdminAreaRole) {
      return toLogin();
    }

    // /my-squares: any assigned role is enough; a token with no role is bounced.
    if (pathname.startsWith('/my-squares') && !role) {
      return toLogin();
    }

    return NextResponse.next();
  },
  {
    callbacks: {
      // Public paths always pass; everything else needs a session token.
      authorized: ({ token, req }) => isPublicPath(req.nextUrl.pathname) || !!token,
    },
  }
);
// Which requests this middleware runs on. Next.js reads `config.matcher`
// statically at build time, so it must remain a plain literal here (no
// variables, helpers or spreads).
//
// The negative lookahead skips Next's static/image assets, the favicon and
// anything whose path starts with `images` (so `/images/*` never reaches the
// middleware at all, which makes the `/images` allowlist entry above
// effectively unreachable). Everything else — pages, `/api/*` and the rest of
// `/_next/*` — goes through the `authorized` callback above.
export const config = {
matcher: [
'/((?!_next/static|_next/image|favicon.ico|images).*)',
],
};