denshooter
0ae1883cf4
✅ Updated Admin Dashboard URL: - Changed the Admin Dashboard access path from `/admin` to `/manage` in multiple files for consistency. ✅ Enhanced Middleware Authentication: - Updated middleware to protect new admin routes including `/manage` and `/dashboard`. ✅ Implemented CSRF Protection: - Added CSRF token generation and validation for login and session validation routes. ✅ Introduced Rate Limiting: - Added rate limiting for admin routes and CSRF token requests to enhance security. ✅ Refactored Admin Page: - Created a new admin management page with improved authentication handling and user feedback. 🎯 Overall Improvements: - Strengthened security measures for admin access. - Improved user experience with clearer navigation and feedback. - Streamlined authentication processes for better performance.
58 lines
1.8 KiB
TypeScript
58 lines
1.8 KiB
TypeScript
import { NextResponse } from 'next/server';
|
|
import type { NextRequest } from 'next/server';
|
|
|
|
export function middleware(request: NextRequest) {
|
|
// Protect admin routes
|
|
if (request.nextUrl.pathname.startsWith('/admin') ||
|
|
request.nextUrl.pathname.startsWith('/dashboard') ||
|
|
request.nextUrl.pathname.startsWith('/manage') ||
|
|
request.nextUrl.pathname.startsWith('/control')) {
|
|
|
|
const authHeader = request.headers.get('authorization');
|
|
const basicAuth = process.env.ADMIN_BASIC_AUTH;
|
|
|
|
if (!basicAuth) {
|
|
return new NextResponse('Admin access not configured', { status: 500 });
|
|
}
|
|
|
|
if (!authHeader || !authHeader.startsWith('Basic ')) {
|
|
return new NextResponse('Authentication required', {
|
|
status: 401,
|
|
headers: {
|
|
'WWW-Authenticate': 'Basic realm="Admin Area"',
|
|
},
|
|
});
|
|
}
|
|
|
|
const credentials = authHeader.split(' ')[1];
|
|
const [username, password] = Buffer.from(credentials, 'base64').toString().split(':');
|
|
const [expectedUsername, expectedPassword] = basicAuth.split(':');
|
|
|
|
if (username !== expectedUsername || password !== expectedPassword) {
|
|
return new NextResponse('Invalid credentials', {
|
|
status: 401,
|
|
headers: {
|
|
'WWW-Authenticate': 'Basic realm="Admin Area"',
|
|
},
|
|
});
|
|
}
|
|
}
|
|
|
|
// For all other routes, continue with normal processing
|
|
return NextResponse.next();
|
|
}
|
|
|
|
export const config = {
|
|
matcher: [
|
|
/*
|
|
* Match all request paths except for the ones starting with:
|
|
* - api/email (email API routes)
|
|
* - api/health (health check)
|
|
* - _next/static (static files)
|
|
* - _next/image (image optimization files)
|
|
* - favicon.ico (favicon file)
|
|
* - api/auth (auth API routes - need to be processed)
|
|
*/
|
|
'/((?!api/email|api/health|_next/static|_next/image|favicon.ico|api/auth).*)',
|
|
],
|
|
}; |