portfolio/middleware.ts

import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

export function middleware(request: NextRequest) {
  // For /manage and /editor routes, the pages handle their own authentication
  // No middleware redirect needed - let the pages show login forms

  // Fix for 421 Misdirected Request with Nginx Proxy Manager
  // Ensure proper host header handling for reverse proxy
  const hostname = request.headers.get('host') || request.headers.get('x-forwarded-host') || '';
  
  // Add security headers to all responses
  const response = NextResponse.next();
  
  // Set proper headers for Nginx Proxy Manager
  if (hostname) {
    response.headers.set('X-Forwarded-Host', hostname);
    response.headers.set('X-Real-IP', request.headers.get('x-real-ip') || request.headers.get('x-forwarded-for') || '');
  }

  // Security headers (complementing next.config.ts headers)
  response.headers.set("X-DNS-Prefetch-Control", "on");
  response.headers.set("X-Frame-Options", "DENY");
  response.headers.set("X-Content-Type-Options", "nosniff");
  response.headers.set("X-XSS-Protection", "1; mode=block");
  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  response.headers.set(
    "Permissions-Policy",
    "camera=(), microphone=(), geolocation=()",
  );

  // Rate limiting headers for API routes
  if (request.nextUrl.pathname.startsWith("/api/")) {
    response.headers.set("X-RateLimit-Limit", "100");
    response.headers.set("X-RateLimit-Remaining", "99");
  }

  return response;
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api/email (email API routes)
     * - api/health (health check)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     * - api/auth (auth API routes - need to be processed)
     */
    "/((?!api/email|api/health|_next/static|_next/image|favicon.ico|api/auth).*)",
  ],
};