blackcanyontickets/src/middleware.ts
dzinesco dbf4b11e81 fix: Implement comprehensive edit event button functionality and resolve authentication issues
Major fixes and improvements:
- Fixed edit event button functionality with proper event handlers and DOM ready state checking
- Added status column to tickets table via Supabase migration to resolve 500 API errors
- Updated stats API to correctly calculate revenue from decimal price values
- Resolved authentication redirect loops by fixing cookie configuration for Docker environment
- Fixed Permissions-Policy header syntax errors
- Added comprehensive debugging and error handling for event management
- Implemented modal-based event editing with form validation and API integration
- Enhanced event data loading with proper error handling and user feedback

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-14 18:49:49 -06:00


import { defineMiddleware } from 'astro/middleware';
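/**
 * Matches a Host header value that is a plain hostname or bracketed IPv6
 * literal, optionally followed by a port. Anything else (slashes, '@',
 * whitespace, credentials) is rejected so that a request-controlled Host
 * can never steer the HTTPS redirect below to a foreign origin.
 */
const SAFE_HOST = /^(?:[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d{1,5})?$/i;

/**
 * Astro middleware that enforces HTTPS in production and stamps a baseline
 * set of security headers onto every response.
 *
 * Order of operations: optional HTTP→HTTPS redirect, then the downstream
 * handler via `next()`, then the headers are applied to its response.
 *
 * @param context - Astro API context (request, url, …).
 * @param next - Continues to the next middleware / route handler.
 * @returns A 301 redirect in production for plain-HTTP requests, otherwise
 *   the downstream response with the security headers added.
 */
export const onRequest = defineMiddleware(async (context, next) => {
  // Security headers applied to every response that comes back from next().
  const securityHeaders = {
    // HTTPS enforcement (browsers only honour HSTS on HTTPS responses)
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    // Legacy XSS auditor explicitly disabled. '1; mode=block' re-enabled a
    // filter that current browsers removed and that has been abused for
    // cross-site leaks; '0' is the recommended value. XSS is addressed by CSP.
    'X-XSS-Protection': '0',
    // Content type sniffing protection
    'X-Content-Type-Options': 'nosniff',
    // Frame options disabled - Using CSP frame-ancestors instead for Stripe compatibility
    // 'X-Frame-Options': 'SAMEORIGIN',
    // Referrer policy
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    // Content Security Policy - Temporarily relaxed for Stripe Connect debugging
    // NOTE(review): 'unsafe-inline' + 'unsafe-eval' + a bare https: in
    // script-src leaves this CSP with almost no protection against injected
    // scripts, and `frame-ancestors 'self' https:` lets any HTTPS origin frame
    // the site (clickjacking). Tighten both once the Stripe debugging is done,
    // ideally to explicit Stripe origins.
    'Content-Security-Policy': [
      "default-src 'self' https:",
      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:",
      "style-src 'self' 'unsafe-inline' https:",
      "font-src 'self' https:",
      "img-src 'self' data: https: blob:",
      "connect-src 'self' https: wss:",
      "frame-src 'self' https:",
      "frame-ancestors 'self' https:",
      "form-action 'self'",
      "base-uri 'self'",
      "object-src 'none'",
      "worker-src 'self' blob: https:"
    ].join('; '),
    // Permissions policy - Fixed syntax
    'Permissions-Policy': [
      'camera=()',
      'microphone=()',
      'geolocation=()',
      'payment=(self "https://js.stripe.com" "https://connect-js.stripe.com" "https://*.stripe.com")',
      'usb=()',
      'bluetooth=()',
      'magnetometer=()',
      'gyroscope=()',
      'accelerometer=()'
    ].join(', ')
  };

  // HTTPS redirect in production. Both `x-forwarded-proto` and `host` are
  // request-supplied, so the redirect target is only built from a Host value
  // that passes SAFE_HOST; a malformed Host simply falls through to normal
  // handling instead of producing a redirect to an attacker-chosen location.
  // NOTE(review): this also assumes the reverse proxy overwrites
  // x-forwarded-proto rather than forwarding a client-supplied one — confirm.
  if (process.env.NODE_ENV === 'production') {
    const proto = context.request.headers.get('x-forwarded-proto');
    const host = context.request.headers.get('host');
    if (proto === 'http' && host && SAFE_HOST.test(host)) {
      return Response.redirect(`https://${host}${context.url.pathname}${context.url.search}`, 301);
    }
  }

  // Continue with the request
  const response = await next();

  // Add security headers to the downstream response.
  // NOTE(review): responses created with Response.redirect() carry immutable
  // headers, on which headers.set() throws a TypeError; if route-level
  // redirects surface that, copy into a new Response before setting.
  for (const [name, value] of Object.entries(securityHeaders)) {
    response.headers.set(name, value);
  }
  return response;
});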