From 01198111ea49eda096a432efc474baa112f268e6 Mon Sep 17 00:00:00 2001 From: default Date: Sun, 7 Jun 2026 02:08:37 +0000 Subject: [PATCH] fix(build): remove duplicate proxy.ts (Next.js 16 uses middleware) Next.js 16 enforces 'one of middleware.ts OR proxy.ts' - both can't coexist. Our src/middleware.ts (Auth.js v5) is the canonical one; src/proxy.ts was the legacy dev_session auto-issuer. --- src/proxy.ts | 83 ---------------------------------------------------- 1 file changed, 83 deletions(-) delete mode 100644 src/proxy.ts diff --git a/src/proxy.ts b/src/proxy.ts deleted file mode 100644 index ab234e2..0000000 --- a/src/proxy.ts +++ /dev/null @@ -1,83 +0,0 @@ -import { NextResponse, type NextRequest } from "next/server"; - -/** - * Root-level proxy (formerly `middleware.ts`, renamed in Next.js 16). - * - * Routing policy: - * 1. `/admin/*` with no auth cookie + `ALLOW_DEV_LOGIN !== "false"` - * → set `dev_session=platform_admin` and let the request through. - * This makes `/admin` "just work" in dev/demo without any login - * UI gymnastics. - * 2. `/login` with an auth cookie (any flavour) - * → redirect to `/admin` so an authenticated user never sees the - * login form. - * 3. `/admin/*` (or `/protected-example`) with no auth cookie - * → redirect to `/login`. - * 4. Everything else → continue. - * - * Auth-cookie flavours recognised: - * - `dev_session` (dev auto-login, see above) - * - `rc_auth_uid` / `rc_uid` (legacy /api/login flow) - * - `authjs.session-token` / `__Secure-authjs.session-token` (Auth.js v5) - * - * The proxy only checks cookie *presence*. The real auth check (JWT - * signature decryption, admin role lookup) happens in - * `getAdminUser()` server-side. The proxy is just routing. - */ - -function isAuthenticated(request: NextRequest): boolean { - const dev = request.cookies.get("dev_session")?.value; - if ( - dev === "platform_admin" || - dev === "brand_admin" || - dev === "store_employee" - ) { - return true; - } - if (request.cookies.get("rc_auth_uid")?.value) return true; - if (request.cookies.get("rc_uid")?.value) return true; - if (request.cookies.get("authjs.session-token")?.value) return true; - if (request.cookies.get("__Secure-authjs.session-token")?.value) return true; - return false; -} - -export default function proxy(request: NextRequest) { - const { nextUrl } = request; - const isOnAdmin = nextUrl.pathname.startsWith("/admin"); - const isOnProtectedExample = nextUrl.pathname.startsWith( - "/protected-example" - ); - const isOnLogin = nextUrl.pathname === "/login"; - const authenticated = isAuthenticated(request); - - // ── 1. Dev auto-login for /admin/* ─────────────────────────────── - if (isOnAdmin && !authenticated) { - const allowDev = process.env.ALLOW_DEV_LOGIN !== "false"; - if (allowDev) { - const response = NextResponse.next(); - response.cookies.set("dev_session", "platform_admin", { - path: "/", - maxAge: 60 * 60 * 24, // 1 day - sameSite: "lax", - }); - return response; - } - } - - // ── 2. Bounce authenticated users away from /login ─────────────── - if (isOnLogin && isAuthenticated(request)) { - return NextResponse.redirect(new URL("/admin", nextUrl)); - } - - // ── 3. Gate protected routes ───────────────────────────────────── - if ((isOnAdmin || isOnProtectedExample) && !authenticated) { - return NextResponse.redirect(new URL("/login", nextUrl)); - } - - // ── 4. Everything else: continue ───────────────────────────────── - return NextResponse.next(); -} - -export const config = { - matcher: ["/admin/:path*", "/admin", "/login", "/protected-example"], -};