Claude VM
64bccdb4b0
Adds a public, no-auth endpoint at /api/version that returns:
{ commit, commitShort, buildTime, nodeEnv, cutover, nextVersion }
Build-time injection via GIT_COMMIT + BUILD_TIME ARG/ENV propagated
from compose build.args through Dockerfile builder + runner stages.
Excluded from middleware auth gating.
Deploy command (run on satra after git pull):
GIT_COMMIT=$(git rev-parse HEAD) \
BUILD_TIME=$(date -u +%FT%TZ) \
docker compose build architools
Without these env vars, falls back to "unknown" so the build never
fails; only the endpoint shows reduced info.
Useful for: confirming what's actually deployed after CI, cross-app
deploy correlation (api.gis.ac, eterra.live, orchestrator), uptime
monitors.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
64 lines
2.4 KiB
TypeScript
64 lines
2.4 KiB
TypeScript
import { getToken } from "next-auth/jwt";
|
|
import { NextRequest, NextResponse } from "next/server";
|
|
|
|
export async function middleware(request: NextRequest) {
|
|
// In development, skip auth enforcement (dev stub user handles it)
|
|
if (process.env.NODE_ENV === "development") {
|
|
return NextResponse.next();
|
|
}
|
|
|
|
const token = await getToken({
|
|
req: request,
|
|
secret: process.env.NEXTAUTH_SECRET,
|
|
});
|
|
|
|
// Authenticated — check for portal-only users
|
|
if (token) {
|
|
const { pathname } = request.nextUrl;
|
|
// Portal-only users: redirect to /portal when accessing main app
|
|
const portalUsers = (process.env.PORTAL_ONLY_USERS ?? "dtiurbe,d.tiurbe").split(",").map(s => s.trim().toLowerCase());
|
|
const tokenEmail = String(token.email ?? "").toLowerCase();
|
|
const tokenName = String(token.name ?? "").toLowerCase();
|
|
const isPortalUser = portalUsers.some(
|
|
(u) => tokenEmail.includes(u) || tokenName.includes(u),
|
|
);
|
|
if (isPortalUser && !pathname.startsWith("/portal") && !pathname.startsWith("/api/") && !pathname.startsWith("/auth/")) {
|
|
const baseUrl = process.env.NEXTAUTH_URL || "https://tools.beletage.ro";
|
|
return NextResponse.redirect(new URL("/portal", baseUrl));
|
|
}
|
|
return NextResponse.next();
|
|
}
|
|
|
|
const { pathname } = request.nextUrl;
|
|
|
|
// API routes: return 401 JSON instead of redirect
|
|
if (pathname.startsWith("/api/")) {
|
|
return NextResponse.json(
|
|
{ error: "Authentication required" },
|
|
{ status: 401 },
|
|
);
|
|
}
|
|
|
|
// Use NEXTAUTH_URL as base (request.url uses container's internal 0.0.0.0:3000)
|
|
const baseUrl = process.env.NEXTAUTH_URL || "https://tools.beletage.ro";
|
|
const callbackUrl = `${baseUrl}${pathname}${request.nextUrl.search}`;
|
|
|
|
// Redirect to custom sign-in page (auto-forwards to Authentik)
|
|
const signInUrl = new URL("/auth/signin", baseUrl);
|
|
signInUrl.searchParams.set("callbackUrl", callbackUrl);
|
|
return NextResponse.redirect(signInUrl);
|
|
}
|
|
|
|
export const config = {
|
|
matcher: [
|
|
/*
|
|
* Match all paths EXCEPT:
|
|
* - /api/auth/* (NextAuth endpoints — must be public for login flow)
|
|
* - /_next/* (Next.js internals: static files, HMR, chunks)
|
|
* - /favicon.ico, /robots.txt, /sitemap.xml
|
|
* - Files with extensions (images, fonts, etc.)
|
|
*/
|
|
"/((?!api/auth|api/version|api/notifications/digest|api/eterra/auto-refresh|api/compress-pdf|api/address-book|api/projects|auth/signin|_next|favicon\\.ico|robots\\.txt|sitemap\\.xml|.*\\..*).*)",
|
|
],
|
|
};
|