@payez/next-mvp 3.2.1 → 3.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -317,7 +317,8 @@ async function checkViability(request, endpoint, log) {
|
|
|
317
317
|
'Cache-Control': 'no-store',
|
|
318
318
|
'Cookie': request.headers.get('cookie') || ''
|
|
319
319
|
},
|
|
320
|
-
credentials: 'include'
|
|
320
|
+
credentials: 'include',
|
|
321
|
+
signal: AbortSignal.timeout(5000),
|
|
321
322
|
});
|
|
322
323
|
if (response.ok) {
|
|
323
324
|
const data = await response.json();
|
|
@@ -364,14 +365,17 @@ const RBAC_EXEMPT_PATHS = ['/error', '/unauthorized', '/service-unavailable'];
|
|
|
364
365
|
/** Handle 'allow' decision - run RBAC if enabled */
|
|
365
366
|
async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
|
|
366
367
|
const isPublic = (0, route_config_1.isUnauthenticatedRoute)(pathname);
|
|
367
|
-
if ((0, rbac_check_1.isRBACEnabled)() && !isPublic) {
|
|
368
|
+
if ((0, rbac_check_1.isRBACEnabled)() && !isPublic && sessionPointer.exists) {
|
|
368
369
|
// Skip RBAC for error/fallback pages to prevent redirect loops
|
|
369
370
|
if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
|
|
370
371
|
return server_1.NextResponse.next();
|
|
371
372
|
}
|
|
372
373
|
if (!sessionPointer.clientId) {
|
|
373
|
-
console.error('[MIDDLEWARE] RBAC: No clientId');
|
|
374
|
-
|
|
374
|
+
console.error('[MIDDLEWARE] RBAC: No clientId — returning 401');
|
|
375
|
+
if (pathname.startsWith('/api/')) {
|
|
376
|
+
return server_1.NextResponse.json({ error: 'Unauthorized — missing clientId for RBAC' }, { status: 401 });
|
|
377
|
+
}
|
|
378
|
+
return server_1.NextResponse.redirect(new URL('/unauthorized', request.url));
|
|
375
379
|
}
|
|
376
380
|
try {
|
|
377
381
|
const result = await (0, rbac_check_1.checkPagePermission)(pathname, sessionPointer.roles, sessionPointer.clientId);
|
|
@@ -419,7 +423,8 @@ async function handleRefresh(request, safeCallback, opts) {
|
|
|
419
423
|
'x-session-token': request.cookies.get((0, app_slug_1.getSessionCookieName)())?.value ||
|
|
420
424
|
request.cookies.get((0, app_slug_1.getSecureSessionCookieName)())?.value || ''
|
|
421
425
|
},
|
|
422
|
-
credentials: 'include'
|
|
426
|
+
credentials: 'include',
|
|
427
|
+
signal: AbortSignal.timeout(5000),
|
|
423
428
|
});
|
|
424
429
|
if (response.ok) {
|
|
425
430
|
const data = await response.json();
|
package/package.json
CHANGED
|
@@ -439,7 +439,8 @@ async function checkViability(
|
|
|
439
439
|
'Cache-Control': 'no-store',
|
|
440
440
|
'Cookie': request.headers.get('cookie') || ''
|
|
441
441
|
},
|
|
442
|
-
credentials: 'include'
|
|
442
|
+
credentials: 'include',
|
|
443
|
+
signal: AbortSignal.timeout(5000),
|
|
443
444
|
});
|
|
444
445
|
|
|
445
446
|
if (response.ok) {
|
|
@@ -515,15 +516,21 @@ async function handleAllow(
|
|
|
515
516
|
): Promise<NextResponse> {
|
|
516
517
|
const isPublic = isUnauthenticatedRoute(pathname);
|
|
517
518
|
|
|
518
|
-
if (isRBACEnabled() && !isPublic) {
|
|
519
|
+
if (isRBACEnabled() && !isPublic && sessionPointer.exists) {
|
|
519
520
|
// Skip RBAC for error/fallback pages to prevent redirect loops
|
|
520
521
|
if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
|
|
521
522
|
return NextResponse.next();
|
|
522
523
|
}
|
|
523
524
|
|
|
524
525
|
if (!sessionPointer.clientId) {
|
|
525
|
-
console.error('[MIDDLEWARE] RBAC: No clientId');
|
|
526
|
-
|
|
526
|
+
console.error('[MIDDLEWARE] RBAC: No clientId — returning 401');
|
|
527
|
+
if (pathname.startsWith('/api/')) {
|
|
528
|
+
return NextResponse.json(
|
|
529
|
+
{ error: 'Unauthorized — missing clientId for RBAC' },
|
|
530
|
+
{ status: 401 }
|
|
531
|
+
);
|
|
532
|
+
}
|
|
533
|
+
return NextResponse.redirect(new URL('/unauthorized', request.url));
|
|
527
534
|
}
|
|
528
535
|
|
|
529
536
|
try {
|
|
@@ -591,7 +598,8 @@ async function handleRefresh(
|
|
|
591
598
|
'x-session-token': request.cookies.get(getSessionCookieName())?.value ||
|
|
592
599
|
request.cookies.get(getSecureSessionCookieName())?.value || ''
|
|
593
600
|
},
|
|
594
|
-
credentials: 'include'
|
|
601
|
+
credentials: 'include',
|
|
602
|
+
signal: AbortSignal.timeout(5000),
|
|
595
603
|
});
|
|
596
604
|
|
|
597
605
|
if (response.ok) {
|
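Review bot: The added `&& sessionPointer.exists` in `if (isRBACEnabled() && !isPublic && sessionPointer.exists) {` means a non-public request with no session pointer now skips the RBAC block entirely and falls through to whatever handleAllow does next, which lies outside this hunk; unless an 'allow' decision is unreachable for an anonymous request to a protected route, that is a fail-open path, so the intent deserves a comment on that line such as `// No session → no roles to evaluate; anonymous access to protected routes must already be rejected before an 'allow' decision reaches here`. The new log line `'[MIDDLEWARE] RBAC: No clientId — returning 401'` is inaccurate for the page branch, which returns a redirect to /unauthorized rather than a 401; `'[MIDDLEWARE] RBAC: No clientId — rejecting request'` would describe both branches. In the checkViability and handleRefresh hunks, `signal: AbortSignal.timeout(5000),` makes fetch reject with a TimeoutError instead of resolving, so the catch handling that decides whether a timed-out upstream call denies or allows the request needs checking, and it is outside these hunks since both functions start and end beyond them. The 5000 literal is also repeated in both functions here and again in the compiled hunks earlier on the page; a single `const UPSTREAM_TIMEOUT_MS = 5000;` would keep them in step.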