velocitatem/cvfs
1
0
Fork 0
mirror of https://github.com/velocitatem/cvfs.git synced 2026-05-31 16:53:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(webapp): use Web Crypto API in middleware and drop node: prefix in auth route

Browse Source 
Middleware runs in Edge Runtime (no Node.js built-ins), so use
globalThis.crypto.subtle for HMAC verification. Route handler uses
`import { createHmac } from 'crypto'` without the node: prefix
which webpack cannot resolve during Next.js build.

https://claude.ai/code/session_01CdisLhbC2kVt2hxfJ7TNPf
This commit is contained in:
Claude
2026-04-03 13:59:09 +00:00
parent 01f34915f6
commit 8d72dfa09d
2 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/webapp/src/app/api/auth/login/route.ts
View File

@@ -1,12 +1,12 @@
import { NextRequest, NextResponse } from 'next/server';
import crypto from 'node:crypto';
import { createHmac } from 'crypto';
const SECRET = process.env.SESSION_SECRET ?? 'dev-secret-change-in-production';
const LOGIN_USER = process.env.LOGIN_USER ?? 'admin';
const LOGIN_PASS = process.env.LOGIN_PASS ?? 'admin';
function sign(value: string) {
return crypto.createHmac('sha256', SECRET).update(value).digest('hex');
return createHmac('sha256', SECRET).update(value).digest('hex');
}
export async function POST(req: NextRequest) {

20
apps/webapp/src/middleware.ts
View File

@@ -1,22 +1,28 @@
import { NextRequest, NextResponse } from 'next/server';
import crypto from 'node:crypto';
const SECRET = process.env.SESSION_SECRET ?? 'dev-secret-change-in-production';
function verifySession(token: string): boolean {
async function verifySession(token: string): Promise<boolean> {
const lastDot = token.lastIndexOf('.');
if (lastDot === -1) return false;
const payload = token.slice(0, lastDot);
const sig = token.slice(lastDot + 1);
const expected = crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
return sig === expected;
const sigHex = token.slice(lastDot + 1);
try {
const key = await globalThis.crypto.subtle.importKey(
'raw', new TextEncoder().encode(SECRET),
{ name: 'HMAC', hash: 'SHA-256' }, false, ['verify'],
);
const sigBytes = new Uint8Array((sigHex.match(/.{1,2}/g) ?? []).map(b => parseInt(b, 16)));
return await globalThis.crypto.subtle.verify('HMAC', key, sigBytes, new TextEncoder().encode(payload));
} catch { return false; }
}
export function middleware(req: NextRequest) {
export async function middleware(req: NextRequest) {
if (!req.nextUrl.pathname.startsWith('/dashboard')) return NextResponse.next();
const session = req.cookies.get('session')?.value;
const oidc = req.cookies.get('oidc_token')?.value;
if ((session && verifySession(session)) || oidc) return NextResponse.next();
if (oidc) return NextResponse.next();
if (session && await verifySession(session)) return NextResponse.next();
return NextResponse.redirect(new URL('/login', req.url));
}