Initial commit

middleware.ts

@@ -0,0 +1,45 @@
+import { auth } from "@/auth";
+import { NextResponse } from "next/server";
+
+export default auth((req) => {
+  const isLoggedIn = !!req.auth;
+  const pathname = req.nextUrl.pathname;
+
+  // Always allow auth API routes
+  if (pathname.startsWith("/api/auth")) return;
+
+  // Allow client review portal with token (no auth needed)
+  if (pathname.startsWith("/client/")) return;
+
+  // Allow token-gated client API routes (comments, approvals via review token)
+  if (pathname.startsWith("/api/client/")) return;
+
+  // Allow local file serving (needed for video playback in client portal)
+  if (pathname.startsWith("/api/files/")) return;
+
+  // Allow upload webhook endpoints
+  if (pathname.startsWith("/api/uploadthing")) return;
+
+  // Redirect logged-in users away from login page
+  if (pathname === "/login" && isLoggedIn) {
+    return NextResponse.redirect(new URL("/dashboard", req.url));
+  }
+
+  // Force password change: redirect to /settings until they set a new password
+  if (isLoggedIn && req.auth?.user?.mustChangePassword && pathname !== "/settings" && !pathname.startsWith("/api/") && !pathname.startsWith("/_next/")) {
+    return NextResponse.redirect(new URL("/settings", req.url));
+  }
+
+  // Redirect unauthenticated users to login
+  if (!isLoggedIn && pathname !== "/login") {
+    const loginUrl = new URL("/login", req.url);
+    loginUrl.searchParams.set("callbackUrl", pathname);
+    return NextResponse.redirect(loginUrl);
+  }
+});
+
+export const config = {
+  matcher: [
+    "/((?!_next/static|_next/image|favicon.ico|public|placeholder).*)",
+  ],
+};