import { auth } from "@/auth";
import { NextResponse } from "next/server";
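/**
 * Exact paths that are reachable without a session.
 * Kept so the old `startsWith("/api/auth")` / `startsWith("/api/uploadthing")`
 * still match their bare root path after the prefixes below were anchored.
 */
const PUBLIC_EXACT_PATHS = new Set([
  "/api/auth", // Auth.js handler root
  "/api/uploadthing", // upload webhook endpoint
]);

/**
 * Path prefixes that are reachable without a session.
 *
 * Every entry ends with "/" so the match stops at a segment boundary: a bare
 * `startsWith("/api/auth")` would also have made any route beginning with
 * "/api/auth" (say "/api/authors") public, which is wider than intended.
 */
const PUBLIC_PATH_PREFIXES = Object.freeze([
  "/api/auth/", // Auth.js sign-in / callback / session routes
  "/client/", // client review portal; the review token is checked by the portal itself, not here
  "/api/client/", // token-gated client API (comments, approvals); the route handler must verify the token
  "/api/files/", // local file serving for video playback in the client portal; no session check here
  "/api/uploadthing/", // upload webhook endpoints
]);

/**
 * Whether the middleware must let a request through without a session.
 *
 * @param {string} pathname - `req.nextUrl.pathname`
 * @returns {boolean} true for an exact public path or a segment-anchored public prefix
 */
function isPublicPath(pathname) {
  return (
    PUBLIC_EXACT_PATHS.has(pathname) ||
    PUBLIC_PATH_PREFIXES.some((prefix) => pathname.startsWith(prefix))
  );
}

/**
 * Route-level auth gate (Auth.js middleware wrapper).
 *
 * Order matters: public routes return early so nothing below applies to them,
 * the forced-password-change redirect runs before the generic login redirect,
 * and only requests selected by `config.matcher` reach this function at all.
 */
export default auth((req) => {
  const { pathname } = req.nextUrl;
  const isLoggedIn = !!req.auth;

  // Public routes skip every check below. Anything listed there is reachable
  // without a session, so its own handler has to enforce whatever token it
  // relies on — this middleware never inspects review tokens.
  if (isPublicPath(pathname)) return;

  // A signed-in user has no business on the login page.
  if (pathname === "/login" && isLoggedIn) {
    return NextResponse.redirect(new URL("/dashboard", req.url));
  }

  // Force password change: keep the user on /settings until they set a new one.
  // NOTE: /api/ and /_next/ are exempt so the settings page keeps working,
  // which also means such a user can still call any non-public /api/* route
  // with the session; the API side does not re-check this flag here.
  if (
    isLoggedIn &&
    req.auth?.user?.mustChangePassword &&
    pathname !== "/settings" &&
    !pathname.startsWith("/api/") &&
    !pathname.startsWith("/_next/")
  ) {
    return NextResponse.redirect(new URL("/settings", req.url));
  }

  // Everyone else without a session goes to /login, remembering where they were.
  // Only the pathname is carried (the query string is dropped, as before); it
  // always starts with "/", so whatever consumes callbackUrl should keep treating
  // it as a same-origin relative path rather than an absolute URL.
  if (!isLoggedIn && pathname !== "/login") {
    const loginUrl = new URL("/login", req.url);
    loginUrl.searchParams.set("callbackUrl", pathname);
    return NextResponse.redirect(loginUrl);
  }
});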
/**
 * Middleware matcher: every request not excluded here goes through the auth
 * gate above, so a miss in this list means a route is silently never checked.
 *
 * The negative lookahead is a bare prefix match. "_next/static", "_next/image"
 * and "favicon.ico" are specific enough, but "public" and "placeholder" also
 * exclude any route whose path merely *starts* with those strings (a
 * hypothetical "/publications" page would bypass the middleware entirely).
 * NOTE(review): if no such routes are meant to be public, anchoring them
 * (e.g. "public/") would narrow the exclusion — confirm what "placeholder"
 * refers to before changing it. Other /_next/ requests (e.g. /_next/data)
 * are not excluded and still reach the middleware.
 */
export const config = {
  matcher: [
    "/((?!_next/static|_next/image|favicon.ico|public|placeholder).*)",
  ],
};