43 lines
1.3 KiB
TypeScript
43 lines
1.3 KiB
TypeScript
// The single server-side gate. Runs for EVERY request to the deployed Bun/Nitro server
|
|
// (pages, the /api proxy, everything) before routing. Unauthenticated requests are
|
|
// redirected to /login (page navigations) or rejected 401 (/api). Fails CLOSED if
|
|
// PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
|
|
import {
|
|
defineEventHandler,
|
|
getRequestURL,
|
|
sendRedirect,
|
|
setResponseStatus,
|
|
useSession,
|
|
} from "h3";
|
|
import {
|
|
isPublicPath,
|
|
sessionConfig,
|
|
uiPassword,
|
|
type SessionData,
|
|
} from "../util/auth";
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
const { pathname } = getRequestURL(event);
|
|
if (isPublicPath(pathname)) return;
|
|
|
|
// Misconfigured: refuse everything rather than serve open on the LAN.
|
|
if (!uiPassword()) {
|
|
setResponseStatus(event, 503);
|
|
return { error: "auth not configured: set PUNKTFUNK_UI_PASSWORD" };
|
|
}
|
|
|
|
const session = await useSession<SessionData>(event, sessionConfig());
|
|
if (session.data.authenticated) return; // authenticated — let it through
|
|
|
|
if (pathname.startsWith("/api")) {
|
|
setResponseStatus(event, 401);
|
|
return { error: "unauthorized" };
|
|
}
|
|
// Page navigation → bounce to the login screen, remembering where they were headed.
|
|
return sendRedirect(
|
|
event,
|
|
`/login?next=${encodeURIComponent(pathname)}`,
|
|
302,
|
|
);
|
|
});
|