fix: keep traffic token out of page payload

apps/web/src/middleware.ts

@@ -9,6 +9,7 @@ import {
 } from "@/lib/admin-auth";
 
 const TRAFFIC_MONITOR_TOKEN = process.env.TRAFFIC_MONITOR_TOKEN?.trim();
+const TRAFFIC_MONITOR_COOKIE = "vw_traffic_monitor";
 
 export function middleware(request: NextRequest) {
   const url = request.nextUrl;
@@ -18,18 +19,33 @@ export function middleware(request: NextRequest) {
 
   if (isTrafficDashboard && process.env.NODE_ENV === "production") {
     const token = url.searchParams.get("token");
-    if (token && TRAFFIC_MONITOR_TOKEN && token === TRAFFIC_MONITOR_TOKEN) {
-      const cleanUrl = url.clone();
+    const headerToken = request.headers.get(ADMIN_TRAFFIC_TOKEN_HEADER);
+    const cookieToken = request.cookies.get(TRAFFIC_MONITOR_COOKIE)?.value;
+
+    if (TRAFFIC_MONITOR_TOKEN && (headerToken === TRAFFIC_MONITOR_TOKEN || cookieToken === TRAFFIC_MONITOR_TOKEN)) {
       const headers = stripClientAdminHeaders(request);
-      cleanUrl.searchParams.delete("token");
       headers.set(ADMIN_TRAFFIC_TOKEN_HEADER, TRAFFIC_MONITOR_TOKEN);
-      return NextResponse.rewrite(cleanUrl, {
+      return NextResponse.next({
         request: {
           headers,
         },
       });
     }
 
+    if (token && TRAFFIC_MONITOR_TOKEN && token === TRAFFIC_MONITOR_TOKEN) {
+      const cleanUrl = url.clone();
+      cleanUrl.searchParams.delete("token");
+      const response = NextResponse.redirect(cleanUrl);
+      response.cookies.set(TRAFFIC_MONITOR_COOKIE, TRAFFIC_MONITOR_TOKEN, {
+        httpOnly: true,
+        maxAge: 60 * 60,
+        path: "/traffic",
+        sameSite: "strict",
+        secure: true,
+      });
+      return response;
+    }
+
     const adminTrafficUrl = url.clone();
     adminTrafficUrl.pathname = "/admin/traffic";
     adminTrafficUrl.searchParams.delete("token");