From bbfe7409d3b063cfb7ac890c794e449361203fe7 Mon Sep 17 00:00:00 2001
From: OG T
Date: Thu, 11 Jun 2026 19:41:52 +0800
Subject: [PATCH] fix: keep traffic token out of page payload
---
 apps/web/src/middleware.ts | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 46b39c1..c2d3af7 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -9,6 +9,7 @@ import {
 } from "@/lib/admin-auth";
 const TRAFFIC_MONITOR_TOKEN = process.env.TRAFFIC_MONITOR_TOKEN?.trim();
+const TRAFFIC_MONITOR_COOKIE = "vw_traffic_monitor";
 export function middleware(request: NextRequest) {
 const url = request.nextUrl; 
@@ -18,18 +19,33 @@ export function middleware(request: NextRequest) {
 if (isTrafficDashboard && process.env.NODE_ENV === "production") {
 const token = url.searchParams.get("token");
- if (token && TRAFFIC_MONITOR_TOKEN && token === TRAFFIC_MONITOR_TOKEN) {
- const cleanUrl = url.clone();
+ const headerToken = request.headers.get(ADMIN_TRAFFIC_TOKEN_HEADER);
+ const cookieToken = request.cookies.get(TRAFFIC_MONITOR_COOKIE)?.value;
+
+ if (TRAFFIC_MONITOR_TOKEN && (headerToken === TRAFFIC_MONITOR_TOKEN || cookieToken === TRAFFIC_MONITOR_TOKEN)) {
 const headers = stripClientAdminHeaders(request);
- cleanUrl.searchParams.delete("token");
 headers.set(ADMIN_TRAFFIC_TOKEN_HEADER, TRAFFIC_MONITOR_TOKEN);
- return NextResponse.rewrite(cleanUrl, {
+ return NextResponse.next({
 request: {
 headers,
 },
 });
 }
+ if (token && TRAFFIC_MONITOR_TOKEN && token === TRAFFIC_MONITOR_TOKEN) {
+ const cleanUrl = url.clone();
+ cleanUrl.searchParams.delete("token");
+ const response = NextResponse.redirect(cleanUrl);
+ response.cookies.set(TRAFFIC_MONITOR_COOKIE, TRAFFIC_MONITOR_TOKEN, {
+ httpOnly: true,
+ maxAge: 60 * 60,
+ path: "/traffic",
+ sameSite: "strict",
+ secure: true,
+ });
+ return response;
+ }
+
 const adminTrafficUrl = url.clone();
 adminTrafficUrl.pathname = "/admin/traffic";
 adminTrafficUrl.searchParams.delete("token");
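Review bot: The header/cookie branch at the top of the hunk runs before the `?token=` redirect, so a browser that already holds the `vw_traffic_monitor` cookie and revisits a URL still carrying `?token=` is passed straight through by `NextResponse.next` with the token left in the request URL, which is what the commit title sets out to avoid. Moving the `if (token && TRAFFIC_MONITOR_TOKEN && token === TRAFFIC_MONITOR_TOKEN)` redirect block above the `headerToken`/`cookieToken` check makes every request carrying a valid token redirect to the clean URL (and refresh the cookie) before anything is served. Separately, the cookie value is the raw shared secret; storing a derived value instead (an HMAC of the token or an opaque session id) would mean a leaked cookie jar, log line or browser profile does not hand out the secret itself, and would let the comparison use a constant-time check where the runtime offers one. The `path: "/traffic"` cookie scope only works if `isTrafficDashboard`, which is defined outside the hunk, matches paths under `/traffic`; worth confirming, since a mismatch would silently fall through to the `/admin/traffic` redirect on every request. `middleware` begins before and ends after this hunk.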