cal.pub0.org/apps/web/middleware.ts

import { get } from "@vercel/edge-config";
import { collectEvents } from "next-collect/server";
import { NextMiddleware, NextResponse, userAgent } from "next/server";

import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
import { isIpInBanlist } from "@calcom/lib/getIP";
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";

const middleware: NextMiddleware = async (req) => {
  const url = req.nextUrl;

  if (!url.pathname.startsWith("/api")) {
    //
    // NOTE: When tRPC hits an error a 500 is returned, when this is received
    //       by the application the user is automatically redirected to /auth/login.
    //
    //     - For this reason our matchers are sufficient for an app-wide maintenance page.
    //
    try {
      // Check whether the maintenance page should be shown
      const isInMaintenanceMode = await get<boolean>("isInMaintenanceMode");
      // If is in maintenance mode, point the url pathname to the maintenance page
      if (isInMaintenanceMode) {
        req.nextUrl.pathname = `/maintenance`;
        return NextResponse.rewrite(req.nextUrl);
      }
    } catch (error) {
      // show the default page if EDGE_CONFIG env var is missing,
      // but log the error to the console
      // console.error(error);
    }
  }

  if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
    const callbackUrl = url.searchParams.get("callbackUrl");
    const { isBot } = userAgent(req);

    if (
      isBot ||
      (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) ||
      isIpInBanlist(req)
    ) {
      // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
      req.nextUrl.pathname = "/api/nope";
      return NextResponse.redirect(req.nextUrl);
    }
  }

  // Ensure that embed query param is there in when /embed is added.
  // query param is the way in which client side code knows that it is in embed mode.
  if (url.pathname.endsWith("/embed") && typeof url.searchParams.get("embed") !== "string") {
    url.searchParams.set("embed", "");
    return NextResponse.redirect(url);
  }

  // Don't 404 old routing_forms links
  if (url.pathname.startsWith("/apps/routing_forms")) {
    url.pathname = url.pathname.replace("/apps/routing_forms", "/apps/routing-forms");
    return NextResponse.rewrite(url);
  }

  if (url.pathname.startsWith("/auth/login")) {
    const moreHeaders = new Headers(req.headers);
    // Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages.
    moreHeaders.set("x-csp-enforce", "true");
    return NextResponse.next({
      request: {
        headers: moreHeaders,
      },
    });
  }

  return NextResponse.next();
};

export const config = {
  matcher: [
    "/api/collect-events/:path*",
    "/api/auth/:path*",
    "/apps/routing_forms/:path*",
    "/:path*/embed",
    "/auth/login",
  ],
};

export default collectEvents({
  middleware,
  ...nextCollectBasicSettings,
  cookieName: "__clnds",
  extend: extendEventData,
});
Feature/maintenance mode (#6930) * Implement maintenance mode with Vercel Edge Config * Error log is spam during development/ added \n in .env.example * Exclude _next, /api for /maintenance page * Re-instate previous config * rtl: begone * Added note to explain why /auth/login covers the maintenance page. --------- Co-authored-by: Omar López <zomars@me.com> 2023-02-08 21:51:58 +00:00			`import { get } from "@vercel/edge-config";`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00			`import { collectEvents } from "next-collect/server";`
DDOS mitigation updates 2022-08-16 19:50:09 +00:00			`import { NextMiddleware, NextResponse, userAgent } from "next/server";`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00
Whitelist only cal domain as callbackUrls 2022-08-16 19:55:50 +00:00			`import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";`
Implements quick ip banlist Debugs IP banlist Adds explainer for getIP util Adds collect-events to middleware filter Fixes middleware 2022-08-23 21:34:10 +00:00			`import { isIpInBanlist } from "@calcom/lib/getIP";`
Refactors EE code (#3490) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * WIP * WIP * Update index.ts * Fixes * Update workflow.tsx * Moved queries to lib * Moves QueryCell * Migrates MultiSelectCheckboxes * WIP * CryptoSection type fixes * WIP * Import fixes * Build fixes * Update app-providers.tsx * Build fixes * Upgrades hookform zod resolvers * Build fixes * Cleanup * Build fixes * Relocates QueryCell to ui * Moved List and SkeletonLoader * Revert QueryCell migration * Can't use QueryCell here * oops * CryptoSection cleanup * Update app-providers.tsx * Moved ee to features * ee to features/ee * Removes @calcom/ee * Adds possible feature locations * Build fixes * Migrates stripe to app-store lib * Colocates stripe imports * Update subscription.ts * Submodule sync Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-28 19:58:26 +00:00			`import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00
Adds middleware to get V2 early access (#3617) Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> 2022-08-09 09:21:15 +00:00			`const middleware: NextMiddleware = async (req) => {`
			`const url = req.nextUrl;`

Feature/maintenance mode (#6930) * Implement maintenance mode with Vercel Edge Config * Error log is spam during development/ added \n in .env.example * Exclude _next, /api for /maintenance page * Re-instate previous config * rtl: begone * Added note to explain why /auth/login covers the maintenance page. --------- Co-authored-by: Omar López <zomars@me.com> 2023-02-08 21:51:58 +00:00			`if (!url.pathname.startsWith("/api")) {`
			`//`
			`// NOTE: When tRPC hits an error a 500 is returned, when this is received`
			`// by the application the user is automatically redirected to /auth/login.`
			`//`
			`// - For this reason our matchers are sufficient for an app-wide maintenance page.`
			`//`
			`try {`
			`// Check whether the maintenance page should be shown`
			`const isInMaintenanceMode = await get<boolean>("isInMaintenanceMode");`
			`// If is in maintenance mode, point the url pathname to the maintenance page`
			`if (isInMaintenanceMode) {`
			req.nextUrl.pathname = `/maintenance`;
			`return NextResponse.rewrite(req.nextUrl);`
			`}`
			`} catch (error) {`
			`// show the default page if EDGE_CONFIG env var is missing,`
			`// but log the error to the console`
			`// console.error(error);`
			`}`
			`}`

Implements quick ip banlist Debugs IP banlist Adds explainer for getIP util Adds collect-events to middleware filter Fixes middleware 2022-08-23 21:34:10 +00:00			`if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {`
Avoid DDOS (#3871) 2022-08-16 17:15:13 +00:00			`const callbackUrl = url.searchParams.get("callbackUrl");`
DDOS mitigation updates 2022-08-16 19:50:09 +00:00			`const { isBot } = userAgent(req);`
Whitelist only cal domain as callbackUrls 2022-08-16 19:55:50 +00:00
			`if (`
			`isBot \|\|`
Implements quick ip banlist Debugs IP banlist Adds explainer for getIP util Adds collect-events to middleware filter Fixes middleware 2022-08-23 21:34:10 +00:00			`(callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) \|\|`
			`isIpInBanlist(req)`
Whitelist only cal domain as callbackUrls 2022-08-16 19:55:50 +00:00			`) {`
Avoid DDOS (#3871) 2022-08-16 17:15:13 +00:00			`// DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback`
Middleware rewrite shenanigans 2022-08-16 19:59:38 +00:00			`req.nextUrl.pathname = "/api/nope";`
			`return NextResponse.redirect(req.nextUrl);`
Avoid DDOS (#3871) 2022-08-16 17:15:13 +00:00			`}`
			`}`
Routing Forms Improvements - Rename routing_forms to routing-forms (#4546) * Animate fields list and routes list * Rename routing_forms slug to routing-forms * Add comments * Fixtypo * Add dropdown separator for consistency * Fix missing occurences of routing_forms and improve types for webhooks * Fix weird error about title child is an array * Fix webhook issues * Fix webhook tests and issues found during fixing them * Fix lint errors and warnings Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-09-22 17:23:43 +00:00
The links that can be directly given to embed should pre-render(Either SSG/SSR) (#4975) * Embed SSG and consistently pass embedType query param across pages * Embed fixes * Code cleanup * Add main class which tells embed which helps in identifying which area is outside the main content * remove any special optimization handling for routing forms * Add comments * Small fixes * Fix broken team booking page in embed * Fix Fallback message dark theme * TS Fixes * Fixes * Fix tests * Remove not required code Co-authored-by: Peer Richelsen <peeroke@gmail.com> 2022-10-19 21:25:03 +00:00			`// Ensure that embed query param is there in when /embed is added.`
			`// query param is the way in which client side code knows that it is in embed mode.`
			`if (url.pathname.endsWith("/embed") && typeof url.searchParams.get("embed") !== "string") {`
			`url.searchParams.set("embed", "");`
			`return NextResponse.redirect(url);`
			`}`

Routing Forms Improvements - Rename routing_forms to routing-forms (#4546) * Animate fields list and routes list * Rename routing_forms slug to routing-forms * Add comments * Fixtypo * Add dropdown separator for consistency * Fix missing occurences of routing_forms and improve types for webhooks * Fix weird error about title child is an array * Fix webhook issues * Fix webhook tests and issues found during fixing them * Fix lint errors and warnings Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-09-22 17:23:43 +00:00			`// Don't 404 old routing_forms links`
			`if (url.pathname.startsWith("/apps/routing_forms")) {`
			`url.pathname = url.pathname.replace("/apps/routing_forms", "/apps/routing-forms");`
			`return NextResponse.rewrite(url);`
			`}`

Beginning of Strict CSP Compliance (#6841) * Add CSP Support and enable it initially for Login page * Update README * Make sure that CSP is not enabled if CSP_POLICY isnt set * Add a new value for x-csp header that tells if instance has opted-in to CSP or not * Add more src to CSP * Fix typo in header name * Remove duplicate headers fn * Add https://eu.ui-avatars.com/api/ * Add CSP_POLICY to env.example 2023-02-06 22:50:08 +00:00			`if (url.pathname.startsWith("/auth/login")) {`
fix: add req.headers (#6921) Signed-off-by: Udit Takkar <udit.07814802719@cse.mait.ac.in> 2023-02-07 12:42:47 +00:00			`const moreHeaders = new Headers(req.headers);`
Beginning of Strict CSP Compliance (#6841) * Add CSP Support and enable it initially for Login page * Update README * Make sure that CSP is not enabled if CSP_POLICY isnt set * Add a new value for x-csp header that tells if instance has opted-in to CSP or not * Add more src to CSP * Fix typo in header name * Remove duplicate headers fn * Add https://eu.ui-avatars.com/api/ * Add CSP_POLICY to env.example 2023-02-06 22:50:08 +00:00			`// Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages.`
			`moreHeaders.set("x-csp-enforce", "true");`
			`return NextResponse.next({`
			`request: {`
			`headers: moreHeaders,`
			`},`
			`});`
			`}`

Backported 973e0a3..6ad0e23 (#3943) 2022-08-26 18:07:44 +00:00			`return NextResponse.next();`
Adds middleware to get V2 early access (#3617) Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> 2022-08-09 09:21:15 +00:00			`};`

fix: use matcher in middleware (#5304) Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-11-03 14:51:43 +00:00			`export const config = {`
Beginning of Strict CSP Compliance (#6841) * Add CSP Support and enable it initially for Login page * Update README * Make sure that CSP is not enabled if CSP_POLICY isnt set * Add a new value for x-csp header that tells if instance has opted-in to CSP or not * Add more src to CSP * Fix typo in header name * Remove duplicate headers fn * Add https://eu.ui-avatars.com/api/ * Add CSP_POLICY to env.example 2023-02-06 22:50:08 +00:00			`matcher: [`
			`"/api/collect-events/:path*",`
			`"/api/auth/:path*",`
			`"/apps/routing_forms/:path*",`
			`"/:path*/embed",`
			`"/auth/login",`
			`],`
fix: use matcher in middleware (#5304) Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-11-03 14:51:43 +00:00			`};`

Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00			`export default collectEvents({`
Adds middleware to get V2 early access (#3617) Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> 2022-08-09 09:21:15 +00:00			`middleware,`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00			`...nextCollectBasicSettings,`
			`cookieName: "__clnds",`
			`extend: extendEventData,`
			`});`