cal.pub0.org/apps/web/middleware.ts

import { collectEvents } from "next-collect/server";
import { NextMiddleware, NextResponse, userAgent } from "next/server";

import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
import { isIpInBanlist } from "@calcom/lib/getIP";
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";

const middleware: NextMiddleware = async (req) => {
  const url = req.nextUrl;

  if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
    const callbackUrl = url.searchParams.get("callbackUrl");
    const { isBot } = userAgent(req);

    if (
      isBot ||
      (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) ||
      isIpInBanlist(req)
    ) {
      // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
      req.nextUrl.pathname = "/api/nope";
      return NextResponse.redirect(req.nextUrl);
    }
  }

  // Ensure that embed query param is there in when /embed is added.
  // query param is the way in which client side code knows that it is in embed mode.
  if (url.pathname.endsWith("/embed") && typeof url.searchParams.get("embed") !== "string") {
    url.searchParams.set("embed", "");
    return NextResponse.redirect(url);
  }

  // Don't 404 old routing_forms links
  if (url.pathname.startsWith("/apps/routing_forms")) {
    url.pathname = url.pathname.replace("/apps/routing_forms", "/apps/routing-forms");
    return NextResponse.rewrite(url);
  }

  return NextResponse.next();
};

export const config = {
  matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"],
};

export default collectEvents({
  middleware,
  ...nextCollectBasicSettings,
  cookieName: "__clnds",
  extend: extendEventData,
});
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00			`import { collectEvents } from "next-collect/server";`
DDOS mitigation updates 2022-08-16 19:50:09 +00:00			`import { NextMiddleware, NextResponse, userAgent } from "next/server";`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00
Whitelist only cal domain as callbackUrls 2022-08-16 19:55:50 +00:00			`import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";`
Implements quick ip banlist Debugs IP banlist Adds explainer for getIP util Adds collect-events to middleware filter Fixes middleware 2022-08-23 21:34:10 +00:00			`import { isIpInBanlist } from "@calcom/lib/getIP";`
Refactors EE code (#3490) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * WIP * WIP * Update index.ts * Fixes * Update workflow.tsx * Moved queries to lib * Moves QueryCell * Migrates MultiSelectCheckboxes * WIP * CryptoSection type fixes * WIP * Import fixes * Build fixes * Update app-providers.tsx * Build fixes * Upgrades hookform zod resolvers * Build fixes * Cleanup * Build fixes * Relocates QueryCell to ui * Moved List and SkeletonLoader * Revert QueryCell migration * Can't use QueryCell here * oops * CryptoSection cleanup * Update app-providers.tsx * Moved ee to features * ee to features/ee * Removes @calcom/ee * Adds possible feature locations * Build fixes * Migrates stripe to app-store lib * Colocates stripe imports * Update subscription.ts * Submodule sync Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-28 19:58:26 +00:00			`import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00
Adds middleware to get V2 early access (#3617) Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> 2022-08-09 09:21:15 +00:00			`const middleware: NextMiddleware = async (req) => {`
			`const url = req.nextUrl;`

Implements quick ip banlist Debugs IP banlist Adds explainer for getIP util Adds collect-events to middleware filter Fixes middleware 2022-08-23 21:34:10 +00:00			`if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {`
Avoid DDOS (#3871) 2022-08-16 17:15:13 +00:00			`const callbackUrl = url.searchParams.get("callbackUrl");`
DDOS mitigation updates 2022-08-16 19:50:09 +00:00			`const { isBot } = userAgent(req);`
Whitelist only cal domain as callbackUrls 2022-08-16 19:55:50 +00:00
			`if (`
			`isBot \|\|`
Implements quick ip banlist Debugs IP banlist Adds explainer for getIP util Adds collect-events to middleware filter Fixes middleware 2022-08-23 21:34:10 +00:00			`(callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) \|\|`
			`isIpInBanlist(req)`
Whitelist only cal domain as callbackUrls 2022-08-16 19:55:50 +00:00			`) {`
Avoid DDOS (#3871) 2022-08-16 17:15:13 +00:00			`// DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback`
Middleware rewrite shenanigans 2022-08-16 19:59:38 +00:00			`req.nextUrl.pathname = "/api/nope";`
			`return NextResponse.redirect(req.nextUrl);`
Avoid DDOS (#3871) 2022-08-16 17:15:13 +00:00			`}`
			`}`
Routing Forms Improvements - Rename routing_forms to routing-forms (#4546) * Animate fields list and routes list * Rename routing_forms slug to routing-forms * Add comments * Fixtypo * Add dropdown separator for consistency * Fix missing occurences of routing_forms and improve types for webhooks * Fix weird error about title child is an array * Fix webhook issues * Fix webhook tests and issues found during fixing them * Fix lint errors and warnings Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-09-22 17:23:43 +00:00
The links that can be directly given to embed should pre-render(Either SSG/SSR) (#4975) * Embed SSG and consistently pass embedType query param across pages * Embed fixes * Code cleanup * Add main class which tells embed which helps in identifying which area is outside the main content * remove any special optimization handling for routing forms * Add comments * Small fixes * Fix broken team booking page in embed * Fix Fallback message dark theme * TS Fixes * Fixes * Fix tests * Remove not required code Co-authored-by: Peer Richelsen <peeroke@gmail.com> 2022-10-19 21:25:03 +00:00			`// Ensure that embed query param is there in when /embed is added.`
			`// query param is the way in which client side code knows that it is in embed mode.`
			`if (url.pathname.endsWith("/embed") && typeof url.searchParams.get("embed") !== "string") {`
			`url.searchParams.set("embed", "");`
			`return NextResponse.redirect(url);`
			`}`

Routing Forms Improvements - Rename routing_forms to routing-forms (#4546) * Animate fields list and routes list * Rename routing_forms slug to routing-forms * Add comments * Fixtypo * Add dropdown separator for consistency * Fix missing occurences of routing_forms and improve types for webhooks * Fix weird error about title child is an array * Fix webhook issues * Fix webhook tests and issues found during fixing them * Fix lint errors and warnings Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-09-22 17:23:43 +00:00			`// Don't 404 old routing_forms links`
			`if (url.pathname.startsWith("/apps/routing_forms")) {`
			`url.pathname = url.pathname.replace("/apps/routing_forms", "/apps/routing-forms");`
			`return NextResponse.rewrite(url);`
			`}`

Backported 973e0a3..6ad0e23 (#3943) 2022-08-26 18:07:44 +00:00			`return NextResponse.next();`
Adds middleware to get V2 early access (#3617) Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> 2022-08-09 09:21:15 +00:00			`};`

fix: use matcher in middleware (#5304) Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-11-03 14:51:43 +00:00			`export const config = {`
			`matcher: ["/api/collect-events/:path", "/api/auth/:path", "/apps/routing_forms/:path", "/:path/embed"],`
			`};`

Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00			`export default collectEvents({`
Adds middleware to get V2 early access (#3617) Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> 2022-08-09 09:21:15 +00:00			`middleware,`
Telemetry improvements (#2935) * next-collect initial setup * naming changes * WIP * WIP: added cookie name * telemetry update * fixes * telemetry eventTypes fix * tmp jitsu config for testing * tmp jitsu key update (for tests) * deploy commit * cookieName fixes * telemetry credentials update * NextCollect updated to latest canary; added TELEMETRY_KEY to config * TELEMETRY_KEY fix removed browser_user_agent field from event * removed _middleware.ts for test deploy * _middleware.ts restored * next-collect version bump * yarn.lock fix * Added license consent property, set default telemetry endpoint * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Switched to stable version of next-collect; restored LicenseProvider accidentally deleted during merge * Updated to latest version of next-collect * - Updated to latest version of next-collect - Few improvements in event collection: isTeamBooking for all events, page_url for all events - Do not send second page event on re-render of /team/[slug] * Revert booking confirmed tracking * Applied prettier + fix lint Co-authored-by: Art Sk <kirsan007@gmail.com> 2022-06-02 16:19:01 +00:00			`...nextCollectBasicSettings,`
			`cookieName: "__clnds",`
			`extend: extendEventData,`
			`});`