import { get } from "@vercel/edge-config"; import { collectEvents } from "next-collect/server"; import type { NextMiddleware } from "next/server"; import { NextResponse, userAgent } from "next/server"; import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants"; import { isIpInBanlist } from "@calcom/lib/getIP"; import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry"; const middleware: NextMiddleware = async (req) => { const url = req.nextUrl; const requestHeaders = new Headers(req.headers); if (isIpInBanlist(req) && url.pathname !== "/api/nope") { // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback req.nextUrl.pathname = "/api/nope"; return NextResponse.redirect(req.nextUrl); } if (!url.pathname.startsWith("/api")) { // // NOTE: When tRPC hits an error a 500 is returned, when this is received // by the application the user is automatically redirected to /auth/login. // // - For this reason our matchers are sufficient for an app-wide maintenance page. // try { // Check whether the maintenance page should be shown const isInMaintenanceMode = await get("isInMaintenanceMode"); // If is in maintenance mode, point the url pathname to the maintenance page if (isInMaintenanceMode) { req.nextUrl.pathname = `/maintenance`; return NextResponse.rewrite(req.nextUrl); } } catch (error) { // show the default page if EDGE_CONFIG env var is missing, // but log the error to the console // console.error(error); } } if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) { const callbackUrl = url.searchParams.get("callbackUrl"); const { isBot } = userAgent(req); if ( isBot || (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) || isIpInBanlist(req) ) { // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback req.nextUrl.pathname = "/api/nope"; return NextResponse.redirect(req.nextUrl); } } // Don't 404 old routing_forms links if (url.pathname.startsWith("/apps/routing_forms")) { url.pathname = url.pathname.replace("/apps/routing_forms", "/apps/routing-forms"); return NextResponse.rewrite(url); } if (url.pathname.startsWith("/api/trpc/")) { requestHeaders.set("x-cal-timezone", req.headers.get("x-vercel-ip-timezone") ?? ""); } if (url.pathname.startsWith("/auth/login")) { // Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages. requestHeaders.set("x-csp-enforce", "true"); } return NextResponse.next({ request: { headers: requestHeaders, }, }); }; export const config = { matcher: [ "/((?!_next|.*avatar.png$|favicon.ico$).*)", "/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed", "/api/trpc/:path*", "/auth/login", ], }; export default collectEvents({ middleware, ...nextCollectBasicSettings, cookieName: "__clnds", extend: extendEventData, });