afc6f5f3a8
- Add API key authentication middleware for all API endpoints - Fix path traversal vulnerability with screen parameter validation - Implement comprehensive input validation and sanitization - Create centralized security utilities in lib/security.ts - Add input validation for all stream and screen API endpoints - Prevent SQL injection with proper parameter validation - Add URL validation and string sanitization - Update documentation with security setup instructions - Pass all TypeScript type checks and ESLint validation Security improvements address critical vulnerabilities: - Authentication: Protect all API endpoints with API key - Path traversal: Validate screen names against allowlist - Input validation: Comprehensive validation with error details - XSS prevention: String sanitization and length limits 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
35 lines
No EOL
981 B
TypeScript
35 lines
No EOL
981 B
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
|
|
export function middleware(request: NextRequest) {
|
|
// Only protect API routes
|
|
if (request.nextUrl.pathname.startsWith('/api/')) {
|
|
// Allow OPTIONS requests for CORS preflight
|
|
if (request.method === 'OPTIONS') {
|
|
return NextResponse.next();
|
|
}
|
|
|
|
// Check for API key in header
|
|
const apiKey = request.headers.get('x-api-key');
|
|
const validKey = process.env.API_KEY;
|
|
|
|
// If API_KEY is not set in environment, skip authentication (development mode)
|
|
if (!validKey) {
|
|
console.warn('API_KEY not set in environment variables. API endpoints are unprotected!');
|
|
return NextResponse.next();
|
|
}
|
|
|
|
// Validate API key
|
|
if (!apiKey || apiKey !== validKey) {
|
|
return NextResponse.json(
|
|
{ error: 'Unauthorized. Valid API key required.' },
|
|
{ status: 401 }
|
|
);
|
|
}
|
|
}
|
|
|
|
return NextResponse.next();
|
|
}
|
|
|
|
export const config = {
|
|
matcher: '/api/:path*'
|
|
}; |