Login page only X-FRame-Options header
This commit is contained in:
parent
97fee864bf
commit
684ec40526
|
@ -1,13 +1,21 @@
|
|||
import { collectEvents } from "next-collect/server";
|
||||
import { NextMiddleware, NextResponse, userAgent } from "next/server";
|
||||
|
||||
import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
|
||||
import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL, IS_SELF_HOSTED } from "@calcom/lib/constants";
|
||||
import { isIpInBanlist } from "@calcom/lib/getIP";
|
||||
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
|
||||
|
||||
const middleware: NextMiddleware = async (req) => {
|
||||
const url = req.nextUrl;
|
||||
|
||||
//TODO: Might be a good idea to extract out all conditions where IS_SELF_HOSTED is handled in a Cal.config.ts file, so that self hosters can also enable this features just by modifying that config
|
||||
if (url.pathname.startsWith("/auth/login") && !IS_SELF_HOSTED) {
|
||||
console.log("Redirecting to login page");
|
||||
const response = NextResponse.next();
|
||||
response.headers.set("X-Frame-Options", "SAMEORIGIN");
|
||||
return response;
|
||||
}
|
||||
|
||||
if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
|
||||
const callbackUrl = url.searchParams.get("callbackUrl");
|
||||
const { isBot } = userAgent(req);
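Review bot: The log line `console.log("Redirecting to login page");` in the new `/auth/login` branch is misleading: nothing is redirected, the branch attaches `X-Frame-Options: SAMEORIGIN` to a pass-through `NextResponse.next()` response, and the message will be printed on every login page request. Replace it with a comment that states the intent, e.g. `// Hosted deployments only: forbid cross-origin framing of the login page (clickjacking).`, and drop the log or make it say what happens. The early `return response` also ends the middleware for that path, and the rest of the middleware body is outside this hunk, so confirm that none of the later checks (the file imports `isIpInBanlist`) are meant to apply to `/auth/login` as well.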
|
||||
|
@ -40,7 +48,13 @@ const middleware: NextMiddleware = async (req) => {
|
|||
};
|
||||
|
||||
export const config = {
|
||||
matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"],
|
||||
matcher: [
|
||||
"/api/collect-events/:path*",
|
||||
"/api/auth/:path*",
|
||||
"/apps/routing_forms/:path*",
|
||||
"/:path*/embed",
|
||||
"/auth/login",
|
||||
],
|
||||
};
|
||||
|
||||
export default collectEvents({
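Review bot: The new matcher entry `"/auth/login"` matches only that exact path, while the branch added in the first hunk tests `url.pathname.startsWith("/auth/login")`; the two should agree, either `"/auth/login/:path*"` in the matcher if sub-paths are meant to get the header, or `url.pathname === "/auth/login"` in the middleware. Since `config.matcher` is what gates whether the middleware runs at all, a path missed here silently receives no `X-Frame-Options` header, which is the kind of gap that is hard to notice later.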
|
||||
|
|
|
@ -263,28 +263,27 @@ const nextConfig = {
|
|||
return redirects;
|
||||
},
|
||||
async headers() {
|
||||
const ContentSecurityPolicy = `
|
||||
const ContentSecurityPolicyForCalHosted = `
|
||||
default-src 'self';
|
||||
script-src 'self';
|
||||
child-src app.cal.com;
|
||||
style-src 'self' app.cal.com;
|
||||
font-src 'self';
|
||||
`;
|
||||
return [
|
||||
{
|
||||
const redirects = [];
|
||||
|
||||
if (process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com") {
|
||||
redirects.push({
|
||||
source: "/:path*",
|
||||
headers: [
|
||||
{
|
||||
key: "X-Frame-Options",
|
||||
value: "SAMEORIGIN",
|
||||
},
|
||||
{
|
||||
key: "Content-Security-Policy",
|
||||
value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(),
|
||||
value: ContentSecurityPolicyForCalHosted.replace(/\s{2,}/g, " ").trim(),
|
||||
},
|
||||
],
|
||||
},
|
||||
];
|
||||
});
|
||||
}
|
||||
return redirects;
|
||||
},
|
||||
};
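Review bot: In the rewritten `headers()` the accumulator is named `redirects` (`const redirects = [];`, `redirects.push({ source: "/:path*", headers: [...] })`, `return redirects;`) although it holds header rules, not redirects; this reads as copied from the `redirects()` method whose `return redirects;` is the context at the top of the hunk, and it will mislead the next reader, so rename it to `headers` or `headerRules`. `ContentSecurityPolicyForCalHosted` carries no `frame-ancestors` directive, so framing protection on the hosted deployment rests entirely on `X-Frame-Options: SAMEORIGIN`; adding `frame-ancestors 'self';` to the policy gives the equivalent CSP-level control, which takes precedence over `X-Frame-Options` in browsers that honour both. A comment above the `if` would document the gate, e.g. `// Security headers are only emitted for the hosted app; self-hosted deployments configure their own.`, and it is worth noting that the `NEXT_PUBLIC_WEBAPP_URL` comparison is exact, so a trailing slash in the variable silently disables every header here.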
|
||||
|
||||
|
|