Login page only X-FRame-Options header
This commit is contained in:
parent
97fee864bf
commit
684ec40526
@ -1,13 +1,21 @@
import { collectEvents } from "next-collect/server";
import { collectEvents } from "next-collect/server";
import { NextMiddleware, NextResponse, userAgent } from "next/server";
import { NextMiddleware, NextResponse, userAgent } from "next/server";
import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL, IS_SELF_HOSTED } from "@calcom/lib/constants";
import { isIpInBanlist } from "@calcom/lib/getIP";
import { isIpInBanlist } from "@calcom/lib/getIP";
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
const middleware: NextMiddleware = async (req) => {
const middleware: NextMiddleware = async (req) => {
const url = req.nextUrl;
const url = req.nextUrl;
//TODO: Might be a good idea to extract out all conditions where IS_SELF_HOSTED is handled in a Cal.config.ts file, so that self hosters can also enable this features just by modifying that config
if (url.pathname.startsWith("/auth/login") && !IS_SELF_HOSTED) {
console.log("Redirecting to login page");
const response = NextResponse.next();
response.headers.set("X-Frame-Options", "SAMEORIGIN");
return response;
}
if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
const callbackUrl = url.searchParams.get("callbackUrl");
const callbackUrl = url.searchParams.get("callbackUrl");
const { isBot } = userAgent(req);
const { isBot } = userAgent(req);
@ -40,7 +48,13 @@ const middleware: NextMiddleware = async (req) => {
};
};
export const config = {
export const config = {
matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"],
matcher: [
"/api/collect-events/:path*",
"/api/auth/:path*",
"/apps/routing_forms/:path*",
"/:path*/embed",
"/auth/login",
],
};
};
export default collectEvents({
export default collectEvents({
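Review bot: The log line `console.log("Redirecting to login page");` misreports what the new branch does — it calls `NextResponse.next()` and sets a header, it never redirects — and it will fire on every request to /auth/login. Either drop it or make it accurate, e.g. `console.log("Setting X-Frame-Options on login page");`. The early `return response` also bypasses whatever the rest of the middleware does between the two hunks (old lines 13–40 are not shown), which is presumably fine because /auth/login was not in the matcher before, but that is worth confirming. Since this commit removes the site-wide X-Frame-Options header from the Next config, the `!IS_SELF_HOSTED` guard leaves self-hosted instances with no framing protection on the login page at all; a comment stating that trade-off next to the TODO would help, e.g. `// Self-hosted deployments intentionally get no X-Frame-Options here; see TODO above.`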
@ -263,28 +263,27 @@ const nextConfig = {
return redirects;
return redirects;
},
},
async headers() {
async headers() {
const ContentSecurityPolicy = `
const ContentSecurityPolicyForCalHosted = `
default-src 'self';
default-src 'self';
script-src 'self';
script-src 'self';
child-src app.cal.com;
child-src app.cal.com;
style-src 'self' app.cal.com;
style-src 'self' app.cal.com;
font-src 'self';
font-src 'self';
`;
`;
return [
const redirects = [];
{
if (process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com") {
redirects.push({
source: "/:path*",
source: "/:path*",
headers: [
headers: [
{
key: "X-Frame-Options",
value: "SAMEORIGIN",
},
{
{
key: "Content-Security-Policy",
key: "Content-Security-Policy",
value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(),
value: ContentSecurityPolicyForCalHosted.replace(/\s{2,}/g, " ").trim(),
},
},
],
],
},
});
];
}
return redirects;
},
},
};
};
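Review bot: `const redirects = [];` inside `headers()` holds header rules, not redirects, and it reuses the name that the sibling `redirects()` method returns just above (`return redirects;`), so the two are easy to confuse when reading; `const headerRules = [];` with the matching `headerRules.push({` and `return headerRules;` would read correctly. The renamed `ContentSecurityPolicyForCalHosted` template carries no `frame-ancestors` directive, so with the site-wide X-Frame-Options entry removed, every page other than /auth/login is now frameable by either mechanism — intentional per the commit title, but a comment on the template would save the next reader a search, e.g. `// No frame-ancestors here on purpose; /auth/login gets X-Frame-Options from middleware instead.`. The hosted check is an exact string comparison against `process.env.NEXT_PUBLIC_WEBAPP_URL`, so a value that differs only by a trailing slash silently drops the CSP entirely; consider normalising the value or documenting the exact form expected. The enclosing `nextConfig` object starts before this hunk.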