XFire_GovLink/middleware.ts at main · XFire2025/XFire_GovLink · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
import { verifyAccessToken } from "@/lib/auth/user-jwt";

// Define protected routes for different user types
const PROTECTED_ROUTES = {
  // User/Citizen protected routes
  USER: [
    "/user/dashboard",
    "/user/profile",
    "/user/booking",
    "/user/chat",
    "/user/submission",
  ],
  // Agent protected routes
  AGENT: [
    "/agent/dashboard",
    "/agent/analytics",
    "/agent/appointments",
    "/agent/chat",
    "/agent/profile",
    "/agent/submissions",
  ],
  // Admin protected routes
  ADMIN: [
    "/admin/dashboard",
    "/admin/agents",
    "/admin/customer-agent",
    "/admin/reports",
    "/admin/suspension",
    "/admin/system-configuration",
    "/admin/users",
    "/admin/verification",
    "/admin/admin-management",
  ],
};

// Public routes that don't require authentication
const PUBLIC_ROUTES = [
  "/",
  "/user/auth/login",
  "/user/auth/register",
  "/user/auth/forgot-password",
  "/agent/login",
  "/admin/login",
  "/api/auth/user/login",
  "/api/auth/user/register",
  "/api/auth/user/logout",
  "/api/auth/user/refresh",
  "/api/auth/user/verify-email",
  "/api/auth/admin/login",
  "/api/auth/admin/logout",
  "/api/auth/admin/refresh",
  "/api/auth/admin/initialize",
  "/api/auth/admin/logout",
  "/api/auth/admin/refresh",
  // '/api/auth/admin/create-default', // removed, now handled by create route
  "/api/auth/admin/create",
  "/verify-email",
  "/reset-password",
];

// Check if a path matches any of the protected routes
function isProtectedRoute(
  pathname: string,
  routeType: "USER" | "AGENT" | "ADMIN"
): boolean {
  return PROTECTED_ROUTES[routeType].some(
    (route) => pathname.startsWith(route) || pathname === route
  );
}

// Check if a path is a public route
function isPublicRoute(pathname: string): boolean {
  return PUBLIC_ROUTES.some(
    (route) => pathname === route || pathname.startsWith(route)
  );
}

// Get user info from token
async function getUserFromToken(token: string) {
  try {
    const decoded = verifyAccessToken(token);
    return decoded;
  } catch {
    return null;
  }
}

// Redirect to appropriate login page based on route type
function getLoginRedirect(pathname: string): string {
  if (pathname.startsWith("/admin")) {
    return "/admin/login";
  } else if (pathname.startsWith("/agent")) {
    return "/agent/login";
  } else {
    return "/user/auth/login";
  }
}

export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;

  // Skip middleware for static files, API routes (except auth), and public assets
  if (
    pathname.startsWith("/_next") ||
    pathname.startsWith("/static") ||
    pathname.includes(".") ||
    (pathname.startsWith("/api/") && !pathname.startsWith("/api/auth"))
  ) {
    return NextResponse.next();
  }

  // Allow public routes
  if (isPublicRoute(pathname)) {
    return NextResponse.next();
  }

  // Get tokens from cookies
  const accessToken = request.cookies.get("access_token")?.value;
  const refreshToken = request.cookies.get("refresh_token")?.value;

  // If no access token, check if we can refresh
  if (!accessToken) {
    if (refreshToken) {
      // Try to refresh the token
      try {
        const refreshResponse = await fetch(
          `${request.nextUrl.origin}/api/auth/user/refresh`,
          {
            method: "POST",
            headers: {
              Cookie: `refresh_token=${refreshToken}`,
            },
          }
        );

        if (refreshResponse.ok) {
          const response = NextResponse.next();
          // Copy the new access token from the refresh response
          const setCookieHeader = refreshResponse.headers.get("set-cookie");
          if (setCookieHeader) {
            response.headers.set("set-cookie", setCookieHeader);
          }
          return response;
        }
      } catch {
        // Token refresh failed - will redirect to login
      }
    }

    // No valid tokens, redirect to login
    const loginUrl = new URL(getLoginRedirect(pathname), request.url);
    loginUrl.searchParams.set("redirect", pathname);
    return NextResponse.redirect(loginUrl);
  }

  // Verify access token and get user info
  const user = await getUserFromToken(accessToken);
  if (!user) {
    // Invalid token, clear cookies and redirect to login
    const response = NextResponse.redirect(
      new URL(getLoginRedirect(pathname), request.url)
    );
    response.cookies.delete("access_token");
    response.cookies.delete("refresh_token");
    return response;
  }

  // Check role-based access
  const userRole = user.role?.toUpperCase() as "CITIZEN" | "AGENT" | "ADMIN";

  // For user/citizen routes
  if (isProtectedRoute(pathname, "USER")) {
    if (userRole !== "CITIZEN") {
      return NextResponse.redirect(new URL("/", request.url));
    }
  }

  // For agent routes
  if (isProtectedRoute(pathname, "AGENT")) {
    if (userRole !== "AGENT") {
      return NextResponse.redirect(new URL("/", request.url));
    }
  }

  // For admin routes
  if (isProtectedRoute(pathname, "ADMIN")) {
    if (userRole !== "ADMIN") {
      return NextResponse.redirect(new URL("/", request.url));
    }
  }

  // Check account status
  if (
    user.accountStatus === "suspended" ||
    user.accountStatus === "deactivated"
  ) {
    const suspendedUrl = new URL("/account-suspended", request.url);
    return NextResponse.redirect(suspendedUrl);
  }

  // Add user info to headers for components to access
  const response = NextResponse.next();
  response.headers.set("x-user-id", user.userId);
  response.headers.set("x-user-role", user.role);
  response.headers.set("x-user-email", user.email);

  return response;
}

// Configure which paths the middleware should run on
export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api (API routes)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    "/((?!api|_next/static|_next/image|favicon.ico).*)",
  ],
};