import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

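/**
 * Returns true when `pathname` is exactly `prefix` or lies beneath it as a
 * path segment (`/login` and `/login/reset` match, `/login-anything` does not).
 *
 * A bare `startsWith` would treat every path sharing the same leading
 * characters as public, which silently widens the unauthenticated surface.
 */
function isUnderPath(pathname: string, prefix: string): boolean {
  return pathname === prefix || pathname.startsWith(`${prefix}/`);
}

/**
 * Resolves the request's `Origin` header against an explicit allow-list.
 *
 * The allow-list is read from the comma-separated `CORS_ALLOWED_ORIGINS`
 * environment variable (introduced by this change; when it is unset, no
 * cross-origin caller is granted access). Same-origin requests are not
 * subject to CORS and are unaffected.
 *
 * @returns the origin to echo back, or `null` when the caller is not allowed.
 */
function resolveCorsOrigin(request: NextRequest): string | null {
  const origin = request.headers.get('origin');
  if (!origin) {
    return null;
  }
  const allowList = (process.env.CORS_ALLOWED_ORIGINS ?? '')
    .split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0);
  return allowList.includes(origin) ? origin : null;
}

/**
 * Adds CORS response headers for an allow-listed origin.
 *
 * `Vary: Origin` is always set so caches never serve one origin's response
 * to another. The credentialed headers are emitted only for an allow-listed
 * origin: echoing an arbitrary `Origin` together with
 * `Access-Control-Allow-Credentials: true` lets any website read
 * authenticated API responses with the visitor's cookies.
 */
function applyCorsHeaders(response: NextResponse, origin: string | null, allowHeaders: string): void {
  response.headers.set('Vary', 'Origin');
  if (origin === null) {
    return;
  }
  response.headers.set('Access-Control-Allow-Origin', origin);
  response.headers.set('Access-Control-Allow-Methods', 'GET,POST,PUT,PATCH,DELETE,OPTIONS');
  response.headers.set('Access-Control-Allow-Headers', allowHeaders);
  response.headers.set('Access-Control-Allow-Credentials', 'true');
}

/**
 * Gate for pages and API routes based on the presence of a NextAuth session cookie.
 *
 * - Public paths pass through untouched.
 * - API requests without a session cookie get a 401 JSON response, unless the
 *   route is listed as a public API; CORS preflights are answered directly.
 * - Page requests without a session cookie are redirected to `/sign-in`.
 *
 * SECURITY: this only checks that a session cookie EXISTS. The cookie value is
 * not decoded or verified here, so any non-empty value passes this gate. Route
 * handlers and pages must still validate the session server-side before
 * returning protected data.
 *
 * NOTE: `config.matcher` in this file excludes some paths by raw string prefix
 * before this function runs, so the segment-aware checks below cannot protect
 * paths the matcher has already skipped.
 *
 * @param request the incoming request handed over by Next.js
 * @returns a pass-through, a 204 preflight answer, a 401 JSON error, or a redirect to `/sign-in`
 */
export function middleware(request: NextRequest) {
  // NOTE(review): '/test-session' looks like a debugging route; confirm it is
  // meant to be reachable without a session in production.
  const publicPaths = ['/sign-in', '/login', '/_next', '/favicon.ico', '/images', '/public', '/api/auth', '/test-session'];
  const { pathname } = request.nextUrl;

  if (publicPaths.some((path) => isUnderPath(pathname, path))) {
    return NextResponse.next();
  }

  // NextAuth names the session cookie differently depending on the cookie prefix in use.
  const token =
    request.cookies.get('next-auth.session-token')?.value ||
    request.cookies.get('__Secure-next-auth.session-token')?.value ||
    request.cookies.get('__Host-next-auth.session-token')?.value;

  // Development-only diagnostics: cookie NAMES and presence flags, never cookie values.
  if (process.env.NODE_ENV === 'development') {
    const allCookies = request.cookies.getAll();
    console.log('🔍 All cookies:', allCookies.map((cookie) => cookie.name));
    console.log('🔍 NextAuth session token:', request.cookies.get('next-auth.session-token')?.value ? 'exists' : 'missing');
    console.log('🔍 Secure session token:', request.cookies.get('__Secure-next-auth.session-token')?.value ? 'exists' : 'missing');
    console.log('🔍 Host session token:', request.cookies.get('__Host-next-auth.session-token')?.value ? 'exists' : 'missing');

    // Any cookie whose name hints at session material.
    const sessionCookies = allCookies.filter(
      (cookie) =>
        cookie.name.includes('session') ||
        cookie.name.includes('auth') ||
        cookie.name.includes('token')
    );
    console.log('🔍 Session-related cookies:', sessionCookies.map((c) => c.name));
    console.log('🔍 Middleware - Path:', pathname, 'Token exists:', !!token);
  }

  // API requests
  if (pathname.startsWith('/api')) {
    // API routes reachable without authentication.
    // NOTE(review): confirm that unread counts and the socket endpoint expose
    // nothing user-specific to anonymous callers, or that they authenticate themselves.
    const publicApi = [
      '/api/auth',
      '/api/messages/unread-counts',
      '/api/socket'
    ];

    const isPublicApi = publicApi.some((p) => isUnderPath(pathname, p));
    const corsOrigin = resolveCorsOrigin(request);

    // CORS preflight: browsers send it without cookies, so it is answered before the token check.
    if (request.method === 'OPTIONS') {
      const preflight = new NextResponse(null, { status: 204 });
      applyCorsHeaders(
        preflight,
        corsOrigin,
        request.headers.get('access-control-request-headers') || 'Content-Type, Authorization'
      );
      return preflight;
    }

    if (!token && !isPublicApi) {
      console.log('❌ API request without token:', pathname);
      return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
    }
    if (token) {
      console.log('✅ API request with token:', pathname);
    } else {
      console.log('✅ Public API request (no token required):', pathname);
    }

    // Attach CORS headers to API requests that are let through.
    const response = NextResponse.next();
    applyCorsHeaders(response, corsOrigin, 'Content-Type, Authorization');
    return response;
  }

  // Pages
  if (!token) {
    console.log('❌ Page request without token, redirecting to sign-in:', pathname);
    const signInUrl = new URL('/sign-in', request.url);
    return NextResponse.redirect(signInUrl);
  }

  console.log('✅ Page request with token:', pathname);
  return NextResponse.next();
}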

// Route matcher read by Next.js: the middleware in this file runs only for
// request paths that this pattern matches.
export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api/auth (auth API routes)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     * - sign-in (sign-in page)
     * - login (login page)
     * - test-session
     *
     * NOTE(review): the negative lookahead has no segment boundary, so any
     * path that merely begins with one of these strings (a hypothetical
     * /login-anything, for instance) is excluded too and never reaches the
     * middleware. Consider anchoring each alternative on "/" or end of path,
     * and confirm that test-session is meant to stay reachable without a
     * session outside development.
     */
    '/((?!api/auth|_next/static|_next/image|favicon.ico|sign-in|login|test-session).*)',
  ],
}; 