Update middleware to combine techniques for detecting external requests

2025-04-19 19:01:19 +00:00 · 2024-09-30 19:28:03 -05:00 · 2024-09-30 19:28:03 -05:00 · 41dfcb6918
commit 41dfcb6918
parent b55a3cd892
1 changed files with 20 additions and 3 deletions
--- a/src/middleware.js
+++ b/src/middleware.js
@ -14,7 +14,6 @@ export const config = {
 export default async function combinedMiddleware(request) {
  const ip = request.ip ?? '127.0.0.1';
  const pathname = request.nextUrl.pathname;
-  const vercelBypass = request.headers.get('x-vercel-protection-bypass');

  // Allow access to .well-known paths
  if (pathname.startsWith('/.well-known')) {
@ -24,8 +23,8 @@ export default async function combinedMiddleware(request) {
      : NextResponse.redirect(new URL('/blocked', request.url));
  }

-  // Check if the request is coming from a Vercel deployment
-  if (!vercelBypass) {
+  // Check if the request is internal
+  if (!isInternalRequest(request)) {
    return new NextResponse(JSON.stringify({ error: 'Forbidden' }), { 
      status: 403,
      headers: { 'Content-Type': 'application/json' }
@ -37,4 +36,22 @@ export default async function combinedMiddleware(request) {
  return success
    ? NextResponse.next()
    : NextResponse.redirect(new URL('/blocked', request.url));
+}
+
+function isInternalRequest(request) {
+  // Check if the request is from the same origin
+  const requestHost = request.headers.get('host');
+  const requestProtocol = request.headers.get('x-forwarded-proto') || 'http';
+  const requestOrigin = `${requestProtocol}://${requestHost}`;
+
+  // Check if the request has a referer from the same origin
+  const referer = request.headers.get('referer');
+  
+  // Allow requests with no referer (direct API calls from your app)
+  if (!referer) {
+    return true;
+  }
+
+  // Check if the referer matches the request origin
+  return referer.startsWith(requestOrigin);
 }