Update middleware to combine techniques for detecting external requests

2025-06-06 18:31:00 +00:00 · 2024-09-30 19:28:03 -05:00 · 2024-09-30 19:28:03 -05:00 · 41dfcb6918
commit 41dfcb6918
parent b55a3cd892
1 changed files with 20 additions and 3 deletions
--- a/src/middleware.js
+++ b/src/middleware.js
@ -14,7 +14,6 @@ export const config = {
 export default async function combinedMiddleware(request) {
  const ip = request.ip ?? '127.0.0.1';
  const pathname = request.nextUrl.pathname;
  const vercelBypass = request.headers.get('x-vercel-protection-bypass');
  // Allow access to .well-known paths
  if (pathname.startsWith('/.well-known')) {
@ -24,8 +23,8 @@ export default async function combinedMiddleware(request) {
      : NextResponse.redirect(new URL('/blocked', request.url));
  }
-  // Check if the request is coming from a Vercel deployment
+  // Check if the request is internal
-  if (!vercelBypass) {
+  if (!isInternalRequest(request)) {
    return new NextResponse(JSON.stringify({ error: 'Forbidden' }), { 
      status: 403,
      headers: { 'Content-Type': 'application/json' }
@ -38,3 +37,21 @@ export default async function combinedMiddleware(request) {
    ? NextResponse.next()
    : NextResponse.redirect(new URL('/blocked', request.url));
 }
 function isInternalRequest(request) {
  // Check if the request is from the same origin
  const requestHost = request.headers.get('host');
  const requestProtocol = request.headers.get('x-forwarded-proto') || 'http';
  const requestOrigin = `${requestProtocol}://${requestHost}`;
  // Check if the request has a referer from the same origin
  const referer = request.headers.get('referer');
  // Allow requests with no referer (direct API calls from your app)
  if (!referer) {
    return true;
  }
  // Check if the referer matches the request origin
  return referer.startsWith(requestOrigin);
 }