From e59bee30f71117cfb7e65aba4fcfdcde2dac824c Mon Sep 17 00:00:00 2001
From: austinkelsay
Date: Mon, 30 Sep 2024 19:41:26 -0500
Subject: [PATCH] Return back to basic rate limit middleware, setup server session to block user route to test
---
 src/middleware.js | 48 ++++++------------------------
 src/pages/api/users/index.js | 6 ++++-
 2 files changed, 13 insertions(+), 41 deletions(-)
diff --git a/src/middleware.js b/src/middleware.js
index 602bd47..69f5b5f 100644
--- a/src/middleware.js
+++ b/src/middleware.js
@@ -4,54 +4,22 @@ import { kv } from '@vercel/kv';
 const ratelimit = new Ratelimit({
 redis: kv,
+ // 5 requests from the same IP in 10 seconds
 limiter: Ratelimit.slidingWindow(5, '10 s'),
 });
+// Define which routes you want to rate limit
 export const config = {
- matcher: ['/api/:path*'],
+ matcher: '/',
 };
-export default async function combinedMiddleware(request) {
+export default async function middleware(request) {
+ // You could alternatively limit based on user ID or similar
 const ip = request.ip ?? '127.0.0.1';
- const pathname = request.nextUrl.pathname;
-
- // Allow access to .well-known paths
- if (pathname.startsWith('/.well-known')) {
- const { success } = await ratelimit.limit(ip);
- return success
- ? NextResponse.next()
- : NextResponse.redirect(new URL('/blocked', request.url));
- }
-
- // Check if the request is internal
- if (!isInternalRequest(request)) {
- return new NextResponse(JSON.stringify({ error: 'Forbidden' }), {
- status: 403,
- headers: { 'Content-Type': 'application/json' }
- });
- }
-
- // Apply rate limiting for allowed requests
- const { success } = await ratelimit.limit(ip);
+ const { success, pending, limit, reset, remaining } = await ratelimit.limit(
+ ip
+ );
 return success
 ? NextResponse.next()
 : NextResponse.redirect(new URL('/blocked', request.url));
-}
-
-function isInternalRequest(request) {
- // Check if the request is from the same origin
- const requestHost = request.headers.get('host');
- const requestProtocol = request.headers.get('x-forwarded-proto') || 'http';
- const requestOrigin = `${requestProtocol}://${requestHost}`;
-
- // Check if the request has a referer from the same origin
- const referer = request.headers.get('referer');
-
- // Allow requests with no referer (direct API calls from your app)
- if (!referer) {
- return true;
- }
-
- // Check if the referer matches the request origin
- return referer.startsWith(requestOrigin);
 }
\ No newline at end of file
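Review bot: `matcher: '/'` restricts the middleware to the root page only, so the `/api/*` routes the previous `['/api/:path*']` matcher covered — including `/api/users`, which this same commit touches — are no longer rate-limited at all; if the narrowing is only for the test the subject line mentions, say so in the comment above `config`, otherwise `matcher: ['/', '/api/:path*'],` keeps both. `pending`, `limit`, `reset` and `remaining` are destructured from `ratelimit.limit(ip)` but never used; either reduce it to `const { success } = await ratelimit.limit(ip);` or use `limit`/`remaining`/`reset` to set rate-limit headers on the response so well-behaved clients can back off instead of hitting `/blocked`. `request.ip ?? '127.0.0.1'` is unchanged here, but it means every request without a resolvable IP shares a single bucket, so one such client can exhaust the window for all of them — worth a comment such as `// TODO: requests with no resolvable IP share one bucket; confirm request.ip is populated in this deployment`. The file now ends without a trailing newline.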
diff --git a/src/pages/api/users/index.js b/src/pages/api/users/index.js
index e12c2f5..a18d444 100644
--- a/src/pages/api/users/index.js
+++ b/src/pages/api/users/index.js
@@ -6,7 +6,11 @@ export default async function handler(req, res) {
 if (req.method === 'GET') {
 try {
 const session = await getServerSession(req, res, authOptions)
- console.log("Session", session)
+
+ if (!session) {
+ return res.status(401).json({ error: 'Unauthorized' });
+ }
+
 const users = await getAllUsers();
 res.status(200).json(users);
 } catch (error) {
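Review bot: The new `if (!session)` guard only establishes that the caller is logged in, yet `getAllUsers()` then returns every user record to any authenticated account; if this route is meant to be admin-only, the check should also verify whichever role or privilege flag the project stores on the session object, and if it is intentionally readable by all members, a one-line comment above the guard saying so would spare the next reader the same question. The guard sits only inside the `GET` branch; `handler` begins before this hunk and continues after it, so any other methods it handles are not covered by this change. Minor style: the `getServerSession(...)` line has no terminating semicolon while the added lines do; `const session = await getServerSession(req, res, authOptions);` keeps the file consistent.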