chore: Update middleware to protect additional paths and use API key …

…for authorization Signed-off-by: Ilayda Cansin Koc <ilaydacansin@gmail.com>
GAIA-X4PLC-AAD · Jun 11, 2024 · df7e7e7 · df7e7e7
1 parent e8fb483
commit df7e7e7
Showing 1 changed file with 10 additions and 14 deletions.
diff --git a/vclogin/middleware.ts b/vclogin/middleware.ts
@@ -1,24 +1,20 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
 
-const excludePath = [
-  "/api/dynamic/presentCredentialById",
-  "/api/dynamic/clientMetadataById",
-  "/api/presentCredential",
-  "/api/clientMetadata",
+const protectedPaths = [
+  "/api/dynamic/createTempAuthorization",
+  "/api/dynamic/getAuthResponse",
+  "/api/dynamic/getQRCodeString",
 ];
 
-export function middleware(req: NextRequest, res: NextResponse) {
+export function middleware(req: NextRequest) {
   const authHeader = req.headers.get("Authorization");
-  const oidcClientId = authHeader?.split(" ")[1];
-
-  if (excludePath.includes(req.nextUrl.pathname)) {
-    return NextResponse.next();
-  }
-
-  if (oidcClientId && oidcClientId === process.env.OIDC_CLIENT_ID) {
+  const path = req.nextUrl.pathname;
+  const apiKey = authHeader?.split(" ")[1];
+  if (protectedPaths.includes(path) && apiKey === process.env.API_KEY) {
     return NextResponse.next();
-  } else {
+  } else if (protectedPaths.includes(path) && apiKey !== process.env.API_KEY) {
     return new Response("Unauthorized", { status: 401 });
   }
+  return NextResponse.next();
 }