c0c6652dd5
middleware.ts now checks profiles.role on every /admin/* request and returns a plain 404 (not a redirect) for anonymous users and any authenticated user without role='admin'. The 404 wording matches a non-existent route, so we don't leak the existence of an admin area. gutomec@gmail.com promoted to admin in the live DB. openrouter.ts chat now collects artifacts silently during the tool-call loop instead of streaming them to the SSE. After the model writes its final prose (and after the forced-synthesis pass if needed), we scan the assembled text for [[doc-id/p007#cNNNN]] citations and emit ONLY the artifacts referenced. Duplicates are deduped by chunk_id. The persisted citations column on messages now stores the filtered set too, so old sessions reload with the same focused card grid. Before: every hybrid_search hit (up to 6 per call × 5 calls = 30+ citation cards plus crop images) flooded the chat regardless of what the model ended up using. After: only the chunks actually woven into the answer.
62 lines
2 KiB
TypeScript
62 lines
2 KiB
TypeScript
/**
|
|
* Next.js middleware — refreshes the Supabase auth session on every request,
|
|
* so Server Components see the latest user state.
|
|
*
|
|
* Skipped on static assets and the static-file API to keep them fast.
|
|
*/
|
|
import { NextResponse, type NextRequest } from "next/server";
|
|
import { createServerClient, type CookieOptions } from "@supabase/ssr";
|
|
|
|
export async function middleware(request: NextRequest) {
|
|
const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
|
|
const key = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
|
|
|
|
let response = NextResponse.next({ request });
|
|
|
|
if (!url || !key) {
|
|
// Supabase not configured — skip auth refresh entirely
|
|
return response;
|
|
}
|
|
|
|
const supabase = createServerClient(url, key, {
|
|
cookies: {
|
|
getAll() {
|
|
return request.cookies.getAll();
|
|
},
|
|
setAll(toSet: Array<{ name: string; value: string; options?: CookieOptions }>) {
|
|
toSet.forEach(({ name, value }) => request.cookies.set(name, value));
|
|
response = NextResponse.next({ request });
|
|
toSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));
|
|
},
|
|
},
|
|
});
|
|
|
|
// Trigger refresh (silently if token still valid)
|
|
const { data: { user } } = await supabase.auth.getUser();
|
|
|
|
// Gate /admin/* by role. Non-admin (including anonymous) gets the public
|
|
// 404, not a redirect — we don't want to leak the existence of the route.
|
|
const pathname = request.nextUrl.pathname;
|
|
if (pathname.startsWith("/admin")) {
|
|
if (!user) {
|
|
return new NextResponse("Not Found", { status: 404 });
|
|
}
|
|
const { data: profile } = await supabase
|
|
.from("profiles")
|
|
.select("role")
|
|
.eq("id", user.id)
|
|
.maybeSingle();
|
|
if (profile?.role !== "admin") {
|
|
return new NextResponse("Not Found", { status: 404 });
|
|
}
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
export const config = {
|
|
matcher: [
|
|
// Match everything EXCEPT static files + the static-file API
|
|
"/((?!_next/static|_next/image|favicon.ico|api/static).*)",
|
|
],
|
|
};
|