create middleware block and update proxy file also make token stored in cookes and up date user page to can show user details also fixed delete user error and delete car error and broken corse inginx image block now we can uplode image to server and but it in my app
This commit is contained in:
35
app/api/auth/set-cookie/route.ts
Normal file
35
app/api/auth/set-cookie/route.ts
Normal file
@@ -0,0 +1,35 @@
|
||||
// app/api/auth/set-cookie/route.ts
|
||||
// Receives the JWT from the client immediately after login and stores it
|
||||
// in an HttpOnly, Secure, SameSite=Strict cookie.
|
||||
// The client never stores the raw token — it passes through this endpoint once.
|
||||
|
||||
import { NextRequest, NextResponse } from "next/server";
|
||||
|
||||
export async function POST(request: NextRequest) {
|
||||
const body = await request.json().catch(() => null);
|
||||
const token: unknown = body?.token;
|
||||
|
||||
if (typeof token !== "string" || !token) {
|
||||
return NextResponse.json({ error: "Invalid token" }, { status: 400 });
|
||||
}
|
||||
|
||||
const isProduction = process.env.NODE_ENV === "production";
|
||||
|
||||
// Build the Set-Cookie header manually so we have full control over flags.
|
||||
// - HttpOnly: JavaScript cannot read this cookie.
|
||||
// - Secure: Only sent over HTTPS (omitted in development for localhost).
|
||||
// - SameSite=Strict: Not sent on cross-site requests, mitigating CSRF.
|
||||
// - Path=/: Available for all routes (needed for the middleware to read it).
|
||||
const cookieParts = [
|
||||
`auth_token=${encodeURIComponent(token)}`,
|
||||
"HttpOnly",
|
||||
isProduction ? "Secure" : "", // Omit Secure on localhost (no HTTPS)
|
||||
"SameSite=Strict",
|
||||
"Path=/",
|
||||
"Max-Age=604800", // 7 days in seconds
|
||||
].filter(Boolean);
|
||||
|
||||
const response = NextResponse.json({ ok: true });
|
||||
response.headers.set("Set-Cookie", cookieParts.join("; "));
|
||||
return response;
|
||||
}
|
||||
Reference in New Issue
Block a user