fix homepage storefront proxy and CSP
Build & Deploy / Build & Push Docker Image (push) Successful in 2m50s
Test / Type Check (all packages) (push) Successful in 52s
Build & Deploy / Deploy to VPS (push) Successful in 3s
Test / API Unit Tests (push) Successful in 54s
Test / Homepage Unit Tests (push) Successful in 44s
Test / Storefront Unit Tests (push) Successful in 41s
Test / Admin Unit Tests (push) Successful in 42s
Test / Dashboard Unit Tests (push) Successful in 41s
Test / API Integration Tests (push) Successful in 1m0s

This commit is contained in:
root
2026-07-02 13:55:10 -04:00
parent 9c11f3660d
commit 56c3bcf666
6 changed files with 98 additions and 5 deletions
+2 -1
View File
@@ -7,7 +7,8 @@ export function buildContentSecurityPolicy(
development: boolean,
apiOrigin?: string,
): string {
const scriptSources = ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'", "'unsafe-eval'"];
void nonce;
const scriptSources = ["'self'", "'unsafe-inline'", "'unsafe-eval'"];
const styleSources = ["'self'", "'unsafe-inline'"];
+10 -2
View File
@@ -13,6 +13,7 @@ import type { NextRequest } from 'next/server';
import { NextResponse } from 'next/server';
const dashboardLanguageCookie = 'rentaldrivego-language';
const reservedProxySegments = new Set(['dashboard', 'admin', 'storefront']);
function applySecurityHeaders(response: NextResponse, contentSecurityPolicy: string): NextResponse {
response.headers.set('Content-Security-Policy', contentSecurityPolicy);
@@ -65,10 +66,17 @@ export function proxy(request: NextRequest): NextResponse {
return applySecurityHeaders(response, csp);
}
// Redirect locale-less paths (e.g. /sign-in → /en/sign-in), but not /dashboard, /admin, or files
const pathSegments = request.nextUrl.pathname.split('/').filter(Boolean);
if (isLocale(pathSegments[0]) && pathSegments[1] === 'storefront') {
const destination = request.nextUrl.clone();
destination.pathname = `/${pathSegments.slice(1).join('/')}`;
return applySecurityHeaders(NextResponse.redirect(destination), csp);
}
// Redirect locale-less paths (e.g. /sign-in → /en/sign-in), but not proxied app paths or files.
const firstSegment = request.nextUrl.pathname.split('/')[1];
const isFile = /\.\w+$/.test(request.nextUrl.pathname);
if (firstSegment && !isFile && !isLocale(firstSegment) && firstSegment !== 'dashboard' && firstSegment !== 'admin') {
if (firstSegment && !isFile && !isLocale(firstSegment) && !reservedProxySegments.has(firstSegment)) {
const cookieLocale = request.cookies.get(localeCookie)?.value;
const locale = isLocale(cookieLocale)
? cookieLocale