feat(example): Add Nosecone example with custom router #2662
Conversation
|
✨ Submitted to Merge by David Mytton (@davidmytton). It will be added to the merge queue once all branch protection rules pass and there are no merge conflicts with the target branch. See more details here. |
|
New dependencies detected. Learn more about Socket for GitHub ↗︎
|
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is unstable ownership?A new collaborator has begun publishing package versions. Package stability and security risk may be elevated. Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
| if (m) { | ||
| for (const fn of middlewareFuncs) { | ||
| const resp = await fn(request, event); | ||
| // TODO: better response guards |
There was a problem hiding this comment.
@blaine-arcjet could you review my fix in #2639 (comment) please? Seems like we should handle redirects and auth errors by just returning the response, but that might leave the security headers unset.
There was a problem hiding this comment.
Is there a reason we can't add the headers to returned response before returning it from the middleware?
It looks like the implementation for NextResponse.redirect() isn't complex:
static redirect(url, init) {
const status = typeof init === "number" ? init : (init == null ? void 0 : init.status) ?? 307;
if (!REDIRECTS.has(status)) {
throw new RangeError('Failed to execute "redirect" on "response": Invalid status code');
}
const initObj = typeof init === "object" ? init : {};
const headers = new Headers(initObj == null ? void 0 : initObj.headers);
headers.set("Location", (0, _utils.validateURL)(url));
return new NextResponse(null, {
...initObj,
headers,
status
});
}So we could return a Response instantly that sets the status code & Location header.
Also, to make this resilient, we probably want to handle NextResponse.rewrite(), which looks like it sets a different header than NextResponse.next():
static rewrite(destination, init) {
const headers = new Headers(init == null ? void 0 : init.headers);
headers.set("x-middleware-rewrite", (0, _utils.validateURL)(destination));
handleMiddlewareField(init, headers);
return new NextResponse(null, {
...init,
headers
});
}There was a problem hiding this comment.
Ideally we'd add the headers to all responses. So this is really about extending how we handle the redirect and rewrites to make sure they're captured correctly.
There was a problem hiding this comment.
@blaine-arcjet could you add this to the code when you get a chance please? You'll do a better job than me at this!
Created to help with #2639 so making this an official example.