kang
55bd56116d
更新 .env.example,补充玩家端本地开发配置说明,并新增直连 Laravel 服务及局域网访问相关配置选项。 重构 middleware.ts:使用新的 API 请求路径构建方法,提升代码清晰度与可维护性。 移除 next.config.ts 中已弃用的 API_BASE_URL 配置,简化 API 请求处理流程。 调整 lottery-http 以适配新的 API 基础地址解析机制,提升代码维护性。 优化 CSP(内容安全策略)配置,精简连接来源白名单管理,进一步增强安全性。
49 lines
1.3 KiB
TypeScript
49 lines
1.3 KiB
TypeScript
import { NextResponse, type NextRequest } from "next/server";
|
|
|
|
import { lotteryApiOrigin } from "./src/lib/lottery-api-base";
|
|
import { generateCSP, nonCspSecurityHeaders } from "./src/lib/csp-config";
|
|
|
|
type RuntimeOriginsEnvelope = {
|
|
code?: number;
|
|
data?: {
|
|
iframe_allowed_origins?: unknown;
|
|
};
|
|
};
|
|
|
|
async function loadRuntimeOrigins(): Promise<string[]> {
|
|
try {
|
|
const url = `${lotteryApiOrigin()}/api/v1/integration/runtime-origins`;
|
|
const response = await fetch(url, {
|
|
headers: { Accept: "application/json" },
|
|
cache: "no-store",
|
|
});
|
|
|
|
if (!response.ok) return [];
|
|
|
|
const payload = (await response.json()) as RuntimeOriginsEnvelope;
|
|
const origins = payload.data?.iframe_allowed_origins;
|
|
|
|
if (!Array.isArray(origins)) return [];
|
|
|
|
return origins.filter((origin): origin is string => typeof origin === "string");
|
|
} catch {
|
|
return [];
|
|
}
|
|
}
|
|
|
|
export async function middleware(_request: NextRequest): Promise<NextResponse> {
|
|
const response = NextResponse.next();
|
|
const runtimeOrigins = await loadRuntimeOrigins();
|
|
|
|
response.headers.set("Content-Security-Policy", generateCSP(runtimeOrigins));
|
|
for (const header of nonCspSecurityHeaders) {
|
|
response.headers.set(header.key, header.value);
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
export const config = {
|
|
matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
|
|
};
|