xiaokang/lotteryFront
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1316a62ce339ff68ba1e93cd43a7b2a6ee71b102
lotteryFront/middleware.ts
kang 1316a62ce3 feat: 更新环境配置并增强 iframe 安全处理机制 
修改 .env.example,优化环境切换说明,并新增 API_BASE_URL 配置项,提升配置管理能力。
更新 next.config.ts:使用 API_BASE_URL 代理 API 请求,增强开发与生产环境的灵活性。
重构 iframe-bridge 与 use-token-refresh 组件,采用新的 iframe 来源校验方法,提升安全性检查能力。
优化 csp-config.ts:动态注入允许的父级来源(parent origins)到 CSP 配置中,强化安全策略。
调整 lottery-http:通过 Next.js 代理转发 API 请求,简化 API 调用流程。
2026-05-28 10:12:24 +08:00

48 lines
1.3 KiB
TypeScript
Raw Blame History

import { NextResponse, type NextRequest } from "next/server";
import { generateCSP, nonCspSecurityHeaders } from "./src/lib/csp-config";
type RuntimeOriginsEnvelope = {
code?: number;
data?: {
iframe_allowed_origins?: unknown;
};
};
async function loadRuntimeOrigins(request: NextRequest): Promise<string[]> {
try {
const url = new URL("/api/v1/integration/runtime-origins", request.url);
const response = await fetch(url, {
headers: { Accept: "application/json" },
cache: "no-store",
});
if (!response.ok) return [];
const payload = (await response.json()) as RuntimeOriginsEnvelope;
const origins = payload.data?.iframe_allowed_origins;
if (!Array.isArray(origins)) return [];
return origins.filter((origin): origin is string => typeof origin === "string");
} catch {
return [];
}
}
export async function middleware(request: NextRequest): Promise<NextResponse> {
const response = NextResponse.next();
const runtimeOrigins = await loadRuntimeOrigins(request);
response.headers.set("Content-Security-Policy", generateCSP(runtimeOrigins));
for (const header of nonCspSecurityHeaders) {
response.headers.set(header.key, header.value);
}
return response;
}
export const config = {
matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
};
Reference in New Issue View Git Blame Copy Permalink