( requestId: string, resource: DeploymentAuthResource, request: NextRequest, parsedBody: DeploymentAuthBody | null | undefined, cookiePrefix: DeploymentAuthKind )
| 57 | * support all four modes: `'public'`, `'password'`, `'email'`, and `'sso'`. |
| 58 | */ |
| 59 | export async function validateDeploymentAuth( |
| 60 | requestId: string, |
| 61 | resource: DeploymentAuthResource, |
| 62 | request: NextRequest, |
| 63 | parsedBody: DeploymentAuthBody | null | undefined, |
| 64 | cookiePrefix: DeploymentAuthKind |
| 65 | ): Promise<DeploymentAuthResult> { |
| 66 | const authType = resource.authType || 'public' |
| 67 | |
| 68 | if (authType === 'public') { |
| 69 | return { authorized: true } |
| 70 | } |
| 71 | |
| 72 | if (authType !== 'sso') { |
| 73 | const authCookie = request.cookies.get(deploymentAuthCookieName(cookiePrefix, resource.id)) |
| 74 | |
| 75 | if ( |
| 76 | authCookie && |
| 77 | validateAuthToken(authCookie.value, resource.id, authType, resource.password) |
| 78 | ) { |
| 79 | return { authorized: true } |
| 80 | } |
| 81 | } |
| 82 | |
| 83 | if (authType === 'password') { |
| 84 | if (request.method === 'GET') { |
| 85 | return { authorized: false, error: 'auth_required_password' } |
| 86 | } |
| 87 | |
| 88 | try { |
| 89 | if (!parsedBody) { |
| 90 | return { authorized: false, error: 'Password is required' } |
| 91 | } |
| 92 | |
| 93 | const { password, input } = parsedBody |
| 94 | |
| 95 | if (input && !password) { |
| 96 | return { authorized: false, error: 'auth_required_password' } |
| 97 | } |
| 98 | |
| 99 | if (!password) { |
| 100 | return { authorized: false, error: 'Password is required' } |
| 101 | } |
| 102 | |
| 103 | if (!resource.password) { |
| 104 | logger.error(`[${requestId}] No password set for password-protected ${resource.id}`) |
| 105 | return { authorized: false, error: 'Authentication configuration error' } |
| 106 | } |
| 107 | |
| 108 | const ip = getClientIp(request) |
| 109 | const ipRateLimit = await rateLimiter.checkRateLimitDirect( |
| 110 | `${cookiePrefix}-password:ip:${resource.id}:${ip}`, |
| 111 | PASSWORD_IP_RATE_LIMIT |
| 112 | ) |
| 113 | if (!ipRateLimit.allowed) { |
| 114 | logger.warn( |
| 115 | `[${requestId}] Password attempt IP rate limit exceeded for ${resource.id} from ${ip}` |
| 116 | ) |
no test coverage detected