import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

// Auth pages that make sense for a visitor without a session. Declared but not
// referenced anywhere in this module (and not exported) — presumably kept for a
// future check; nothing currently enforces it.
const allowedWhenLoggedOut = ["/auth/login", "/auth/register", "/auth/forgot-password"];
// Path prefixes a signed-in user is bounced away from (to /dashboard) in
// `middleware` step 3. Matched with `startsWith`, so sub-paths count as well.
const restrictedWhenLoggedIn = ["/auth/login", "/auth/register"];

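/**
 * Reads the `role` claim out of a compact JWT's payload segment.
 *
 * The payload is base64url-decoded and parsed as JSON. The signature is NOT
 * verified here, so the result is whatever the cookie's author put in it —
 * use it only to steer navigation (as `middleware` does). Any authorization
 * decision must be made server-side against a verified token.
 *
 * @param token - Raw compact JWT (`header.payload.signature`).
 * @returns The `role` claim when it is a string; otherwise `null` (malformed
 *   token, undecodable payload, non-JSON payload, missing or non-string
 *   `role`).
 */
function getRoleFromToken(token: string): string | null {
    try {
        const payload = token.split('.')[1];
        if (!payload) {
            return null;
        }
        // JWT segments are base64url (RFC 7515): '-'/'_' alphabet and no
        // padding. atob() only accepts standard base64, so translate first;
        // a '_' or '-' in the segment would otherwise throw and lose the role.
        const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
        const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
        // atob() yields one char per byte; reassemble the bytes and decode as
        // UTF-8 so non-ASCII claim values are not mangled as Latin-1.
        const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
        const decoded: unknown = JSON.parse(new TextDecoder().decode(bytes));
        if (typeof decoded !== 'object' || decoded === null) {
            return null;
        }
        const role: unknown = (decoded as Record<string, unknown>).role;
        return typeof role === 'string' ? role : null;
    } catch {
        // Any decode/parse failure means "no usable role"; callers treat null
        // as "not pending".
        return null;
    }
}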

/**
 * Edge middleware that steers users between the public auth pages, the
 * role-selection step and the dashboard based on two cookies.
 *
 * Decision order (first match wins):
 *   1. No session cookie on a `/dashboard` path → redirect to `/auth/login`
 *      with the requested path in `?redirect=`.
 *   2. Session and `access_token` both present: a `social_pending` role is
 *      pushed to `/auth/choose-role` (the root path `/` is exempt); any other
 *      role is pushed away from `/auth/choose-role` to `/dashboard`.
 *   3. Session cookie on a `restrictedWhenLoggedIn` prefix → `/dashboard`.
 * Anything else passes through.
 *
 * Only cookie *presence* is checked — neither the session cookie nor the
 * `access_token` is verified here, and the role comes from an unverified JWT
 * payload (see `getRoleFromToken`). Treat this as navigation hygiene, not as
 * an authorization boundary; route handlers must enforce access themselves.
 * `/api/protected/:path*` is in `config.matcher` but no branch below inspects
 * it, so such requests always pass through.
 *
 * @param request - Incoming request; its cookies and `nextUrl.pathname` are read.
 * @returns A redirect response, or `NextResponse.next()` to continue.
 */
export function middleware(request: NextRequest) {
    const { pathname } = request.nextUrl;
    const redirectTo = (path: string) => NextResponse.redirect(new URL(path, request.url));

    // next-auth prefixes its cookie name with `__Secure-` on HTTPS origins.
    const secureSession = request.cookies.get("__Secure-next-auth.session-token")?.value;
    const plainSession = request.cookies.get("next-auth.session-token")?.value;
    const hasSession = Boolean(secureSession || plainSession);
    const accessToken = request.cookies.get("access_token")?.value;

    // 1. Anonymous visitor on the dashboard → login, remembering the target path.
    const wantsDashboard = pathname.startsWith("/dashboard");
    if (!hasSession && wantsDashboard) {
        const loginUrl = new URL("/auth/login", request.url);
        loginUrl.searchParams.set("redirect", pathname);
        return NextResponse.redirect(loginUrl);
    }

    // 2. Role gating, applied only when both cookies exist.
    if (hasSession && accessToken) {
        const onChooseRole = pathname.startsWith("/auth/choose-role");
        const isPending = getRoleFromToken(accessToken) === 'social_pending';

        // Pending users must finish choosing a role (the root page stays reachable).
        if (isPending && !onChooseRole && pathname !== "/") {
            return redirectTo("/auth/choose-role");
        }
        // Everyone else is kept off the choose-role page.
        if (!isPending && onChooseRole) {
            return redirectTo("/dashboard");
        }
    }

    // 3. Signed-in users are kept off login/register.
    const onRestrictedPage = restrictedWhenLoggedIn.some((prefix) => pathname.startsWith(prefix));
    if (hasSession && onRestrictedPage) {
        return redirectTo("/dashboard");
    }

    return NextResponse.next();
}

/**
 * Paths the middleware runs on; anything not listed bypasses it entirely.
 * `/api/protected/:path*` is matched here but `middleware` has no branch that
 * looks at it, so those requests always fall through to `NextResponse.next()`.
 */
export const config = {
    matcher: [
        "/",                        // root: exempt from the choose-role redirect (step 2)
        "/dashboard/:path*",        // step 1: login redirect when no session cookie
        "/api/protected/:path*",    // matched, but never inspected by `middleware`
        "/auth/login",              // step 3: restricted when a session cookie is present
        "/auth/register",           // step 3: restricted when a session cookie is present
        "/auth/forgot-password",    // only appears in `allowedWhenLoggedOut`, which nothing reads
        "/auth/choose-role",        // step 2: role gating
    ],
};
