import { NextResponse } from "next/server" import type { NextRequest } from "next/server" import { jwtVerify } from "jose" const JWT_SECRET = new TextEncoder().encode( process.env.JWT_SECRET || "fallback-dev-secret-do-not-use-in-production" ) const publicRoutes = [ "/login", "/api/auth/login", "/api/auth/logout", "/_next/static", "/_next/image", "/favicon.ico", "/logo", "/fonts", ] export async function middleware(request: NextRequest) { const { pathname } = request.nextUrl const isPublic = publicRoutes.some( (route) => pathname === route || pathname.startsWith(route + "/") || pathname.startsWith(route) ) if (pathname === "/api/auth/me") { return NextResponse.next() } if (isPublic) { return NextResponse.next() } const sessionCookie = request.cookies.get("session")?.value if (!sessionCookie) { const loginUrl = new URL("/login", request.url) loginUrl.searchParams.set("redirect", pathname) return NextResponse.redirect(loginUrl) } try { await jwtVerify(sessionCookie, JWT_SECRET) return NextResponse.next() } catch { const loginUrl = new URL("/login", request.url) loginUrl.searchParams.set("redirect", pathname) return NextResponse.redirect(loginUrl) } } export const config = { matcher: ["/((?!_next/static|_next/image|favicon.ico|logo|fonts).*)"], }