This is my middleware.js file for Next.js:
import { NextResponse } from 'next/server';
import { createCsrfMiddleware } from '@edge-csrf/nextjs';
const csrfMiddleware = createCsrfMiddleware({
secret : process.env.CSRF_SECRET,
cookie : {
secure : process.env.NODE_ENV === 'production',
sameSite : 'strict',
httpOnly : true
}
});
export const middleware = async (req) => {
const path = req.nextUrl.pathname;
if (req.method === 'POST' && path === '/api/whatever') {
try {
console.warn(`checking skip in ${path}...`);
const decoder = new TextDecoder('utf-8');
let wholeBody = decoder.decode(await req.arrayBuffer());
const json = JSON.parse(wholeBody);
if (json.action === 'skip') {
console.warn(`skipped: '${wholeBody}'`);
return NextResponse.next();
}
else {
console.warn('skip ignored');
return csrfMiddleware(req); // body is unusable
}
}
catch (err) {
console.warn(`skip check failed in ${path}: ${err.message}`);
return new NextResponse('Internal Server Error', { status: 500 });
}
}
return csrfMiddleware(req);
};
Notice two things:
- I am using @edge-csrf/nextjs to prevent CSRF, but that’s not important.
- I am trying to skip the CSRF middleware by inspecting the CONTENTS of the payload.
Yes. I know this is a weird case, and usually it’s done by ignoring a whole API path. But I want to know if it’s possible to do it this way.
Having said that, there is an issue right there in the line with the comment.
Before reaching that part, the body has been ‘consumed’ by (I guess) req.arrayBuffer().
Hence it cannot be used again.
So I wonder if is it possible to read the body and rewind the thing (haha) or peeking into it in some way.
Thanks for your ideas/comments.