src/hooks/requireAuthHook.js

// requireAuthHook.js
import { API_URL } from "@/config";

// Short-term failure cache for auth timeouts/errors
let lastAuthFailureTime = 0;
const AUTH_FAILURE_CACHE_MS = 30000; // 30 seconds

// WeakMap to cache auth promises per Astro context (request)
const authCache = new WeakMap();

export const requireAuthHook = async (Astro) => {
  // If we recently failed due to API timeout/unreachability, fail closed quickly
  if (Date.now() - lastAuthFailureTime < AUTH_FAILURE_CACHE_MS) {
    return null;
  }
  // Check if we already have a cached promise for this request
  if (authCache.has(Astro)) {
    return authCache.get(Astro);
  }

  // Create a promise and cache it immediately to prevent race conditions
  const authPromise = performAuth(Astro);
  authCache.set(Astro, authPromise);

  // Return the promise - all callers will await the same promise
  return authPromise;
};

async function performAuth(Astro) {
  try {
    const cookieHeader = Astro.request.headers.get("cookie") ?? "";
    // Add timeout to avoid hanging SSR render
    let controller = new AbortController();
    let timeout = setTimeout(() => controller.abort(), 3000);
    let res;
    try {
      res = await fetch(`${API_URL}/auth/id`, {
        headers: { Cookie: cookieHeader },
        credentials: "include",
        signal: controller.signal,
      });
    } catch (err) {
      clearTimeout(timeout);
      lastAuthFailureTime = Date.now();
      console.error("[SSR] auth/id failed or timed out", err);
      return null;
    }
    clearTimeout(timeout);

    if (res.status === 401) {
      // Check if we even have a refresh token before attempting refresh
      if (!cookieHeader.includes('refresh_token=')) {
        return null;
      }

      // Try refresh with timeout
      controller = new AbortController();
      timeout = setTimeout(() => controller.abort(), 3000);
      let refreshRes;
      try {
        refreshRes = await fetch(`${API_URL}/auth/refresh`, {
          method: "POST",
          headers: { Cookie: cookieHeader },
          credentials: "include",
          signal: controller.signal,
        });
      } catch (err) {
        clearTimeout(timeout);
        lastAuthFailureTime = Date.now();
        console.error("[SSR] auth/refresh failed or timed out", err);
        return null;
      }
      clearTimeout(timeout);

      if (!refreshRes.ok) {
        let errorDetail = '';
        try {
          const errorBody = await refreshRes.text();
          errorDetail = ` - ${errorBody}`;
        } catch {}
        console.error(`[SSR] Token refresh failed ${refreshRes.status}${errorDetail}`);
        return null;
      }

      // Get all Set-Cookie headers (getSetCookie returns an array)
      let setCookies = [];
      if (typeof refreshRes.headers.getSetCookie === 'function') {
        setCookies = refreshRes.headers.getSetCookie();
      } else {
        // Fallback for older Node versions
        const setCookieHeader = refreshRes.headers.get("set-cookie");
        if (setCookieHeader) {
          // Split on comma followed by a cookie name (word=), avoiding splitting on Expires dates
          setCookies = setCookieHeader.split(/,(?=\s*[a-zA-Z_][a-zA-Z0-9_]*=)/);
        }
      }

      if (setCookies.length === 0) {
        console.error("No set-cookie header found in refresh response");
        return null;
      }

      // Forward cookies to client
      setCookies.forEach((c) => Astro.response.headers.append("set-cookie", c.trim()));

      // Build new cookie header for the retry request
      const newCookieHeader = setCookies.map(c => c.split(";")[0].trim()).join("; ");

      controller = new AbortController();
      timeout = setTimeout(() => controller.abort(), 3000);
      try {
        res = await fetch(`${API_URL}/auth/id`, {
          headers: { Cookie: newCookieHeader },
          credentials: "include",
          signal: controller.signal,
        });
      } catch (err) {
        clearTimeout(timeout);
        lastAuthFailureTime = Date.now();
        console.error("[SSR] auth/id retry failed or timed out", err);
        return null;
      }
      clearTimeout(timeout);
    }

    if (!res.ok) {
      console.error("Failed to fetch user ID after token refresh", res.status);
      return null;
    }

    const user = await res.json();
    return user;

  } catch (err) {
    console.error("[SSR] requireAuthHook error:", err);
    return null;
  }
}
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`// requireAuthHook.js`
			`import { API_URL } from "@/config";`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00
misc 2025-12-17 13:33:31 -05:00			`// Short-term failure cache for auth timeouts/errors`
			`let lastAuthFailureTime = 0;`
			`const AUTH_FAILURE_CACHE_MS = 30000; // 30 seconds`

feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// WeakMap to cache auth promises per Astro context (request)`
			`const authCache = new WeakMap();`

misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`export const requireAuthHook = async (Astro) => {`
misc 2025-12-17 13:33:31 -05:00			`// If we recently failed due to API timeout/unreachability, fail closed quickly`
			`if (Date.now() - lastAuthFailureTime < AUTH_FAILURE_CACHE_MS) {`
			`return null;`
			`}`
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Check if we already have a cached promise for this request`
			`if (authCache.has(Astro)) {`
			`return authCache.get(Astro);`
			`}`

			`// Create a promise and cache it immediately to prevent race conditions`
			`const authPromise = performAuth(Astro);`
			`authCache.set(Astro, authPromise);`

			`// Return the promise - all callers will await the same promise`
			`return authPromise;`
			`};`

			`async function performAuth(Astro) {`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`try {`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`const cookieHeader = Astro.request.headers.get("cookie") ?? "";`
misc 2025-12-17 13:33:31 -05:00			`// Add timeout to avoid hanging SSR render`
			`let controller = new AbortController();`
			`let timeout = setTimeout(() => controller.abort(), 3000);`
			`let res;`
			`try {`
			res = await fetch(`${API_URL}/auth/id`, {
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`headers: { Cookie: cookieHeader },`
			`credentials: "include",`
misc 2025-12-17 13:33:31 -05:00			`signal: controller.signal,`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`});`
misc 2025-12-17 13:33:31 -05:00			`} catch (err) {`
			`clearTimeout(timeout);`
			`lastAuthFailureTime = Date.now();`
			`console.error("[SSR] auth/id failed or timed out", err);`
			`return null;`
			`}`
			`clearTimeout(timeout);`

			`if (res.status === 401) {`
Add support for Lottie stickers and enhance disk space API endpoint - Introduced Lottie sticker component with placeholder handling in DiscordLogs. - Expanded Discord message types in DiscordLogs component. - Implemented disk space fetching in MediaRequestForm with visual indicator. - Enhanced API for fetching Discord messages to include Lottie data for stickers. - Added disk space API endpoint with authentication and authorization checks. 2025-12-19 10:26:22 -05:00			`// Check if we even have a refresh token before attempting refresh`
			`if (!cookieHeader.includes('refresh_token=')) {`
			`return null;`
			`}`

misc 2025-12-17 13:33:31 -05:00			`// Try refresh with timeout`
			`controller = new AbortController();`
			`timeout = setTimeout(() => controller.abort(), 3000);`
			`let refreshRes;`
			`try {`
			refreshRes = await fetch(`${API_URL}/auth/refresh`, {
			`method: "POST",`
			`headers: { Cookie: cookieHeader },`
			`credentials: "include",`
			`signal: controller.signal,`
			`});`
			`} catch (err) {`
			`clearTimeout(timeout);`
			`lastAuthFailureTime = Date.now();`
			`console.error("[SSR] auth/refresh failed or timed out", err);`
			`return null;`
			`}`
			`clearTimeout(timeout);`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00
			`if (!refreshRes.ok) {`
Add support for Lottie stickers and enhance disk space API endpoint - Introduced Lottie sticker component with placeholder handling in DiscordLogs. - Expanded Discord message types in DiscordLogs component. - Implemented disk space fetching in MediaRequestForm with visual indicator. - Enhanced API for fetching Discord messages to include Lottie data for stickers. - Added disk space API endpoint with authentication and authorization checks. 2025-12-19 10:26:22 -05:00			`let errorDetail = '';`
			`try {`
			`const errorBody = await refreshRes.text();`
			errorDetail = ` - ${errorBody}`;
			`} catch {}`
			console.error(`[SSR] Token refresh failed ${refreshRes.status}${errorDetail}`);
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`return null;`
			`}`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Get all Set-Cookie headers (getSetCookie returns an array)`
			`let setCookies = [];`
			`if (typeof refreshRes.headers.getSetCookie === 'function') {`
			`setCookies = refreshRes.headers.getSetCookie();`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`} else {`
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Fallback for older Node versions`
			`const setCookieHeader = refreshRes.headers.get("set-cookie");`
			`if (setCookieHeader) {`
			`// Split on comma followed by a cookie name (word=), avoiding splitting on Expires dates`
			`setCookies = setCookieHeader.split(/,(?=\s[a-zA-Z_][a-zA-Z0-9_]=)/);`
			`}`
			`}`

			`if (setCookies.length === 0) {`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`console.error("No set-cookie header found in refresh response");`
			`return null;`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`}`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Forward cookies to client`
			`setCookies.forEach((c) => Astro.response.headers.append("set-cookie", c.trim()));`

			`// Build new cookie header for the retry request`
			`const newCookieHeader = setCookies.map(c => c.split(";")[0].trim()).join("; ");`

misc 2025-12-17 13:33:31 -05:00			`controller = new AbortController();`
			`timeout = setTimeout(() => controller.abort(), 3000);`
			`try {`
			res = await fetch(`${API_URL}/auth/id`, {
			`headers: { Cookie: newCookieHeader },`
			`credentials: "include",`
			`signal: controller.signal,`
			`});`
			`} catch (err) {`
			`clearTimeout(timeout);`
			`lastAuthFailureTime = Date.now();`
			`console.error("[SSR] auth/id retry failed or timed out", err);`
			`return null;`
			`}`
			`clearTimeout(timeout);`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`}`

misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`if (!res.ok) {`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`console.error("Failed to fetch user ID after token refresh", res.status);`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`return null;`
			`}`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`const user = await res.json();`
			`return user;`

			`} catch (err) {`
			`console.error("[SSR] requireAuthHook error:", err);`
			`return null;`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`}`
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`}`