src/hooks/requireAuthHook.js

// requireAuthHook.js
import { API_URL } from "@/config";

// WeakMap to cache auth promises per Astro context (request)
const authCache = new WeakMap();

export const requireAuthHook = async (Astro) => {
  // Check if we already have a cached promise for this request
  if (authCache.has(Astro)) {
    return authCache.get(Astro);
  }

  // Create a promise and cache it immediately to prevent race conditions
  const authPromise = performAuth(Astro);
  authCache.set(Astro, authPromise);

  // Return the promise - all callers will await the same promise
  return authPromise;
};

async function performAuth(Astro) {
  try {
    const cookieHeader = Astro.request.headers.get("cookie") ?? "";
    let res = await fetch(`${API_URL}/auth/id`, {
      headers: { Cookie: cookieHeader },
      credentials: "include",
    });

    if (res.status === 401) {
      const refreshRes = await fetch(`${API_URL}/auth/refresh`, {
        method: "POST",
        headers: { Cookie: cookieHeader },
        credentials: "include",
      });

      if (!refreshRes.ok) {
        console.error("Token refresh failed", refreshRes.status);
        return null;
      }

      // Get all Set-Cookie headers (getSetCookie returns an array)
      let setCookies = [];
      if (typeof refreshRes.headers.getSetCookie === 'function') {
        setCookies = refreshRes.headers.getSetCookie();
      } else {
        // Fallback for older Node versions
        const setCookieHeader = refreshRes.headers.get("set-cookie");
        if (setCookieHeader) {
          // Split on comma followed by a cookie name (word=), avoiding splitting on Expires dates
          setCookies = setCookieHeader.split(/,(?=\s*[a-zA-Z_][a-zA-Z0-9_]*=)/);
        }
      }

      if (setCookies.length === 0) {
        console.error("No set-cookie header found in refresh response");
        return null;
      }

      // Forward cookies to client
      setCookies.forEach((c) => Astro.response.headers.append("set-cookie", c.trim()));

      // Build new cookie header for the retry request
      const newCookieHeader = setCookies.map(c => c.split(";")[0].trim()).join("; ");

      res = await fetch(`${API_URL}/auth/id`, {
        headers: { Cookie: newCookieHeader },
        credentials: "include",
      });
    }

    if (!res.ok) {
      console.error("Failed to fetch user ID after token refresh", res.status);
      return null;
    }

    const user = await res.json();
    return user;

  } catch (err) {
    console.error("[SSR] requireAuthHook error:", err);
    return null;
  }
}
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`// requireAuthHook.js`
			`import { API_URL } from "@/config";`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// WeakMap to cache auth promises per Astro context (request)`
			`const authCache = new WeakMap();`

misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`export const requireAuthHook = async (Astro) => {`
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Check if we already have a cached promise for this request`
			`if (authCache.has(Astro)) {`
			`return authCache.get(Astro);`
			`}`

			`// Create a promise and cache it immediately to prevent race conditions`
			`const authPromise = performAuth(Astro);`
			`authCache.set(Astro, authPromise);`

			`// Return the promise - all callers will await the same promise`
			`return authPromise;`
			`};`

			`async function performAuth(Astro) {`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`try {`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`const cookieHeader = Astro.request.headers.get("cookie") ?? "";`
			let res = await fetch(`${API_URL}/auth/id`, {
			`headers: { Cookie: cookieHeader },`
			`credentials: "include",`
			`});`

			`if (res.status === 401) {`
			const refreshRes = await fetch(`${API_URL}/auth/refresh`, {
			`method: "POST",`
			`headers: { Cookie: cookieHeader },`
			`credentials: "include",`
			`});`

			`if (!refreshRes.ok) {`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`console.error("Token refresh failed", refreshRes.status);`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`return null;`
			`}`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Get all Set-Cookie headers (getSetCookie returns an array)`
			`let setCookies = [];`
			`if (typeof refreshRes.headers.getSetCookie === 'function') {`
			`setCookies = refreshRes.headers.getSetCookie();`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`} else {`
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Fallback for older Node versions`
			`const setCookieHeader = refreshRes.headers.get("set-cookie");`
			`if (setCookieHeader) {`
			`// Split on comma followed by a cookie name (word=), avoiding splitting on Expires dates`
			`setCookies = setCookieHeader.split(/,(?=\s[a-zA-Z_][a-zA-Z0-9_]=)/);`
			`}`
			`}`

			`if (setCookies.length === 0) {`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`console.error("No set-cookie header found in refresh response");`
			`return null;`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`}`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`// Forward cookies to client`
			`setCookies.forEach((c) => Astro.response.headers.append("set-cookie", c.trim()));`

			`// Build new cookie header for the retry request`
			`const newCookieHeader = setCookies.map(c => c.split(";")[0].trim()).join("; ");`

misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			res = await fetch(`${API_URL}/auth/id`, {
			`headers: { Cookie: newCookieHeader },`
			`credentials: "include",`
			`});`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`}`

misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`if (!res.ok) {`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00			`console.error("Failed to fetch user ID after token refresh", res.status);`
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`return null;`
			`}`
Enhance authentication flow with improved error handling and logging in requireAuthHook. Refine HLS stream initialization and metadata fetching in AudioPlayer to handle station changes gracefully. Improve toast notifications and autocomplete behavior in LyricSearch. Simplify RandomMsg logic and remove unused imports. Add track and album count display in MediaRequestForm and enhance artist selection. Introduce dark mode styles for tables and dialogs in RequestManagement.css. Adjust imports and ensure proper usage of requireAuthHook in index.astro and requests.astro. 2025-09-22 11:15:24 -04:00
misc / bugfix: session refresh 2025-08-28 11:15:17 -04:00			`const user = await res.json();`
			`return user;`

			`} catch (err) {`
			`console.error("[SSR] requireAuthHook error:", err);`
			`return null;`
another commit without a list of specific changes! (misc) 2025-08-21 15:07:10 -04:00			`}`
feat(api): implement rate limiting and SSRF protection across endpoints - Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse. - Introduced SSRF protection in `image-proxy` to block requests to private IP ranges. - Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction. - Refactored authentication checks in various pages to utilize middleware for cleaner code. - Improved JWT key loading with error handling and security warnings for production. - Updated `authFetch` utility to handle token refresh more efficiently with deduplication. - Enhanced rate limiting utility to trust proxy headers from known sources. - Numerous layout / design changes 2025-12-05 14:21:52 -05:00			`}`