feat: Add isRedirect to context #13143
Conversation
🦋 Changeset detectedLatest commit: daae1fe The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
github-actions
bot
added
pkg: astro
![github-actions[bot]](/~https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
CodSpeed Performance ReportMerging #13143 will not alter performanceComparing Summary
|
|
Unfortunately, it seems that the discussion in the linked issue has a lot of known knowledge, so I miss some context. Before adding new runtime APIs, we usually want to make sure they are needed. Can you please do a TLDR of why you need it? Also, can't do something like the following snippet const response = await next();
if (response.status >= 300 && response.status < 400) {} |
To sum up my discovery process, the fundamental issue is that I think there needs to be some flag (or combination of flags) on the runtime API that indicates if I'm open to alternatives to
I thought about this, but Arcjet is a unique case here. It is a library for request protection (such as running a WAF, validating emails, detecting bots), so you wouldn't want to run every request through the middleware before protecting, since that would execute each other middleware before users would have a chance to validate the request. The current recommendation is to not run Arcjet protections on prerendered routes because they are just static files, so we recommend using a middleware like: import { defineMiddleware } from "astro:middleware";
import aj from "arcjet:client";
export const onRequest = defineMiddleware(async (ctx, next) => {
if (!ctx.isPrerendered) {
const decision = await aj.protect(ctx.request);
if (decision.isDenied()) {
return new Response(null, { status: 403, statusText: "Forbidden" });
}
}
return next();
});We additionally don't need to run the protections on redirects, since the redirect should point to either a static page where no protections will need to be run or a dynamic page where the protections will be run. With the import { defineMiddleware } from "astro:middleware";
import aj from "arcjet:client";
export const onRequest = defineMiddleware(async (ctx, next) => {
if (!ctx.isPrerendered && !ctx.isRedirect) {
const decision = await aj.protect(ctx.request);
if (decision.isDenied()) {
return new Response(null, { status: 403, statusText: "Forbidden" });
}
}
return next();
});But as I said above, I would be happy with any API that indicated if |
Changes
I added the
isRedirectfield to the Render context. This can help users avoid running middleware on routes that might just be a redirect.For example, the Arcjet integration fails if run on a redirect because
isPrerenderedis false, butclientAddressthrows if accessed; however, it would be generally recommended not to run Arcjet on a redirect because it'll run on the final endpoint. With this change, we can recommend users skip Arcjet whenisRedirectis true.Testing
I added a test to the redirects fixture that checks a header that is set by the middleware.
Docs
Yep! I'll add this to the Astro docs for Render context if this is something y'all want to include. 🎉
/cc @withastro/maintainers-docs for feedback!