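import arcjet, { detectBot } from "@arcjet/next";
import { NextRequest, NextResponse } from "next/server";

export const config = {
  // matcher tells Next.js which routes to run the middleware on.
  // This runs the middleware on all routes except static assets and the
  // health check endpoint. The alternatives in the negative lookahead are
  // tested *after* the leading "/" of the path, so they must not begin with a
  // slash themselves: the previous "/_healthz" alternative could only match
  // "//_healthz", which left the real health check subject to bot detection.
  matcher: ["/((?!_next/static|_next/image|favicon.ico|_healthz).*)"],
};

// NOTE(review): the non-null assertion only silences the compiler. If
// ARCJET_KEY is unset the client is built with `undefined`; confirm the
// deployment fails loudly rather than running unprotected.
const aj = arcjet({
  key: process.env.ARCJET_KEY!,
  rules: [
    detectBot({
      // "LIVE" enforces the rule (requests are actually denied).
      mode: "LIVE",
      // Automated clients in these categories are let through; every other
      // detected bot is denied.
      allow: [
        "CATEGORY:SEARCH_ENGINE",
        "CATEGORY:PREVIEW",
        "CATEGORY:SOCIAL",
      ],
    }),
  ],
});

/**
 * Runs Arcjet bot detection on every request selected by `config.matcher`.
 *
 * @param request - The incoming Next.js request.
 * @returns A 403 JSON response when the bot rule denies the request, a 400
 *   JSON response when Arcjet reports an error, otherwise
 *   `NextResponse.next()` so the request continues to the route.
 */
export default async function middleware(request: NextRequest) {
  // Attach the proxy-supplied client IP to the request that Arcjet inspects.
  //
  // The request must NOT be cloned with object spread: `headers`, `url`,
  // `method`, `nextUrl`, ... are accessors on the Request prototype, so
  // `{ ...request }` yields an object without them and the `as NextRequest`
  // cast hides that from the compiler. Defining `ip` on the original instance
  // keeps the headers (including User-Agent) intact for the bot rule.
  //
  // SECURITY: `x-real-ip` is an ordinary request header. It is only
  // trustworthy when a proxy you control overwrites it on every inbound
  // request; if clients can reach this app directly, or the proxy passes the
  // header through, the value is attacker-chosen and any IP-based decision or
  // log entry derived from it can be falsified. Verify the edge configuration.
  const forwardedIp = request.headers.get("x-real-ip");
  if (forwardedIp) {
    Object.defineProperty(request, "ip", {
      value: forwardedIp,
      configurable: true,
      enumerable: true,
    });
  }

  // Per-request console output of the client IP and of the whole decision
  // object is deliberately not emitted: it puts personal data in the logs of
  // every request and adds noise that hides the warning below.
  const decision = await aj.protect(request);

  if (
    // If this deny comes from a bot rule then block the request. You can
    // customize this logic to fit your needs e.g. changing the status code.
    decision.isDenied() &&
    decision.reason.isBot()
  ) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
  }

  if (decision.isErrored()) {
    // NOTE(review): this fails closed, so an Arcjet-side error rejects
    // legitimate traffic, and the 400 status attributes the failure to the
    // client. Confirm fail-closed is the intended policy and consider a 5xx
    // status so monitoring does not read these as malformed client requests.
    console.warn("Arcjet error", decision.reason.message);
    return NextResponse.json({ error: "Bad request" }, { status: 400 });
  }

  return NextResponse.next();
}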