From ea6c4d83290074ef6632733f0dfbfcb603d4f8e9 Mon Sep 17 00:00:00 2001 From: Jennie Robinson Faber Date: Thu, 19 Mar 2026 10:27:19 +0000 Subject: [PATCH] Lock down coming-soon mode to block all users including authenticated Remove auth bypass from coming-soon middleware so no one can access the in-development site in production. Remove unused login button from coming-soon page since wiki has its own OIDC login flow. --- app/middleware/coming-soon.global.js | 21 +-------------------- app/pages/coming-soon.vue | 9 --------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/app/middleware/coming-soon.global.js b/app/middleware/coming-soon.global.js index 4a102b1..3176935 100644 --- a/app/middleware/coming-soon.global.js +++ b/app/middleware/coming-soon.global.js @@ -13,25 +13,6 @@ export default defineNuxtRouteMiddleware(async (to, from) => { return; } - // Allow authenticated users to bypass coming-soon - const authToken = useCookie("auth-token"); - if (authToken.value) { - // On the server, verify the JWT is actually valid - if (import.meta.server) { - try { - const { jwtSecret } = useRuntimeConfig(); - const jwt = await import("jsonwebtoken").then((m) => m.default); - jwt.verify(authToken.value, jwtSecret); - return; - } catch { - // Invalid/expired token — fall through to coming-soon redirect - } - } else { - // Client-side: trust the cookie (SSR already validated on initial load) - return; - } - } - - // Redirect all other routes to coming-soon + // Redirect all other routes to coming-soon — no exceptions return navigateTo("/coming-soon"); }); diff --git a/app/pages/coming-soon.vue b/app/pages/coming-soon.vue index 3cfca6a..13ad706 100644 --- a/app/pages/coming-soon.vue +++ b/app/pages/coming-soon.vue @@ -4,13 +4,6 @@

Ghost Guild

Coming Soon

- - @@ -18,6 +11,4 @@ definePageMeta({ layout: "coming-soon", }); - -const { openLoginModal } = useLoginModal();