From 8771e65c8cad4eff88af1b6555401d3c84f29176 Mon Sep 17 00:00:00 2001
From: yiekheng
Date: Sat, 9 May 2026 23:15:52 +0800
Subject: [PATCH] feat(web): edge middleware deny /api except events + health
---
 apps/web/src/middleware.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 apps/web/src/middleware.ts
diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
new file mode 100644
index 0000000..9360754
--- /dev/null
+++ b/apps/web/src/middleware.ts
@@ -0,0 +1,17 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export function middleware(req: NextRequest) {
+ const path = req.nextUrl.pathname;
+
+ // Block all /api/* except the read-only SSE and health endpoints.
+ // Mutations happen via Server Actions which post to page URLs, not /api/*.
+ if (path.startsWith("/api/") && path !== "/api/events" && path !== "/api/health") {
+ return new NextResponse("Not Found", { status: 404 });
+ }
+
+ return NextResponse.next();
+}
+
+export const config = {
+ matcher: ["/((?!_next/static|_next/image|favicon.ico|icon-).*)"],
+};
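Review bot: The deny on the `if` line is a prefix test while the allowlist is an exact string match, which is fail-closed for odd spellings of the two allowed paths, but the thing to confirm before relying on this as the only gate is that `req.nextUrl.pathname` is already normalized when the middleware sees it, so that no spelling of a sub-path under `/api/` reaches a handler without starting with `/api/`; a test that requests an `/api/` route via the dev server and asserts the 404 would pin that down. Since the comment states both allowed endpoints are read-only, the edge check could enforce that too, e.g. `const ALLOWED = new Set(["/api/events", "/api/health"]);` and `if (path.startsWith("/api/") && !(ALLOWED.has(path) && (req.method === "GET" || req.method === "HEAD")))`, so a future non-GET handler at one of those paths is not silently exposed. `/api` with no trailing slash is not covered by the prefix test; if no route exists there this is harmless, but a one-line comment saying so would prevent a later reader from assuming it is blocked. A short TSDoc on `middleware` naming the allowlist as the single place to update when a new public API route is added would also help, since the route files themselves will not show that they are gated here.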