From c42392d9df22771bbf26c8e7278cdb7f5f7a66d6 Mon Sep 17 00:00:00 2001
From: chunzhimoe <60135925+chunzhimoe@users.noreply.github.com>
Date: Sun, 12 Apr 2026 16:56:51 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E5=85=A8=E7=AB=99=E7=99=BB=E5=BD=95?=
 =?UTF-8?q?=E4=BF=9D=E6=8A=A4=20+=20=E9=82=AE=E7=AE=B1=E7=99=BD=E5=90=8D?=
 =?UTF-8?q?=E5=8D=95=20(ALLOWED=5FEMAILS)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/lib/authOptions.ts |  9 +++++++++
 src/middleware.ts      | 14 ++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 src/middleware.ts

diff --git a/src/lib/authOptions.ts b/src/lib/authOptions.ts
index 076dd95..f81b57e 100644
--- a/src/lib/authOptions.ts
+++ b/src/lib/authOptions.ts
@@ -1,6 +1,11 @@
 import type { NextAuthOptions } from "next-auth";
 import GithubProvider from "next-auth/providers/github";
 
+const allowedEmails = (process.env.ALLOWED_EMAILS ?? "")
+  .split(",")
+  .map((e) => e.trim().toLowerCase())
+  .filter(Boolean);
+
 export const authOptions: NextAuthOptions = {
   providers: [
     GithubProvider({
@@ -13,6 +18,10 @@ export const authOptions: NextAuthOptions = {
     signIn: "/login",
   },
   callbacks: {
+    async signIn({ user }) {
+      if (allowedEmails.length === 0) return true;
+      return allowedEmails.includes((user.email ?? "").toLowerCase());
+    },
     async session({ session, token }) {
       if (session.user && token.sub) {
         (session.user as { id?: string }).id = token.sub;
diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..ce1269d
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,14 @@
+export { default } from "next-auth/middleware";
+
+export const config = {
+  matcher: [
+    /*
+     * 保护所有路由，以下除外：
+     * - /login          登录页
+     * - /api/auth/*     NextAuth 回调
+     * - /_next/*        Next.js 静态资源
+     * - /favicon.ico
+     */
+    "/((?!login|api/auth|_next/static|_next/image|favicon\\.ico).*)",
+  ],
+};