Publish arcjet/examples@6fbd5d7

Author: qw-in

.dockerignore

@@ -0,0 +1,13 @@
+*
+!app
+!assets
+!components
+!config
+!environment.d.ts
+!lib
+!middleware.ts
+!next-env.d.ts
+!package*.json
+!public
+!styles
+!tsconfig.json

Dockerfile

@@ -0,0 +1,13 @@
+FROM node:24-bookworm
+
+WORKDIR /app
+
+EXPOSE 3000
+
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+CMD ["npm", "run", "start"]

app/api/auth/[...nextauth]/route.ts

@@ -1,8 +1,6 @@
 // This is Auth.js 5, the successor to NextAuth 4
 
-import { isDevelopment } from "@arcjet/env";
-import ip from "@arcjet/ip";
-import { NextRequest, NextResponse } from "next/server";
+import { type NextRequest, NextResponse } from "next/server";
 import arcjet, { detectBot, shield, slidingWindow } from "@/lib/arcjet";
 import { handlers } from "@/lib/auth";
 
@@ -31,11 +29,7 @@ const aj = arcjet
 
 // Protect the sensitive actions e.g. login, signup, etc with Arcjet
 const ajProtectedPOST = async (req: NextRequest) => {
-  // Next.js 15 doesn't provide the IP address in the request object so we use
-  // the Arcjet utility package to parse the headers and find it. If we're
-  // running in development mode, we'll use a local IP address.
-  const userIp = !isDevelopment(process.env) ? "127.0.0.1" : ip(req);
-  const decision = await aj.protect(req, { fingerprint: userIp });
+  const decision = await aj.protect(req);
 
   if (decision.isDenied()) {
     if (decision.reason.isRateLimit()) {

app/attack/test/route.ts

@@ -1,5 +1,3 @@
-import { isDevelopment } from "@arcjet/env";
-import ip from "@arcjet/ip";
 import { type NextRequest, NextResponse } from "next/server";
 import arcjet, { shield } from "@/lib/arcjet";
 
@@ -16,13 +14,9 @@ const aj = arcjet.withRule(
 );
 
 export async function GET(req: NextRequest) {
-  // Next.js 15 doesn't provide the IP address in the request object so we use
-  // the Arcjet utility package to parse the headers and find it. If we're
-  // running in development mode, we'll use a local IP address.
-  const userIp = isDevelopment(process.env) ? "127.0.0.1" : ip(req);
   // The protect method returns a decision object that contains information
   // about the request.
-  const decision = await aj.protect(req, { fingerprint: userIp });
+  const decision = await aj.protect(req);
 
   console.log("Arcjet decision: ", decision);
 

app/bots/test/route.ts

@@ -1,5 +1,3 @@
-import { isDevelopment } from "@arcjet/env";
-import ip from "@arcjet/ip";
 import { type NextRequest, NextResponse } from "next/server";
 import arcjet, { detectBot, fixedWindow } from "@/lib/arcjet";
 
@@ -26,13 +24,9 @@ const aj = arcjet
   );
 
 export async function GET(req: NextRequest) {
-  // Next.js 15 doesn't provide the IP address in the request object so we use
-  // the Arcjet utility package to parse the headers and find it. If we're
-  // running in development mode, we'll use a local IP address.
-  const userIp = isDevelopment(process.env) ? "127.0.0.1" : ip(req);
   // The protect method returns a decision object that contains information
   // about the request.
-  const decision = await aj.protect(req, { fingerprint: userIp });
+  const decision = await aj.protect(req);
 
   console.log("Arcjet decision: ", decision);
 

app/rate-limiting/test/route.ts

@@ -1,8 +1,6 @@
 import { setRateLimitHeaders } from "@arcjet/decorate";
-import { isDevelopment } from "@arcjet/env";
-import ip from "@arcjet/ip";
+import type { ArcjetDecision } from "@arcjet/next";
 import { type NextRequest, NextResponse } from "next/server";
-import type { Session } from "next-auth";
 import arcjet, { fixedWindow, shield } from "@/lib/arcjet";
 import { auth } from "@/lib/auth";
 
@@ -18,47 +16,42 @@ const aj = arcjet.withRule(
   }),
 );
 
-// Returns ad-hoc rules depending on whether the session is present. You could
-// inspect more details about the session to dynamically adjust the rate limit.
-function getClient(session: Session | null) {
-  if (session?.user) {
-    return aj.withRule(
-      fixedWindow({
-        mode: "LIVE",
-        max: 5,
-        window: "60s",
-      }),
-    );
-  } else {
-    return aj.withRule(
-      fixedWindow({
-        mode: "LIVE",
-        max: 2,
-        window: "60s",
-      }),
-    );
-  }
-}
+// Define an augmented client for rate limiting users
+const ajForUser = aj.withRule(
+  fixedWindow({
+    // fingerprint requests by user ID
+    characteristics: ["userId"],
+    mode: "LIVE",
+    max: 5,
+    window: "60s",
+  }),
+);
+
+// Define an augmented client for rate limiting guests
+const ajForGuest = aj.withRule(
+  fixedWindow({
+    // fingerprint requests by ip address (default unless set globally)
+    characteristics: ["ip.src"],
+    mode: "LIVE",
+    max: 2,
+    window: "60s",
+  }),
+);
 
 export async function POST(req: NextRequest) {
   // Get the session
   const session = await auth();
 
   console.log("Session: ", session);
 
-  // Next.js 15 doesn't provide the IP address in the request object so we use
-  // the Arcjet utility package to parse the headers and find it. If we're
-  // running in development mode, we'll use a local IP address.
-  const userIp = isDevelopment(process.env) ? "127.0.0.1" : ip(req);
+  let decision: ArcjetDecision;
 
   // Use the user ID if the user is logged in, otherwise use the IP address
-  const fingerprint = session?.user?.id ?? userIp;
-
-  // The protect method returns a decision object that contains information
-  // about the request.
-  const decision = await getClient(session).protect(req, {
-    fingerprint,
-  });
+  if (session?.user?.id) {
+    decision = await ajForUser.protect(req, { userId: session.user.id });
+  } else {
+    decision = await ajForGuest.protect(req);
+  }
 
   console.log("Arcjet decision: ", decision);
 

app/sensitive-info/test/route.ts

@@ -1,5 +1,3 @@
-import { isDevelopment } from "@arcjet/env";
-import ip from "@arcjet/ip";
 import { type NextRequest, NextResponse } from "next/server";
 import { formSchema } from "@/app/sensitive-info/schema";
 import arcjet, { sensitiveInfo, shield } from "@/lib/arcjet";
@@ -26,13 +24,9 @@ const aj = arcjet
   );
 
 export async function POST(req: NextRequest) {
-  // Next.js 15 doesn't provide the IP address in the request object so we use
-  // the Arcjet utility package to parse the headers and find it. If we're
-  // running in development mode, we'll use a local IP address.
-  const userIp = isDevelopment(process.env) ? "127.0.0.1" : ip(req);
   // The protect method returns a decision object that contains information
   // about the request.
-  const decision = await aj.protect(req, { fingerprint: userIp });
+  const decision = await aj.protect(req);
 
   console.log("Arcjet decision: ", decision);
 

app/signup/test/route.ts

@@ -1,6 +1,4 @@
-import { isDevelopment } from "@arcjet/env";
-import ip from "@arcjet/ip";
-import { NextRequest, NextResponse } from "next/server";
+import { type NextRequest, NextResponse } from "next/server";
 import { formSchema } from "@/app/signup/schema";
 import arcjet, { protectSignup, shield } from "@/lib/arcjet";
 
@@ -57,13 +55,9 @@ export async function POST(req: NextRequest) {
 
   const { email } = data.data;
 
-  // Next.js 15 doesn't provide the IP address in the request object so we use
-  // the Arcjet utility package to parse the headers and find it. If we're
-  // running in development mode, we'll use a local IP address.
-  const userIp = isDevelopment(process.env) ? "127.0.0.1" : ip(req);
   // The protect method returns a decision object that contains information
   // about the request.
-  const decision = await aj.protect(req, { fingerprint: userIp, email });
+  const decision = await aj.protect(req, { email });
 
   console.log("Arcjet decision: ", decision);
 
@@ -133,7 +127,7 @@ export async function POST(req: NextRequest) {
     }
   } else if (decision.isErrored()) {
     console.error("Arcjet error:", decision.reason);
-    if (decision.reason.message == "[unauthenticated] invalid key") {
+    if (decision.reason.message === "[unauthenticated] invalid key") {
       return NextResponse.json(
         {
           message:
@@ -143,7 +137,7 @@ export async function POST(req: NextRequest) {
       );
     } else {
       return NextResponse.json(
-        { message: "internal server error: " + decision.reason.message },
+        { message: `internal server error: ${decision.reason.message}` },
         { status: 500 },
       );
     }

compose.yaml

@@ -0,0 +1,16 @@
+services:
+  nextjs:
+    build: .
+    command: npm run dev
+    labels:
+      - dev.orbstack.domains=nextjs.arcjet-examples.orb.local
+    env_file:
+      - .env.local
+    ports:
+      - 3000
+    volumes:
+      - .:/app
+      - nextjs_node_modules:/app/node_modules
+
+volumes:
+  nextjs_node_modules:

lib/arcjet.ts

@@ -23,9 +23,6 @@ export default arcjet({
   // and set it as an environment variable rather than hard coding.
   // See: https://nextjs.org/docs/app/building-your-application/configuring/environment-variables
   key: process.env.ARCJET_KEY,
-  // We specify a custom fingerprint so we can dynamically build it within each
-  // demo route.
-  characteristics: ["fingerprint"],
   rules: [
     // You can include one or more rules base rules. We don't include any here
     // so they can be set on each sub-page for the demo.