blocking api calls in production

DockerfileTest

@@ -3,7 +3,9 @@
 #   docker build --file DockerfileTest . 
 #
 FROM node:16.15.1-alpine AS production
-ENV NODE_ENV=production
+
+# test = test uses legalValuesJson_test.json to run the all the tests
+ENV NODE_ENV=test
 
 SHELL ["/bin/sh", "-c"]
 
@@ -41,4 +43,5 @@ WORKDIR $home
 COPY --chown=55:$group . . 
 
 RUN yarn install --immutable
-RUN yarn run test:unit gisCoupleOnePenBenefit
+#RUN yarn run test:unit gisCoupleOnePenBenefit
+RUN yarn run test:unit 

pages/_middleware.tsx

@@ -0,0 +1,31 @@
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+
+// This function can be marked `async` if using `await` inside
+export function middleware(request: NextRequest) {
+  //
+  const AuthRequired =
+    process.env.APP_ENV === 'production' || process.env.APP_ENV === 'alpha'
+
+  const url = request.nextUrl
+  const { pathname } = url
+
+  if (AuthRequired) {
+    if (pathname.startsWith(`/api/`)) {
+      if (
+        !request.headers
+          .get('referer')
+          ?.includes('estimateursv-oasestimator.service.canada.ca')
+      ) {
+        return NextResponse.redirect(new URL('/', request.url))
+      }
+    }
+  }
+
+  return NextResponse.next()
+}
+
+// See "Matching Paths" below to learn more
+export const config = {
+  matcher: ['/((?!_next|fonts|examples|svg|[\\w-]+\\.\\w+).*)'],
+}