refactor(proxy): move blocked client check from FIM route to middleware (#1778)

The isFimClientBlocked guard was only blocking buggy client versions on
the FIM endpoint. Move this to the Next.js proxy middleware so blocked
clients are rejected before hitting any route.

Author: RSO

src/app/api/fim/completions/route.ts

@@ -15,7 +15,6 @@ import {
   extractFraudAndProjectHeaders,
   invalidRequestResponse,
   temporarilyUnavailableResponse,
-  upgradeRequiredResponse,
   wrapInSafeNextResponse,
   captureProxyError,
   extractHeaderAndLimitLength,
@@ -30,18 +29,6 @@ const MISTRAL_FIM_URL = 'https://api.mistral.ai/v1/fim/completions';
 const INCEPTION_FIM_URL = 'https://api.inceptionlabs.ai/v1/fim/completions';
 const FIM_MAX_TOKENS_LIMIT = 1000;
 
-// These client versions had a bug that caused excessive FIM endpoint requests.
-// Block them and require users to upgrade.
-const BLOCKED_FIM_USER_AGENT_REGEX = /^kilo\/7\.0\.[0-9]+$/;
-const BLOCKED_FIM_USER_AGENTS = ['kilo/7.1.0', 'kilo/7.1.1', 'kilo/7.1.2', 'kilo/7.1.3'];
-
-function isFimClientBlocked(userAgent: string | null): boolean {
-  if (!userAgent) return false;
-  return (
-    BLOCKED_FIM_USER_AGENT_REGEX.test(userAgent) || BLOCKED_FIM_USER_AGENTS.includes(userAgent)
-  );
-}
-
 type FimProvider = 'mistral' | 'inception';
 
 function resolveFimProvider(model: string): {
@@ -89,10 +76,6 @@ const FIMRequestBody = z.object({
 type FIMRequestBody = z.infer<typeof FIMRequestBody>;
 
 export async function POST(request: NextRequest) {
-  if (isFimClientBlocked(request.headers.get('user-agent'))) {
-    return upgradeRequiredResponse();
-  }
-
   const requestStartedAt = performance.now();
   const requesBodyTextPromise = request.text();
 

src/middleware/withBlockedClients.ts

@@ -0,0 +1,28 @@
+import { type NextFetchEvent, NextResponse } from 'next/server';
+import type { MiddlewareFactory } from '@/middleware/types';
+import type { NextMiddlewareWithAuth, NextRequestWithAuth } from 'next-auth/middleware';
+
+// These client versions had a bug that caused excessive requests.
+// Block them at the middleware level so they never reach the app.
+const BLOCKED_USER_AGENT_REGEX = /^kilo\/7\.0\.[0-9]+$/;
+const BLOCKED_USER_AGENTS = new Set(['kilo/7.1.0', 'kilo/7.1.1', 'kilo/7.1.2', 'kilo/7.1.3']);
+
+function isClientBlocked(userAgent: string | null): boolean {
+  if (!userAgent) return false;
+  return BLOCKED_USER_AGENT_REGEX.test(userAgent) || BLOCKED_USER_AGENTS.has(userAgent);
+}
+
+export const withBlockedClients: MiddlewareFactory = (nextMiddleware: NextMiddlewareWithAuth) => {
+  return async (request: NextRequestWithAuth, nextFetchEvent: NextFetchEvent) => {
+    if (isClientBlocked(request.headers.get('user-agent'))) {
+      return NextResponse.json(
+        {
+          error: 'upgrade_required',
+          message: 'Please upgrade your Kilo extension to the latest version.',
+        },
+        { status: 426 }
+      );
+    }
+    return nextMiddleware(request, nextFetchEvent);
+  };
+};

src/proxy.ts

@@ -1,6 +1,7 @@
 import type { NextRequestWithAuth } from 'next-auth/middleware';
 import { NextResponse } from 'next/server';
 import { withAuthenticatedAdminApiRoutes } from './middleware/withAuthenticatedAdminApiRoutes';
+import { withBlockedClients } from './middleware/withBlockedClients';
 import { withKiloEditorCookie } from './middleware/withKiloEditorCookie';
 
 function baseProxy(request: NextRequestWithAuth) {
@@ -13,7 +14,9 @@ function baseProxy(request: NextRequestWithAuth) {
   });
 }
 
-export const proxy = withAuthenticatedAdminApiRoutes(withKiloEditorCookie(baseProxy));
+export const proxy = withBlockedClients(
+  withAuthenticatedAdminApiRoutes(withKiloEditorCookie(baseProxy))
+);
 
 export const config = {
   /*