Core concepts

API Middleware

This page will walk you through the API middleware with examples.


Core concepts

If there are shared logic that you want to execute before the handler function, you can use use or inject method to add middleware to the router. Middleware also supports async/await syntax and error handling from previous Restful API example.

// server/middleware/auth.js
import {
  RouterBuilder,
  UnauthorizedException,
  NotFoundException,
} from 'next-api-handler';
import { verify, getUserInfo } from '@/services/auth';

export const authMiddleware = async (req, res) => {
  const apiKey = req.cookies['Authorization'];

  // some async service to check apiKey
  const isValid = await verify(apiKey);

  if (!isValid) throw new UnauthorizedException();

  // another async service to fetch user info
  const user = await getUserInfo(apiKey);

  if (!user) throw new NotFoundException();

  // this has to be an object or undefined (void function)
  return { user };
};

Then you can use the middleware in the router and pass on user from req.middleware to the handler function.

// pages/api/users/me.js
import { RouterBuilder, ForbiddenException } from 'next-api-handler';
import { authMiddleware } from '@/server/middleware/auth';
import { updateUser } from '@/services/user';

const router = new RouterBuilder();

router
  .use(authMiddleware)
  .get((req) => req.middleware.user)
  .put((req) => {
    if (!req.middleware.user.isAdmin) throw new ForbiddenException();

    return updateUser(req.body);
  });

export default router.build();

Reusing the word middleware

The term middleware could be misleading here.

next-api-handler middleware is different from Express.js middleware and Next 12.0 middleware, and it is not a replacement for them nor a superset of them.

next-api-handler middleware will only be executed before the handler function, more like a shared logic as api handler middleware and can only be used in next.js API routes under pages/api directory.


Multiple middleware

Sequential execution

You can also use multiple middleware and pass on data from one middleware to another. As middleware is executed in the order of use, the data passed on will be in the same order.

// server/middleware/cookie.js
import {
  RouterBuilder,
  UnauthorizedException,
  NotFoundException,
} from 'next-api-handler';
import { getEmailFromCookie } from '@/services/users';

export const cookieMiddleware = async (req, res) => {
  const email = getEmailFromCookie(req.cookies['Authorization']);

  if (!email) throw new UnauthorizedException();

  return { email };
};

export const userMiddleware = async (req, res) => {
  const user = await getUserByEmail(req.middleware.email);

  if (!user) throw new NotFoundException();

  return { user };
};

Then you can use the middleware in the router and pass on user from req.middleware to the handler function.

// pages/api/users.js
import { RouterBuilder, ForbiddenException } from 'next-api-handler';
import { cookieMiddleware, userMiddleware } from '@/server/middleware/auth';
import { updateUser } from '@/services/user';

const router = new RouterBuilder();

router
  .use(cookieMiddleware)
  .use(userMiddleware)
  .get((req) => req.middleware.user)
  .put((req) => {
    if (!req.middleware.user.isAdmin) throw new ForbiddenException();

    return updateUser(req.body);
  });

export default router.build();

Parallel execution

You can also use multiple middleware and execute them in parallel with inject method. This is useful when you want to fetch data from multiple services at the same time while still keeping the order of the data with use method in the end.

// server/middleware/auth.js
import {
  RouterBuilder,
  BadRequestException,
  UnauthorizedException,
  NotFoundException,
} from 'next-api-handler';
import { verifyVersion, getEmailFromCookie } from '@/services/users';

export const versionMiddleware = (req, res) => {
  const version = req.headers['x-version'];

  if (!verifyVersion(version)) throw new BadRequestException();

  return { version };
};

export const cookieMiddleware = async (req, res) => {
  const email = getEmailFromCookie(req.cookies['Authorization']);

  if (!email) throw new UnauthorizedException();

  return { email };
};

export const userMiddleware = async (req, res) => {
  const user = await getUserByEmail(req.middleware.email);

  console.log(`Client side running version ${req.middleware.version}`);

  if (!user) throw new NotFoundException();

  return { user };
};

Then you can use the middleware in the router and pass on user from req.middleware to the handler function.

// pages/api/users.js
import { RouterBuilder, ForbiddenException } from 'next-api-handler';
import {
  versionMiddleware,
  cookieMiddleware,
  userMiddleware,
} from '@/server/middleware/auth';
import { updateUser } from '@/services/user';

const router = new RouterBuilder();

router
  .inject(versionMiddleware)
  .inject(cookieMiddleware)
  .use(userMiddleware)
  .get((req) => req.middleware.user)
  .put((req) => {
    if (!req.middleware.user.isAdmin) throw new ForbiddenException();

    return updateUser(req.body);
  });

export default router.build();

Route specific middleware

You can also use middleware that is only specific to a route. This is useful when you want to use the same middleware for multiple routes.

// server/middleware/auth.js
import {
  RouterBuilder,
  UnauthorizedException,
  NotFoundException,
} from 'next-api-handler';
import { verify, getUserInfo } from '@/services/auth';

export const authMiddleware = async (req, res) => {
  const apiKey = req.cookies['Authorization'];

  // some async service to check apiKey
  const isValid = await verify(apiKey);

  if (!isValid) throw new UnauthorizedException();

  // another async service to fetch user info
  const user = await getUserInfo(apiKey);

  if (!user) throw new NotFoundException();

  // this has to be an object or undefined (void function)
  return { user };
};

export const adminMiddleware = async (req, res) => {
  if (!req.middleware.user.isAdmin) throw new ForbiddenException();
};

Then you can use the middleware in the router and pass on user from req.middleware to the handler function.

// pages/api/users/me.js
import { RouterBuilder } from 'next-api-handler';
import { authMiddleware, adminMiddleware } from '@/server/middleware/auth';
import { updateUser } from '@/services/user';

const router = new RouterBuilder();

router
  .use(authMiddleware) // This is equivalent to use('ALL', authMiddleware)
  .use('PUT', adminMiddleware)
  .get((req) => req.middleware.user)
  .put((req) => updateUser(req.body));

export default router.build();

Type safety

If you are using TypeScript, we can also enforce the response type by using generics. Here for demonstration purpose, we will put all middleware in one file. In production, you might consider splitting them into different business contexts.

// server/middleware/auth.ts
import {
  RouterBuilder,
  BadRequestException,
  UnauthorizedException,
  NotFoundException,
  ForbiddenException,
} from 'next-api-handler';
import { verifyVersion, getEmailFromCookie } from '@/services/users';

export type VersionMiddleware = {
  version: string,
};

export const versionMiddleware: NextApiHandlerWithMiddleware<
  VersionMiddleware
> = (req, res) => {
  const version = req.headers['x-version'];

  if (!verifyVersion(version)) throw new BadRequestException();

  return { version };
};

export type CookieMiddleware = {
  email: string,
};

export const cookieMiddleware: NextApiHandlerWithMiddleware<
  CookieMiddleware
> = async (req, res) => {
  const email = getEmailFromCookie(req.cookies['Authorization']);

  if (!email) throw new UnauthorizedException();

  return { email };
};

export type User = {
  email: string,
  isAdmin: boolean,
};

export type UserMiddleware = {
  user: User,
};

// Here we can pass required pre-executed middleware to the handler
export const userMiddleware: NextApiHandlerWithMiddleware<
  UserMiddleware,
  CookieMiddleware
> = async (req, res) => {
  const user = await getUserByEmail(req.middleware.email);

  console.log(`Client side running version ${req.middleware.version}`);

  if (!user) throw new NotFoundException();

  return { user };
};

// Here we can pass void as the response type
export const adminMiddleware: NextApiHandlerWithMiddleware<
  void,
  UserMiddleware
> = async (req, res) => {
  if (!req.middleware.user.isAdmin) throw new ForbiddenException();
};

Then you can use the middleware in the router and pass on user from req.middleware to the handler function.

// pages/api/users.ts
import { RouterBuilder, BadRequestException } from 'next-api-handler';
import {
  versionMiddleware,
  cookieMiddleware,
  userMiddleware,
  adminMiddleware,
  type User,
  type UserMiddleware,
  type VersionMiddleware,
} from '@/server/middleware/auth';
import { updateUser, deleteUser } from '@/services/user';

const router = new RouterBuilder();

router
  .inject(versionMiddleware)
  .inject(cookieMiddleware)
  .use(userMiddleware)
  .use('PUT', adminMiddleware)
  .use('DELETE', adminMiddleware)
  .put<User>((req) => updateUser(req.body));
  // here we add required middleware type to the handler
  .get<User, UserMiddleware>(
    (req) => req.middleware.user
  )
  // here we can combine multiple middleware types
  .delete<User, UserMiddleware & VersionMiddleware>(
    async (req) => {
      const user = await deleteUser(req.middleware.user.email, req.middleware.version)

      if (!user) throw new BadRequestException('Unmatched version');

      return user
    }
  );

export default router.build();

Sharing middleware

It might be tempted to create a router, register middleware and share between API routes, but it is not recommended. The reason is that the router will preserve usage of previous route specific middleware & handler, causing unexpected behavior.

Instead, create typed middleware in separate files and import them into the router when needed.

Previous
RESTful API