[RFC] Automatically run middleware for all server endpoints

[flybayer]

Problem

Currently we only support http middleware for queries/mutations. This results the following inelegant code:

export const getServerSideProps = ({req, res}) => {
  const session = await getSession(req, res)
  const result = await invokeWithMiddleware(getUser, {id: 1}, {req, res})
}

and for api routes

export default async function stripeWebhook(req, res) {
  const session = await getSession(req, res)
  const result = await invokeWithMiddleware(getUser, {id: 1}, {req, res})
}

Solution

1. Automatically run global middleware (whatever is in blitz.config.js) on all server endpoints which includes getServerSideProps and custom api routes.
2. Add ctx param to getServerSideProps and custom api routes. (This is the same middleware provided object currently given as second argument to queries/mutations)
3. Add ability to define local middleware for api routes. We currently support this for queries/mutations, so with these other changes we can essentially get it for free.

New for pages: ctx added to the provide context object

export const getServerSideProps = ({req, res, ctx}) => {
  const session = ctx.session
  const result = await getUser({id: 1}, ctx) // this is a query resolver
}

New for api routes: ctx added as a third parameter

export default async function stripeWebhook(req, res, ctx) {
  const session = ctx.session
  const result = await getUser({id: 1}, ctx) // this is a query resolver
}

---

TBD:

• How to keep local middleware working with the above API where you directly call query resolvers? Probably some babel magic required...

[MrLeebo]

What are the default global middlewares? Does that include Anti-CSRF? You wouldn't want to run that on certain API Routes, such as web hooks, for instance.

[flybayer]

sessionMiddleware is the only middleware included by default, and it includes anti-csrf but only for user sessions.

anti-csrf is only enforced if the request includes the anonymous or authenticated session cookie and for non-GET http methods.

So any direct requests from third parties like webhooks will not have those cookies and so anti-csrf will not be enforced.

[MrLeebo]

Ok, I think middleware for gSSP/API Routes is a great add! 👍

I wonder if it would be better to move middleware out of blitz.config.js and create a separate middleware.ts config file with helper utilities for adding/organizing middleware (like Rack in Rails). Having a dedicated file will probably make it easier to write recipes that include middlewares.

[flybayer]

@MrLeebo yeah we could. Feel free to make a new RFC for that if you want

[oyatek]

Hi,
What is the status of this? I also find invokeWithMiddleware to be inelegant.

[oyatek]

In latest blitzJS with Next15 app router I found that BlitzServerMiddleware(middleware), is not working for custom API endpoints. How to fix that?