💪 Mastering Middlewares in Next.js #36

akash-coded · 2025-02-20T04:56:44Z

akash-coded
Feb 20, 2025
Maintainer

💪 Mastering Middlewares in Next.js

Introduction to Middlewares in Next.js

Let’s start with an analogy. Think of a middleware as a security checkpoint at an airport. Before you board your flight (access a page or API), security checks if your passport (user authentication), scans your luggage (data validation), and ensures you meet the travel criteria (role-based access). Similarly, in Next.js, middlewares sit between the request and response lifecycle, allowing you to process requests before they reach a page or API route.

Next.js middlewares work at a global level and can intercept both API and page requests before they hit the actual handler.

Comparison: Middleware in Next.js vs Custom Middleware in React

Feature	Next.js Middleware	Custom Middleware in React
Execution Context	Runs at the Edge before request processing	Runs inside React components (not at the network level)
Use Cases	Authentication, Redirection, Geolocation-based personalization, Logging, Caching	State management (Redux Thunks, Sagas), Logging, Enhancing API requests
Performance	Executes before rendering (efficient for access control, redirects)	Runs inside the React app, leading to additional rendering overhead
Network Interception	Yes (processes requests before they hit the page/API route)	No (works within the React rendering lifecycle)

Key Takeaway: Next.js middlewares are great for network-level request processing, whereas custom middleware in React (like Redux middleware) is used for managing state, API calls, and component-level logic.

How Middlewares Work in Next.js

Middlewares in Next.js run before the request reaches a page or API route. These are implemented inside a file named middleware.js (or middleware.ts) in the project root.

Basic Middleware Example

A simple middleware that logs requests:

import { NextResponse } from 'next/server';
export function middleware(req) {

console.log(Request received for: ${req.nextUrl.pathname});

return NextResponse.next(); // Pass request to the next handler

}

Note: Unlike Express.js middleware, Next.js middleware does not use next(). Instead, it must return a NextResponse.

Practical Use Cases of Next.js Middlewares

1. Authentication & Protected Routes

One of the most common uses of middleware is protecting private routes.

🔹 Example: Protect pages based on authentication

Redirect users to /login if they are not authenticated:

import { NextResponse } from 'next/server';
export function middleware(req) {

const token = req.cookies.get('auth-token'); // Extract token from cookies
if (!token) {
    return NextResponse.redirect(new URL('/login', req.url)); // Redirect if no auth token
}

return NextResponse.next(); // Allow access

}

Where to Apply It?

Define routes where the middleware should run:

export const config = {
    matcher: ['/dashboard/:path*', '/profile/:path*'], // Apply to these routes
};

2. Role-Based Access Control (RBAC)

Redirect users if they lack the required permissions.

🔹 Example: Restrict access to `/admin` route

export function middleware(req) {
    const role = req.cookies.get('user-role'); // Assume roles are stored in cookies
if (role !== 'admin') {
    return NextResponse.redirect(new URL('/unauthorized', req.url));
}

return NextResponse.next();

}

3. Geolocation-Based Content

Middleware can dynamically serve different content based on the user’s location.

🔹 Example: Redirect users from India to a local page

export function middleware(req) {
    const country = req.geo.country; // Extract country from request metadata
if (country === 'IN') {
    return NextResponse.redirect(new URL('/india-homepage', req.url));
}

return NextResponse.next();

}

4. Custom Headers & Security Policies

You can add custom headers or security policies globally.

🔹 Example: Add security headers to every response

export function middleware(req) {
    const response = NextResponse.next();
response.headers.set('X-Frame-Options', 'DENY');
response.headers.set('X-Content-Type-Options', 'nosniff');

return response;

}

5. Caching API Responses

Middleware can cache API responses at the edge to improve performance.

🔹 Example: Cache responses for 5 minutes

export function middleware(req) {
    const response = NextResponse.next();
    response.headers.set('Cache-Control', 'public, max-age=300, stale-while-revalidate=600');
    return response;
}

Lesser-Known Uses of Next.js Middlewares

Apart from authentication and security, here are some lesser-known use cases:

1. A/B Testing & Feature Flags

Dynamically enable/disable features for users.

🔹 Example: Show a beta feature to 50% of users

export function middleware(req) {
    const random = Math.random();
    if (random < 0.5) {
        req.nextUrl.pathname = '/new-feature';
        return NextResponse.rewrite(req.nextUrl); // Rewrite URL dynamically
    }
    return NextResponse.next();
}

2. Device-Specific Rendering

Serve different pages based on the user’s device.

🔹 Example: Redirect mobile users to a mobile-specific site

export function middleware(req) {
    const userAgent = req.headers.get('user-agent') || '';
    const isMobile = /mobile/i.test(userAgent);
if (isMobile) {
    return NextResponse.redirect(new URL('/mobile-home', req.url));
}

return NextResponse.next();

}

3. Dynamic Language Redirection

Automatically serve content in the user’s preferred language.

🔹 Example: Redirect users based on language preference

export function middleware(req) {
    const acceptLang = req.headers.get('accept-language')?.split(',')[0] || 'en';
if (acceptLang.startsWith('es')) {
    return NextResponse.redirect(new URL('/es', req.url)); // Spanish version
}

return NextResponse.next();

}

Best Practices for Next.js Middlewares

✅ Keep Middlewares Lightweight
Avoid heavy computations as they run before every request.

✅ Use Edge Middleware for Performance
Next.js runs middlewares on the Vercel Edge Network, ensuring low latency.

✅ Limit the Scope Using matcher
Apply middleware only to necessary routes instead of running it globally.

✅ Avoid Modifying Large Responses
Middleware should handle request validation or redirection without modifying responses extensively.

Hands-on Exercise

Let’s implement a multi-functional middleware that:

Checks authentication before allowing access to /dashboard
Restricts admin routes to admins only
Redirects mobile users to a mobile version of the dashboard

Solution

import { NextResponse } from 'next/server';
export function middleware(req) {

const token = req.cookies.get('auth-token');

const role = req.cookies.get('user-role');

const userAgent = req.headers.get('user-agent') || '';

const isMobile = /mobile/i.test(userAgent);
const url = req.nextUrl.clone();

if (!token) {
    url.pathname = '/login';
    return NextResponse.redirect(url);
}

if (url.pathname.startsWith('/admin') &amp;&amp; role !== 'admin') {
    url.pathname = '/unauthorized';
    return NextResponse.redirect(url);
}

if (isMobile &amp;&amp; url.pathname === '/dashboard') {
    url.pathname = '/mobile-dashboard';
    return NextResponse.redirect(url);
}

return NextResponse.next();

}
export const config = {

matcher: ['/dashboard', '/admin/:path*'],

};

Conclusion

Today, we explored: ✅ How middlewares work in Next.js
✅ Common and lesser-known use cases
✅ Comparisons with React middleware
✅ Best practices and a hands-on implementation

🔥 Next Steps:

Try adding custom logging or analytics tracking to your middleware.
Experiment with Next.js Edge Middleware for even faster processing.

akash-coded · 2025-02-20T04:57:26Z

akash-coded
Feb 20, 2025
Maintainer Author

Advanced Technical Usage of Next.js Middlewares

In addition to common use cases like authentication and role-based access, let's explore some practical, lesser-known technical implementations of Next.js middlewares that can help optimize your application.

1️⃣ Redirect Users Based on Specific Conditions

One of the most powerful features of Next.js middleware is dynamic redirection. This is useful for:

Enforcing canonical URLs
Redirecting old paths to new paths
Implementing country-based redirections
Handling mobile vs desktop experiences dynamically

🔹 Example: Redirect Users Based on Query Parameters

If a user visits https://example.com/?legacy=true, redirect them to /new-version.

import { NextResponse } from 'next/server';

export function middleware(req) {
    const url = req.nextUrl.clone();

    if (url.searchParams.get('legacy') === 'true') {
        url.pathname = '/new-version';
        return NextResponse.redirect(url);
    }

    return NextResponse.next();
}

✅ When to use this?

Migrating old URLs to new structures
Redirecting users to a newer version of a product or feature

🔹 Example: Redirect Mobile Users to a Mobile-Specific Page

If a user is browsing on mobile, redirect them to a mobile-optimized version of the site.

export function middleware(req) {
    const userAgent = req.headers.get('user-agent') || '';
    const isMobile = /mobile/i.test(userAgent);

    if (isMobile) {
        return NextResponse.redirect(new URL('/mobile-home', req.url));
    }

    return NextResponse.next();
}

✅ When to use this?

Offering a mobile-optimized experience without using responsive UI
Redirecting users to a mobile version of your app

2️⃣ URL Rewriting with Middleware

Rewriting is different from redirecting. Instead of sending a new response, rewriting modifies the URL internally without changing what the user sees.

🔹 Example: Rewrite `/blog/:id` to a New Blog Format

If your blog URLs have changed from /blog/:id to /articles/:id, rewrite them internally.

export function middleware(req) {
    const url = req.nextUrl.clone();

    if (url.pathname.startsWith('/blog/')) {
        url.pathname = url.pathname.replace('/blog/', '/articles/');
        return NextResponse.rewrite(url);
    }

    return NextResponse.next();
}

✅ When to use this?

Migrating to a new URL structure without breaking SEO
Keeping old bookmarks and links functional

3️⃣ Blocking Requests Based on IP Address

Sometimes, you might want to block specific IP addresses from accessing your site (e.g., for security reasons).

🔹 Example: Block Requests from a Specific IP

export function middleware(req) {
    const blockedIPs = ['192.168.1.100', '45.67.89.101'];
    const clientIP = req.ip || req.headers.get('x-forwarded-for');

    if (blockedIPs.includes(clientIP)) {
        return new Response('Access Denied', { status: 403 });
    }

    return NextResponse.next();
}

✅ When to use this?

Blocking suspicious or harmful users
Preventing abuse from known bad actors

4️⃣ Rate Limiting API Requests

Prevent API abuse by restricting the number of requests per user within a time window.

🔹 Example: Limit Users to 5 Requests Per Minute

const rateLimit = new Map();

export function middleware(req) {
    const ip = req.ip || req.headers.get('x-forwarded-for');
    const now = Date.now();

    if (!rateLimit.has(ip)) {
        rateLimit.set(ip, []);
    }

    const timestamps = rateLimit.get(ip);
    timestamps.push(now);

    // Remove old timestamps
    while (timestamps.length && timestamps[0] < now - 60000) {
        timestamps.shift();
    }

    if (timestamps.length > 5) {
        return new Response('Too many requests', { status: 429 });
    }

    rateLimit.set(ip, timestamps);
    return NextResponse.next();
}

✅ When to use this?

Protecting APIs from abuse
Implementing throttling on sensitive operations

5️⃣ Middleware for User-Agent-Based Customization

Modify responses based on user-agent headers, useful for bot detection, device-specific rendering, or browser-based customizations.

🔹 Example: Detect Crawlers and Serve a Lite Version

If the request comes from a bot, serve a lightweight version of the page.

export function middleware(req) {
    const userAgent = req.headers.get('user-agent') || '';
    const isBot = /bot|crawler|spider|bingbot|googlebot/i.test(userAgent);

    if (isBot) {
        return NextResponse.rewrite(new URL('/lite-version', req.url));
    }

    return NextResponse.next();
}

✅ When to use this?

Serving SEO-friendly pages for crawlers
Handling requests differently for bots vs real users

6️⃣ Session Management with Middleware

You can use middleware to automatically extend session expiration when a user is active.

🔹 Example: Extend Authentication Token Expiry

export function middleware(req) {
    const token = req.cookies.get('auth-token');
    
    if (token) {
        // Extend expiration by resetting the cookie
        const response = NextResponse.next();
        response.cookies.set('auth-token', token, { httpOnly: true, maxAge: 3600 }); // 1 hour
        return response;
    }

    return NextResponse.next();
}

✅ When to use this?

Implementing auto-session extension based on user activity
Avoiding unnecessary logouts for active users

7️⃣ Adding Security Headers with Middleware

Ensure security best practices by automatically adding security headers.

🔹 Example: Add Content Security Policy (CSP) Headers

export function middleware(req) {
    const response = NextResponse.next();

    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'");
    response.headers.set('X-Frame-Options', 'DENY');
    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');

    return response;
}

✅ When to use this?

Preventing clickjacking attacks
Enforcing HTTPS security policies
Reducing risk of XSS attacks

Conclusion: Why Middleware is a Game-Changer

✅ Request-Level Control – Next.js middleware allows fine-grained control over requests before they hit the server.
✅ Optimized Performance – Since it runs before rendering, middleware can prevent unnecessary computation.
✅ Security Enhancements – IP blocking, rate-limiting, bot detection, and security headers provide better protection.
✅ Flexible Customization – Middleware enables dynamic routing, A/B testing, and content personalization.

🔥 Next Steps

Experiment with custom logging middleware to track analytics.
Implement Geo-based personalization for different user locations.
Try combining multiple middlewares for authentication + security + rate-limiting.

0 replies

akash-coded · 2025-02-20T04:57:43Z

akash-coded
Feb 20, 2025
Maintainer Author

🚀 Deep Dive into Middleware Chaining & Edge Middleware Optimizations in Next.js

Now that we've explored Next.js middleware basics and advanced use cases, let's go even deeper into:

1️⃣ Middleware Chaining – How to structure multiple middleware functions effectively
2️⃣ Edge Middleware Optimizations – Making middleware faster and leveraging Edge Functions for real-world performance boosts

1️⃣ Middleware Chaining in Next.js

Middleware chaining refers to the process of executing multiple middleware functions sequentially before sending the final response. This is useful when different middleware modules handle authentication, logging, security, and request transformations.

🚦 Why Chain Middlewares?

✅ Modular Code – Each middleware serves a single responsibility
✅ Performance Optimization – Skip expensive middleware if conditions fail early
✅ Better Debugging – Log & analyze request flow at each step

🛠 Approach 1: Basic Middleware Chaining

By convention, Next.js does not support middleware chaining directly (like Express.js). However, we can manually chain multiple middleware functions inside a single middleware.js file.

🔹 Example: Multi-Step Middleware for Authentication, Logging, and Role Validation

import { NextResponse } from 'next/server';

// Authentication Middleware
function checkAuthentication(req) {
    const token = req.cookies.get('auth-token');
    if (!token) {
        return NextResponse.redirect(new URL('/login', req.url));
    }
    return null; // Proceed to next middleware
}

// Logging Middleware
function logRequest(req) {
    console.log(`User requested: ${req.nextUrl.pathname}`);
    return null;
}

// Role-Based Access Middleware
function checkAdminRole(req) {
    const role = req.cookies.get('user-role');
    if (role !== 'admin') {
        return NextResponse.redirect(new URL('/unauthorized', req.url));
    }
    return null;
}

// **Middleware Chaining Function**
export function middleware(req) {
    return checkAuthentication(req) ||
           logRequest(req) ||
           checkAdminRole(req) ||
           NextResponse.next(); // Proceed if all conditions pass
}

// Apply middleware to specific routes
export const config = {
    matcher: ['/dashboard/:path*', '/admin/:path*'],
};

🔹 How It Works:

✅ Executes checkAuthentication first → If the user is unauthenticated, they get redirected to /login
✅ Executes logRequest next → Logs the request for analytics
✅ Executes checkAdminRole last → If the user is not an admin, redirect them
✅ Returns NextResponse.next() only if all conditions pass

🛠 Approach 2: Using Higher-Order Functions for Middleware Chaining

Instead of manually chaining middleware, we can create a reusable higher-order function (HOF) for middleware composition.

🔹 Example: Functional Middleware Pipeline

import { NextResponse } from 'next/server';

// Middleware composition utility
function composeMiddlewares(...middlewares) {
    return async (req) => {
        for (const middleware of middlewares) {
            const response = await middleware(req);
            if (response) return response; // Stop if middleware returns a response
        }
        return NextResponse.next();
    };
}

// Authentication Middleware
async function checkAuth(req) {
    const token = req.cookies.get('auth-token');
    if (!token) return NextResponse.redirect(new URL('/login', req.url));
    return null;
}

// Rate Limiting Middleware
async function rateLimit(req) {
    const clientIP = req.ip || req.headers.get('x-forwarded-for');
    const now = Date.now();

    if (!global.rateLimit) global.rateLimit = new Map();
    const timestamps = global.rateLimit.get(clientIP) || [];
    timestamps.push(now);

    // Keep only requests from the last 60 seconds
    global.rateLimit.set(clientIP, timestamps.filter(t => t > now - 60000));

    if (timestamps.length > 5) {
        return new Response('Too many requests', { status: 429 });
    }

    return null;
}

// Apply middleware chaining
export const middleware = composeMiddlewares(checkAuth, rateLimit);

🔹 Benefits of This Approach:

✅ More Readable & Reusable – Middlewares can be plugged in like Lego blocks
✅ Performance Optimized – Stops execution if an early middleware returns a response
✅ Better Error Handling – Middleware functions are isolated, reducing debugging complexity

2️⃣ Next.js Edge Middleware Optimizations

Next.js Edge Middleware runs on Vercel's Edge Network, providing ultra-low latency responses without needing a full request to reach your server.

🚀 Why Use Edge Middleware?

✅ Blazing Fast – Executes before the request reaches a backend
✅ Better Personalization – Geolocation-based experiences happen instantly
✅ Lower Costs – Reduces backend workload by handling lightweight logic at the edge

⚡ Edge Middleware works best for quick decision-making tasks like:

Redirecting users

Blocking requests

Rewriting URLs

Adding headers

🛠 Optimized Edge Middleware Implementation

🔹 Example: Using Edge Middleware for Geo-Based Personalization

import { NextResponse } from 'next/server';

// Run on Edge for lowest latency
export const config = {
    runtime: 'edge',
};

// Middleware function
export function middleware(req) {
    const country = req.geo?.country || 'US';

    if (country === 'IN') {
        return NextResponse.redirect(new URL('/india-homepage', req.url));
    }
    if (country === 'DE') {
        return NextResponse.redirect(new URL('/germany-homepage', req.url));
    }

    return NextResponse.next();
}

✅ Super fast – Runs directly on the edge without hitting the backend
✅ Geolocation-aware – Redirects users to country-specific pages

🛠 Using Edge Middleware for A/B Testing

Another powerful optimization is dynamically assigning users to an A/B test group at the edge.

🔹 Example: 50% Users See the New UI

export function middleware(req) {
    const random = Math.random();

    if (random < 0.5) {
        req.nextUrl.pathname = '/new-feature';
        return NextResponse.rewrite(req.nextUrl);
    }

    return NextResponse.next();
}

export const config = {
    runtime: 'edge',
};

✅ Instant A/B testing without extra backend logic
✅ Faster decision-making at the edge layer

🛠 Edge Middleware for Security

Edge middleware can block malicious traffic instantly, reducing server load.

🔹 Example: Block Bots & Suspicious Traffic at the Edge

export function middleware(req) {
    const userAgent = req.headers.get('user-agent') || '';

    if (/bot|crawler|spider|bingbot|googlebot/i.test(userAgent)) {
        return new Response('Access Denied', { status: 403 });
    }

    return NextResponse.next();
}

export const config = {
    runtime: 'edge',
};

✅ Better protection – Blocks bad actors at the network edge
✅ Reduces server costs – Stops bots before they reach the backend

🛠 Key Takeaways & Best Practices

Middleware Chaining Best Practices

✅ Use small, modular middleware functions
✅ Apply middleware selectively using matcher
✅ Use a composition utility for easy chaining

Edge Middleware Best Practices

✅ Use for fast, lightweight decision-making
✅ Avoid expensive computations at the edge
✅ Use headers, geo-location, and request metadata efficiently

🔥 Next Steps

Now that you've mastered chaining & edge optimizations, try implementing:

Custom analytics tracking middleware
Edge-based JWT authentication middleware
AI-powered personalization using Next.js Edge Functions

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

💪 Mastering Middlewares in Next.js #36

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

💪 Mastering Middlewares in Next.js #36

Uh oh!

akash-coded Feb 20, 2025 Maintainer