How to use different middleware for different routes/path

[philippegirard]

First check

• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.

Description

Is it possible to use different middleware for different routes/path?

Additional context

In my case my need comes from CORS. But, I am sure there is other cases than CORS requirements that someone would need different middlewares for different paths.

• I want myapi.com/path1 to allow origins of calls from myfrontend.com
• I want myapi.com/path2 to allow origins of calls from anywhere ('*') since it is a public facing api.

I checked if it was possible to add a middleware at a router level and did not find any documentation about it.

Code example

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=['myfrontend.com'],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

# I want /path1 to allow only calls from 'myfrontend.com'
@app.get("/path1")
async def path1():
    return {"status": "alive"}

# I want /path2 to be a public facing api that can be accessed from anywhere ['*']
@app.get("/path2")
async def path2():
    return {"status": "alive"}

[Dustyposa]

I haven't use this way, but you can have a try.
How about use subapp?
documention

[philippegirard]

Thank you @Dustyposa this looks exactly like what I was looking for.

Here is a example implementation in case someone else stumble upon the same problem

# app1.py

from fastapi import FastAPI

app1 = FastAPI(openapi_prefix="/app1")

@app1.get("path1")
async def path1():
    return { "message": "app1"}

# app2.py

from fastapi import FastAPI

app2 = FastAPI(openapi_prefix="/app2")

@app1.get("path2")
async def path2():
    return { "message": "app2"}

# main.py

from fastapi import FastAPI
from app1 import app1
from app2 import app2


app1.add_middleware(
    CORSMiddleware,
    allow_origins=['myfrontend.com'],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

# here we can add middlewares that are only for app2 and not executed on paths of app1
# the CORS policy is different for app2. (allows '*' instead of 'myfrontend.com')
app2.add_middleware(
    CORSMiddleware,
    allow_origins=['*'],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

app = FastAPI()

app.mount("/app1", app1) # if does not work try: app.mount(app1, "/app1")
app.mount("/app2", app2) # if does not work try: app.mount(app2, "/app2")

@app.get("/")
async def root():
    return {"message": "alive"}

[tiangolo]

Thanks for your help here @Dustyposa 🙇‍♂️ 🍰

And thanks for reporting back and closing the issue @philippegirard 🚀

[mreschke]

This is a fine approach for some use cases. But having route based middleware is still a requirement for many projects I work on. I understand starlette itself cannot yet do this, so perhaps this is the wrong github page to bring it up. I will see what Tom Cristie thinks about adding route based middleware to starlette. Then perhaps fastapi can impliment it in the route decorators router.get('/path', middleware=['abc', 'xyz'] etc...

[AustinSeftonPDL]

Yes to this. I'm surprised how difficult it is just to register a middleware to a specific route, so much so, it's recommended to create multiple apps.

[HediHargam]

I'm facing a quite similar issue : I want to add custom 'Content-Security-Policy' header the easiest way to do so is to add a middleware :

@Api.middleware("http")
async def CSPMiddleware(request: Request, call_next):

response = await call_next(request)
response.headers[
    "Content-Security-Policy"
] = "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';"
return response

However this CSP block the Swagger UI and thus it would be great to only apply the middleware to a subset of routes.

nb1 : For those who are wondering, i removed the middleware and i had to add a response headers to all routes (ie functions) except for the swaggers (not very clean)
nb2: app.mount does not solve the problem because swaggers are not available for subapps

[adriangb]

+1 for router and/or route level middleware

[tiago-lp]

Thanks @philippegirard. It's helped me, but in your example:

app.mount(app1, "/app1")
app.mount(app2, "/app2")

Not working. Checking the documentation, I realized that the correct way is swapping parameters:

app.mount("/app1", app1)
app.mount("/app2", app2)

[adriangb]

An interesting alternative is to use customization of the APIRoute class: https://fastapi.tiangolo.com/advanced/custom-request-and-route/#custom-apiroute-class-in-a-router

I wonder if we could wrap an existing middleware into an APIRouter to get something like:

router = APIRouter(route_class=SomeWrapper(middleware=[Middleware1, Middleware2]))

[adriangb]

And... here's a super quick & dirty implementation + 1 test:

from typing import List, Optional, Type

from starlette.middleware.base import BaseHTTPMiddleware
from fastapi import APIRouter, FastAPI, Response
from fastapi.routing import APIRoute
from starlette.middleware import Middleware
from starlette.types import ASGIApp


# define a vanilla middleware
class CustomHeaderMiddleware(BaseHTTPMiddleware):
    def __init__(self, app: ASGIApp, header_value: str):
        super().__init__(app)
        self.header_value = header_value

    async def dispatch(self, request, call_next):
        response: Response = await call_next(request)
        response.headers['X-Custom'] = self.header_value
        return response

# bind the middleware to an APIRoute subclass
def MiddlewareWrapper(middleware: Optional[List[Middleware]] = None) -> Type[APIRoute]:

    class CustomAPIRoute(APIRoute):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, **kwargs)
            app = self.app
            for cls, options in reversed(middleware or []):
                app = cls(app, **options)
            self.app = app

    return CustomAPIRoute


app = FastAPI()
router = APIRouter(route_class=MiddlewareWrapper(middleware=[Middleware(CustomHeaderMiddleware, header_value="test")]))


@router.get("/")
async def root():
    ...


app.include_router(router)


from fastapi.testclient import TestClient


client = TestClient(app)

assert client.get("/").headers["X-Custom"] == "test"

Obviously some things will be broken: these middleware can't modify the path (this would silently fail) and there's probably other stuff that won't work 🤷 , but for a lot of things this is probably fine. As far as I can tell, this isn't accessing any private attributes or doing other breakable stuff. I'm sure the class closure thing can be cleaned up in some way. This would be even easier if we were able to edit parameters on APIRouter and/or APIRoute, but I wanted to do this without subclassing APIRouter.

[adriangb]

I opened encode/starlette#1286 to see if we can upstream #1174 (comment) into Starlette (and then get it for free in FastAPI). The implementation there is 4 LOC.

[adriangb]

encode/starlette#1286 is implemented at the route level, so it should even be possible to do something like:

app = FastAPI()

@app.get("/", middleware=[...])

As well as the original request:

router = APIRouter(middleware=[...])

@router.get("/")

Even combining both (although we'd have to determine the order in which the sequence of middlewares is combined).

[abhaynayak24]

Thank you @Dustyposa this looks exactly like what I was looking for.

Here is a example implementation in case someone else stumble upon the same problem

# app1.py

from fastapi import FastAPI

app1 = FastAPI(openapi_prefix="/app1")

@app1.get("path1")
async def path1():
    return { "message": "app1"}

# app2.py

from fastapi import FastAPI

app2 = FastAPI(openapi_prefix="/app2")

@app1.get("path2")
async def path2():
    return { "message": "app2"}

# main.py

from fastapi import FastAPI
from app1 import app1
from app2 import app2


app1.add_middleware(
    CORSMiddleware,
    allow_origins=['myfrontend.com'],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

# here we can add middlewares that are only for app2 and not executed on paths of app1
# the CORS policy is different for app2. (allows '*' instead of 'myfrontend.com')
app2.add_middleware(
    CORSMiddleware,
    allow_origins=['*'],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

app = FastAPI()

app.mount("/app1", app1) # if does not work try: app.mount(app1, "/app1")
app.mount("/app1", app1) # if does not work try: app.mount(app2, "/app2")

@app.get("/")
async def root():
    return {"message": "alive"}

@philippegirard which middleware would execute first by default? Can we control the order of execution of the middlewares?

[philippegirard]

@abhaynayak24 I am not sure. In this example there's is only one middleware per route. Therefore, there exists no routes which executes two middleware in the same request this example.

Experiment to answer your question: Add two middleware to the same route with two different logs and check in the console which one executes first. You can report back on this issue the result of your experiment.

Thank :) !

[josebrz]

It is not the cleanest thing in the world but it occurred to me to create a list with the paths that I want to go through the middleware, and within the middleware a routing condition

routes_with_middleware = [
    "/api/endpoint"
]

async def middleware(request: Request, call_next):
    if request.url.path not in routes_with_middleware:
        return await call_next(request)
   else:
        ....

In this way, if your middleware does validations, they do not block the other routes such as the api / docs for example

[dangleh]

I haven't use this way, but you can have a try. How about use subapp? documention

Hi, the document has moved to a new link .
Thank you for the recommendation 😄

[jeanlst]

I feel like having to use sub apps is not the optimal choice, I would like to be able to set in a route or path level which middlewares and their order should be running there. Is this still not possible in fastapi?

[adriangb]

It won't be possible until encode/starlette#1286 gets merged and FastAPI updates it's Starlette version. Or just copy the implementation in encode/starlette#1286 to a custom subclass of FastAPI's APIRouter if you need it today.

[IVIyg0t]

Any news here? I have a need for route specific middleware.

[gareth-leake]

Also would love to see route level middleware.

EDIT: Current work on this is pending, here: Starlette PR#1464

[adriangb]

The best way to push this forward would be to express your support in encode/starlette#1464 via a 👍.

Maybe also consider donating or having your employer donate to https://github.com/encode/ so that maintainers can spend more time working on Starlette (to the benefit of all downstream projects, including FastAPI) and less time worrying about being a person in a world run by purchasing power.

[piyushere]

A bit late to the party but,

Recently I wanted to have an authentication middleware on some of my FastAPI routers, just like you'd do in the Express.JS project.
Even though you can't define a middleware for a router, you can always have a router dependency, (instead of adding it on every individual route), And it very much works like any middleware.

Here's my StackOverflow answer to a similar question: https://stackoverflow.com/a/73233603/10123687

As for the CORS use case, it won't be possible to use the middlewares provided by Starlette, but you can easily write your own and add/modify the response headers.

something like this should work:

async def CORS(request: Request, response: Response):
    response.headers['Access-Control-Allow-Origin'] = 'http://localhost:8000'
    response.headers['Access-Control-Allow-Methods'] = 'OPTIONS,GET,POST'
    response.headers['Access-Control-Allow-Headers'] = 'Content-Type'

router = APIRouter(dependencies=[
    Depends(CORS)
])

# ... Your routes as usual
@router.get('/xyz')
# ...

[petrgazarov]

I ended up implementing the CORS functionality like in your example, although it is a bit more complex than that because you must also implement OPTIONS routes. The OPTIONS routes are required for pre-flighted requests.

def cors(allowed_origins: list[str]): # dynamic allowed_origins because I needed this function in multiple routers
    async def cors_dependency(request: Request, response: Response) -> None:
        if request.method == 'OPTIONS':
            return
        request_origin = request.headers.get('origin')
        if '*' in allowed_origins:
            response.headers['Access-Control-Allow-Origin'] = request_origin
        elif request_origin in allowed_origins:
            response.headers['Access-Control-Allow-Origin'] = request_origin
        else:
            return
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
        response.headers['Access-Control-Allow-Credentials'] = 'true'
    return cors_dependency

router = APIRouter(
    dependencies=[
        Depends(cors(allowed_origins=['http://localhost:1234'])),
    ],
)

@router.options('/{path:path}')
def options(request: Request, response: Response) -> None:
    request_origin = request.headers.get('origin')
    if request_origin in allowed_cors_origins:
        response.headers['Access-Control-Allow-Origin'] = request_origin
        response.headers['Access-Control-Allow-Methods'] = 'GET,POST,DELETE,PATCH,PUT'
        response.headers['Access-Control-Max-Age'] = '86400'
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        response.headers['Vary'] = 'Origin'

[tizzo]

@adriangb it seems like per-route middlewares would be unblocked as the latest pulls in starlette 0.25 which has your changes. Would a PR adding it to FastAPI be likely to get merged? Having separate routers sort of works but for some use cases where you need some route specific configuration in the middleware it gets very clunky.

[adriangb]

I think that yes a PR to FastAPI would be accepted

[tizzo]

I've never contributed to FastAPI before (only used it). Any pointers to where to hook in would be greatly appreciated.

[InesIvanova]

Hello, everyone!
I am too late here probably, but I have an alternative suggestion and I will be more than happy to hear your opinion.

Let me describe the scenarios and problems

1. If the person is using class based architecture
2. AND we have a dedicated architecture in main.py where we are adding all the routers and there we are adding the CORS

origins = ["a.com", "b.com"]
app.include_router(api_router)
app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

where the api_router is an APIRouter object which includes all endpoints from some dedicated file (something like resource.py)
3. AND we want to expose only certain endpoints 1 or two, but not creating another Router object

then is it worth it a functionality like this one:

app.add_middleware(
    CustomCORSMiddleware,
    allow_origins=origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
    allow_endpoints_regex=[".*some-path.*endpoint.*we-want-to-expose-without-origin.*",  "some other regex"],
)

I came up with something the below code (really fast coded, so need some refactoring). I would be really happy to hear what do you think - is it something that might be helpful? Do you see security concerns?
I mean we all know the security concerns, but I guess that the endpoint which people want to expose is either guarded with authentication and authorization or it is not harmful. If it is guarded and requires authentication, let's say with token, and this token is stored in local storage, not cookies on the front end side, do you see any other security breaches:

import functools
import re
import typing

from starlette.middleware.cors import CORSMiddleware
from starlette.datastructures import Headers, MutableHeaders
from starlette.responses import PlainTextResponse, Response
from starlette.types import ASGIApp, Message, Receive, Scope, Send

ALL_METHODS = ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT")
SAFELISTED_HEADERS = {"Accept", "Accept-Language", "Content-Language", "Content-Type"}


class CustomCORSMiddleware(CORSMiddleware):
    def __init__(
            self,
            app: ASGIApp,
            allow_origins: typing.Sequence[str] = (),
            allow_methods: typing.Sequence[str] = ("GET",),
            allow_headers: typing.Sequence[str] = (),
            allow_credentials: bool = False,
            allow_origin_regex: typing.Optional[str] = None,
            expose_headers: typing.Sequence[str] = (),
            max_age: int = 600,
            allow_endpoints_regex: typing.Sequence[str] = (),
    ) -> None:
        CORSMiddleware.__init__(self, app, allow_origins, allow_methods, allow_headers, allow_credentials, allow_origin_regex, expose_headers, max_age)

        compiled_endpoints_regex = None
        if allow_endpoints_regex:
            compiled_endpoints_regex = [re.compile(endpoint) for endpoint in allow_endpoints_regex]

        self.allow_endpoints_regex = compiled_endpoints_regex

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        if scope["type"] != "http":  # pragma: no cover
            await self.app(scope, receive, send)
            return

        endpoint = scope["path"]
        method = scope["method"]
        headers = Headers(scope=scope)
        origin = headers.get("origin")

        if origin is None:
            await self.app(scope, receive, send)
            return

        if method == "OPTIONS" and "access-control-request-method" in headers:
            response = self.preflight_response(request_headers=headers, endpoint=endpoint)
            await response(scope, receive, send)
            return

        await self.simple_response(scope, receive, send, request_headers=headers)

    def is_allowed_origin(self, origin: str) -> bool:
        if self.allow_all_origins:
            return True

        if self.allow_origin_regex is not None and self.allow_origin_regex.fullmatch(
                origin
        ):
            return True

        return origin in self.allow_origins

    def preflight_response(self, request_headers: Headers, endpoint: str) -> Response:
        requested_origin = request_headers["origin"]
        requested_method = request_headers["access-control-request-method"]
        requested_headers = request_headers.get("access-control-request-headers")

        headers = dict(self.preflight_headers)
        failures = []

        if self.is_allowed_origin(origin=requested_origin) or self.allowed_endpoint(endpoint):
            if self.preflight_explicit_allow_origin:
                # The "else" case is already accounted for in self.preflight_headers
                # and the value would be "*".
                headers["Access-Control-Allow-Origin"] = requested_origin
        else:
            failures.append("origin")

        if requested_method not in self.allow_methods:
            failures.append("method")

        # If we allow all headers, then we have to mirror back any requested
        # headers in the response.
        if self.allow_all_headers and requested_headers is not None:
            headers["Access-Control-Allow-Headers"] = requested_headers
        elif requested_headers is not None:
            for header in [h.lower() for h in requested_headers.split(",")]:
                if header.strip() not in self.allow_headers:
                    failures.append("headers")
                    break

        # We don't strictly need to use 400 responses here, since its up to
        # the browser to enforce the CORS policy, but its more informative
        # if we do.
        if failures:
            failure_text = "Disallowed CORS " + ", ".join(failures)
            return PlainTextResponse(failure_text, status_code=400, headers=headers)

        return PlainTextResponse("OK", status_code=200, headers=headers)

    async def simple_response(
            self, scope: Scope, receive: Receive, send: Send, request_headers: Headers
    ) -> None:
        endpoint = scope["path"]
        send = functools.partial(self.send, send=send, request_headers=request_headers, endpoint=endpoint)
        await self.app(scope, receive, send)

    async def send(
            self, message: Message, send: Send, request_headers: Headers, endpoint: str
    ) -> None:
        if message["type"] != "http.response.start":
            await send(message)
            return

        message.setdefault("headers", [])
        headers = MutableHeaders(scope=message)
        headers.update(self.simple_headers)
        origin = request_headers["Origin"]
        has_cookie = "cookie" in request_headers

        # If request includes any cookie headers, then we must respond
        # with the specific origin instead of '*'.
        if self.allow_all_origins and has_cookie:
            self.allow_explicit_origin(headers, origin)

        # If we only allow specific origins, then we have to mirror back
        # the Origin header in the response, BUT if there is a exception
        # for the endpoint, then we can allow the request.
        elif not self.allow_all_origins and (self.is_allowed_origin(origin=origin) or self.allowed_endpoint(endpoint)):
            self.allow_explicit_origin(headers, origin)

        await send(message)

    @staticmethod
    def allow_explicit_origin(headers: MutableHeaders, origin: str) -> None:
        headers["Access-Control-Allow-Origin"] = origin
        headers.add_vary_header("Origin")

    def allowed_endpoint(self, endpoint: str) -> bool:
        if self.allow_endpoints_regex:
            for compiled_endpoint in self.allow_endpoints_regex:
                if compiled_endpoint.match(endpoint):
                    return True
        return False
       

[matteobe]

Hi,

Not sure if this can help, but instead of overriding the functionality of the main CORSMiddleware class, I wrote a quick class that manages different CORS settings for different paths, so that multiple CORS settings can be set for the same API.

import re
from typing import List, Union, Sequence, Optional

from pydantic import BaseModel, Field

from starlette.middleware.cors import CORSMiddleware
from starlette.types import ASGIApp, Receive, Scope, Send


class CORSSettings(BaseModel):
    allow_origins: Sequence[str] = ()
    allow_methods: Sequence[str] = ("GET",)
    allow_headers: Sequence[str] = ()
    allow_credentials: bool = False
    allow_origin_regex: Optional[str] = None
    expose_headers: Sequence[str] = ()
    max_age: int = 600
    path_regex: Union[List[str], Sequence[str]] = Field(default_factory=tuple, exclude=True)


class PathsCORSMiddleware:
    """Specify different CORS settings for different paths"""

    def __init__(self, app: ASGIApp, paths_cors: List[CORSSettings], default_cors: CORSSettings) -> None:
        # Path regexes mapping
        patterns = [(idx, re.compile(path)) for idx, settings in enumerate(paths_cors) for path in settings.path_regex]
        self.indexes, self.patterns = zip(*patterns)

        # CORS settings mapping
        self.paths_cors_middlewares = {idx: CORSMiddleware(app=app, **settings.model_dump())
                                       for idx, settings in enumerate(paths_cors)}
        self.default_cors = CORSMiddleware(app=app, **default_cors.model_dump())

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        # Identify relevant CORS middleware
        path = scope["path"]
        matches = [pattern.fullmatch(path) is not None for pattern in self.patterns]

        if any(matches):
            if sum(matches) == 1:
                # Identify index of matching path & call middleware
                idx = matches.index(True)
                cors_middleware = self.paths_cors_middlewares[idx]
                await cors_middleware(scope=scope, receive=receive, send=send)
            else:
                matching_patterns = [pattern.pattern for match, pattern in zip(matches, self.patterns) if match]
                raise ValueError(f"Multiple CORS settings match the path. "
                                 f"Matching patterns: {','.join(matching_patterns)}")
        else:
            # Call default CORS middleware
            await self.default_cors(scope=scope, receive=receive, send=send)

The actual configuration can then be done similar to this:

PATHS_CORS = [
    CORSSettings(
        allow_origins=["*"],
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
        path_regex=["/somepath.*"]
    )
]

DEFAULT_CORS = CORSSettings(
    allow_origins=["your.restricted.domain"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

and the CORS middleware can be added to the FastAPI application as follows:

app = FastAPI()

app.add_middleware(
    PathsCORSMiddleware,
    paths_cors=PATHS_CORS,
    default_cors=DEFAULT_CORS
)

When a request will be coming in, the PathsCORSMIddleware is called up and the relevant CORSMiddleware is then used.

[Chandan-Kalita]

You can use python higher order functions for this use case;
you can write multiple higher order functions for different use cases, and then use the decorators in the API controller,

this doc will help you
functools/wraps

example code:

# the higher order function
def authorize(func):
    @wraps(func)
    async def wrapper(request: Request, *args, **kwargs):
        try:
            auth_header = request.headers["authorization"].split()
            token = auth_header[1]
            url = ****************** 
            response: httpx.Response = await httpx.AsyncClient().get(url)
            userObj = response.json()
            if not userObj["id"]:
                raise Exception()
        except Exception as e:
            print(type(e).__name__, " : ", e)
            raise HTTPException(401)

        return await func(request, *args, **kwargs)

    return wrapper

# the controller

@router.post("/class")
@authorize
async def createClass(request: Request, item: ClassModel, db: Session = Depends(get_db)):
    return ClassServices.create_class(db=db, item=item)

• but in this way if you want to modify the request object then you have to take the request object as a parameter to the controller function

[lewisjr]

Hi guys,

I made a package to make this easily reproducible amongst other packages, it's called pyzeus and works for both sync and async route handlers, as well as on a the APIRouter dependencies array as you see fit; It has default settings but you can override them with kwargs Here's an example of the usage.

Also, no need to worry about using pydantic it works the same in case you are using a pydantic model or models for your handlers.

Router Instance

This implementation is equally

from pyzeus import zeus
from fastapi import APIRouter, Depends

router = APIRouter(dependencies=[Depends(zeus().thunder)])

@router.get("/")
async def hander():
    return { "message": "lorem ipsum" }

@router.options("/")
async def options_hander():
    return None

Specific Route

from pyzeus import zeus
from fastapi import APIRouter, Depends

router = APIRouter()

# Synchronous example
@router.get("/")
@zeus().smite
def synchronous_handler(request: Request, response: Response):
    return { "message": "lorem ipsum" }

# Asynchronous example
@router.get("/")
@zeus().smite
async def asynchronous_handler(request: Request, response: Response):
    return { "message": "lorem ipsum" }

# Pydantic example
class Item(BaseModel):
    name: str

@router.post("/")
@zeus().smite
async def asynchronous_handler(request: Request, response: Response, item: Item):
    return { "message": item }

[Kludex]

As of FastAPI 0.108.0, the APIRouter has the middleware parameter. The route itself also has this parameter.

Given the increase of granularity, we can now have middlewares per route or router.

[matteobe]

Hei @Kludex

Could you copy the link to the code where this has been implemented as could not find it on the master branch of the v0.109.0 of the package.

[Kludex]

Ignore my previous comment. It looks like FastAPI didn't apply the changes made by starlette on those levels.

[najork]

Dropping @Kludex 's PR here (kudos!) as a breadcrumb for others following along: #11010

[adityapatel-00]

Hello everyone, I don't know if the discussion is still about router- or route-based middleware.
In a recent project, I got stuck on the similar issue. After reading many articles, I learned that we can implement fastapi Depends and use dependencies=[Depends(some_middleware_function)] in route and router levels.

I have tested it and it worked well for me.

I would love to know if this helped anyone.
@philippegirard