
Middleware composition for auth layers in Express - Step-by-Step Execution

Concept Flow - Middleware composition for auth layers
Request Received -> Middleware 1: Check Token -> Middleware 2: Check Role -> Next Middleware or Route Handler
The request passes through each middleware in order. Each middleware checks a condition (token, role). If a check fails, it sends an error response and stops. If all pass, the request proceeds.
Execution Sample
Express
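const express = require('express');
const app = express();

// checkToken and checkRole are auth middleware defined elsewhere.
// They are registered before the route, so requests to /data pass both first.
app.use(checkToken);
app.use(checkRole);
app.get('/data', (req, res) => {
  res.send('Secret Data');
});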
This code runs two middleware functions in order before the route handler. Each middleware checks authorization and either passes control or sends an error.
Execution Table
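| Step | Middleware | Check | Condition Result | Action | Response Sent |
|---|---|---|---|---|---|
| 1 | checkToken | Is token valid? | Yes | Call next() | No |
| 2 | checkRole | Is role allowed? | Yes | Call next() | No |
| 3 | Route Handler | N/A | N/A | Send 'Secret Data' | Yes |
| 4 | End | N/A | N/A | Request completed | No |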
💡 Request completes successfully after passing all middleware checks and reaching route handler.
Variable Tracker
| Variable | Start | After checkToken | After checkRole | Final |
|---|---|---|---|---|
| req.user | undefined | {id:1, role:'admin'} | {id:1, role:'admin'} | {id:1, role:'admin'} |
| res.statusCode | 200 | 200 | 200 | 200 |
| responseSent | false | false | false | true |
Key Moments - 3 Insights
Why does the request stop if the token is invalid?
Because at row 1 of the Execution Table (the token check), if the check fails, the middleware sends a 401 response and does not call next(), which stops all further middleware.
What happens if the role check fails?
At row 2 of the Execution Table (the role check), if the role is not allowed, the middleware sends a 403 response and does not call next(), so the route handler is not reached.
Why is the route handler only called after all middleware pass?
Because each middleware calls next() only if its check passes, allowing the request to continue to the next middleware or route handler, as seen in rows 1 and 2 of the Execution Table.
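The two middleware the page names, written out as an added example (not code from the original page), with a small in-process runner so the 401 and 403 stop cases can be exercised without Express installed. The token table, `requireRole`, `run` and `fakeRes` are assumptions made for the illustration; a real `checkToken` would verify a signed token or session rather than do a table lookup.

```javascript
// Added example: the page's checkToken/checkRole chain, run without Express.
// TOKENS, requireRole, run and fakeRes are hypothetical names; the token table
// is constructed sample data standing in for real token verification.
const TOKENS = new Map([
  ['tok-admin', { id: 1, role: 'admin' }],
  ['tok-guest', { id: 2, role: 'guest' }],
]);

function checkToken(req, res, next) {
  const header = req.headers.authorization || '';
  const token = header.startsWith('Bearer ') ? header.slice(7) : null;
  const user = token ? TOKENS.get(token) : undefined;
  if (!user) return res.status(401).send('Unauthorized'); // stop: no next()
  req.user = user;
  next();
}

// Factory so each route can state the roles it allows.
function requireRole(...allowed) {
  return function checkRole(req, res, next) {
    // Fail closed if mounted without checkToken in front of it.
    if (!req.user) return res.status(401).send('Unauthorized');
    if (!allowed.includes(req.user.role)) return res.status(403).send('Forbidden');
    next();
  };
}

const handler = (req, res) => res.send('Secret Data');

// Minimal response object with the status()/send() shape Express uses.
function fakeRes() {
  return {
    statusCode: 200, body: null, responseSent: false,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; this.responseSent = true; return this; },
  };
}

// Runs the stack in order; a middleware that never calls next() ends the chain.
function run(stack, headers) {
  const req = { headers }, res = fakeRes(), trace = [];
  const step = (i) => {
    if (i >= stack.length) return;
    trace.push(stack[i].name);
    stack[i](req, res, () => step(i + 1));
  };
  step(0);
  return { status: res.statusCode, body: res.body, trace };
}
```

Calling `run([checkToken, requireRole('admin'), handler], { authorization: 'Bearer tok-guest' })` returns status 403 with a trace that ends at `checkRole`, which is the stop case described for row 2.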
Visual Quiz - 3 Questions
Test your understanding
Look at the Execution Table. What is the responseSent value after the checkRole middleware if the role is allowed?
A. true
B. undefined
C. false
D. null
💡 Hint
Check the 'responseSent' row of the Variable Tracker under the 'After checkRole' column.
At which step does the request send the 'Secret Data' response?
A. Step 1
B. Step 3
C. Step 2
D. Step 4
💡 Hint
Look at the Execution Table row where 'Route Handler' sends the response.
If the token is invalid, what action does the middleware take?
A. Sends 401 Unauthorized and stops
B. Calls next() to continue
C. Sends 403 Forbidden and stops
D. Ignores and continues
💡 Hint
Refer to step 1 of the Execution Table, where token validity is checked.
Concept Snapshot
Middleware composition in Express:
- Middleware run in order on each request
- Each middleware checks auth (token, role)
- If check fails, send error response and stop
- If passes, call next() to continue
- Route handler runs after all middleware pass
Full Transcript
Middleware composition for auth layers in Express means running multiple middleware functions one after another. Each middleware checks something about the request, like if the token is valid or if the user role is allowed. If a check fails, the middleware sends an error response and stops the request from going further. If the check passes, it calls next() to let the request continue to the next middleware or the final route handler. This way, the request only reaches the route handler if all auth checks pass.