Bird
Raised Fist0
NextJSframework~10 mins

Protected routes with middleware in NextJS - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to import NextResponse from Next.js.

NextJS
import { [1] } from 'next/server';
Drag options to blanks, or click blank then click option'
AuseMiddleware
BwithAuth
ChandleRequest
DNextResponse
Attempts:
3 left
💡 Hint
Common Mistakes
Using a non-existent import name like 'useMiddleware'.
Trying to import default instead of named export.
2fill in blank
medium

Complete the code to check if the user is authenticated inside the middleware.

NextJS
export function middleware(request) {
  const token = request.cookies.get('[1]');
  if (!token) {
    return NextResponse.redirect(new URL('/login', request.url));
  }
}
Drag options to blanks, or click blank then click option'
Atoken
Bauth_token
Cuser_token
Dsession_id
Attempts:
3 left
💡 Hint
Common Mistakes
Using a cookie name that does not exist in the app.
Confusing session_id with token.
3fill in blank
hard

Fix the error in the middleware to correctly redirect unauthenticated users.

NextJS
if (!token) {
  return [1](new URL('/login', request.url));
}
Drag options to blanks, or click blank then click option'
ANextResponse.redirect
BredirectResponse
Cres.redirect
Dredirect
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'redirect' as a function without NextResponse prefix.
Using Express style 'res.redirect' which does not exist here.
4fill in blank
hard

Fill both blanks to allow middleware only on protected routes and exclude public ones.

NextJS
export const config = {
  matcher: ['/dashboard[1]', '/settings[2]']
};
Drag options to blanks, or click blank then click option'
A/*
B/public
C/api
D/login
Attempts:
3 left
💡 Hint
Common Mistakes
Using exact paths without wildcards, missing nested routes.
Including public paths in matcher causing unwanted middleware runs.
5fill in blank
hard

Fill all three blanks to extract the token, check it, and redirect if missing.

NextJS
export function middleware(request) {
  const token = request.cookies.get([1]);
  if (!token) {
    return NextResponse.[2](new URL([3], request.url));
  }
}
Drag options to blanks, or click blank then click option'
A'token'
B'/login'
Credirect
DNextResponse.redirect
Attempts:
3 left
💡 Hint
Common Mistakes
Omitting quotes around cookie name or URL path.
Using incorrect method names for redirect.

Practice

(1/5)
1. What is the main purpose of middleware in Next.js when protecting routes?
easy
A. To check user authentication before allowing access to certain pages
B. To style the pages dynamically based on user preferences
C. To preload images for faster page loading
D. To manage database connections automatically

Solution

  1. Step 1: Understand middleware role

    Middleware runs before a page loads to control access or modify requests.

  2. Step 2: Identify protection purpose

    In protected routes, middleware checks if a user is authenticated before allowing access.

  3. Final Answer:

    To check user authentication before allowing access to certain pages -> Option A

  4. Quick Check:

    Middleware protects routes by checking authentication [OK]
Hint: Middleware runs before page load to check user access [OK]
Common Mistakes:
  • Thinking middleware styles pages
  • Confusing middleware with database management
  • Assuming middleware preloads images
2. Which of the following is the correct way to export middleware in Next.js to protect routes?
easy
A. export function middleware() { /* code */ }
B. function middleware() { /* code */ } export middleware
C. export middleware = () => { /* code */ }
D. export default function middleware(req) { /* code */ }

Solution

  1. Step 1: Recall Next.js middleware export syntax

    Middleware must be exported as the default export function named middleware.

  2. Step 2: Check options for correct syntax

    Only export default function middleware(req) { /* code */ } uses "export default function middleware(req)" which is valid syntax.

  3. Final Answer:

    export default function middleware(req) { /* code */ } -> Option D

  4. Quick Check:

    Middleware uses default export function [OK]
Hint: Middleware must be default exported as a function named middleware [OK]
Common Mistakes:
  • Using named export instead of default
  • Assigning middleware to a variable without export default
  • Incorrect export statement syntax
3. Given this middleware code snippet, what happens when a user is not authenticated?
import { NextResponse } from 'next/server';

export default function middleware(req) {
  const token = req.cookies.get('token');
  if (!token) {
    return NextResponse.redirect(new URL('/login', req.url));
  }
  return NextResponse.next();
}
medium
A. The user stays on the current page without any change
B. The user is redirected to the /login page
C. The middleware throws an error and stops loading
D. The user is redirected to the homepage

Solution

  1. Step 1: Analyze token check in middleware

    The middleware checks if the 'token' cookie exists; if not, it triggers a redirect.

  2. Step 2: Understand redirect behavior

    If no token, middleware returns a redirect response to '/login' page.

  3. Final Answer:

    The user is redirected to the /login page -> Option B

  4. Quick Check:

    No token causes redirect to login [OK]
Hint: No token cookie means redirect to login page [OK]
Common Mistakes:
  • Assuming user stays on page without token
  • Thinking middleware throws error on missing token
  • Confusing redirect target URL
4. Identify the error in this middleware code that aims to protect routes:
import { NextResponse } from 'next/server';

export default function middleware(req) {
  const token = req.cookies.token;
  if (!token) {
    return NextResponse.redirect('/login');
  }
  return NextResponse.next();
}
medium
A. Missing async keyword in middleware function
B. Redirect URL should be absolute, not relative
C. Accessing cookies incorrectly; should use req.cookies.get('token')
D. NextResponse.next() should be replaced with NextResponse.continue()

Solution

  1. Step 1: Check cookie access method

    In Next.js middleware, cookies are accessed with req.cookies.get('token'), not req.cookies.token.

  2. Step 2: Verify redirect usage

    Redirect can accept a relative path, so that is valid here.

  3. Final Answer:

    Accessing cookies incorrectly; should use req.cookies.get('token') -> Option C

  4. Quick Check:

    Use req.cookies.get('token') to read cookies [OK]
Hint: Use req.cookies.get('token') to read cookies in middleware [OK]
Common Mistakes:
  • Using dot notation for cookies object
  • Thinking redirect URL must be absolute
  • Confusing NextResponse.next() with continue()
5. You want to protect only the routes starting with /dashboard using middleware. Which is the correct way to apply middleware only to these routes?
hard
A. export const config = { matcher: ['/dashboard/:path*'] };
B. export const config = { matcher: ['/dashboard*'] };
C. export const config = { matcher: ['/dashboard'] };
D. export const config = { matcher: ['/dashboard/**'] };

Solution

  1. Step 1: Understand matcher pattern syntax

    The matcher uses path patterns where ':path*' matches all subpaths under /dashboard.

  2. Step 2: Compare options for correct pattern

    export const config = { matcher: ['/dashboard/:path*'] }; uses '/dashboard/:path*' which correctly matches /dashboard and all nested routes.

  3. Final Answer:

    export const config = { matcher: ['/dashboard/:path*'] }; -> Option A

  4. Quick Check:

    Use '/dashboard/:path*' to match dashboard and subpaths [OK]
Hint: Use ':path*' to match all subpaths under a route [OK]
Common Mistakes:
  • Using wildcard * without colon for subpaths
  • Matching only exact /dashboard without subpaths
  • Using invalid glob pattern like /**