Bird
Raised Fist0
NextJSframework~3 mins

Why Protected routes with middleware in NextJS? - Purpose & Use Cases

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
The Big Idea

What if you could protect your whole site with just one simple check?

The Scenario

Imagine you have a website where some pages should only be seen by logged-in users. You try to check if a user is logged in on every page manually by adding code everywhere.

The Problem

Manually checking login status on every page is tiring and easy to forget. If you miss one page, anyone can see it. It also makes your code messy and hard to update.

The Solution

Using middleware for protected routes lets you write the login check once. Middleware runs before your pages load and blocks access if the user is not logged in, keeping your code clean and secure.

Before vs After
Before
if (!user) { redirect('/login') } // on every page
After
import { NextResponse } from 'next/server';

export function middleware(req) {
  if (!req.cookies.get('token')) {
    return NextResponse.redirect(new URL('/login', req.url));
  }
}
What It Enables

This lets you protect many pages easily and keep your app safe without repeating code everywhere.

Real Life Example

Think of a gym where only members can enter certain rooms. Middleware is like a guard checking membership at the door, so you don't need a guard inside every room.

Key Takeaways

Manual checks on every page are slow and error-prone.

Middleware runs once before pages load to protect routes.

This keeps your app secure and your code simple.

Practice

(1/5)
1. What is the main purpose of middleware in Next.js when protecting routes?
easy
A. To check user authentication before allowing access to certain pages
B. To style the pages dynamically based on user preferences
C. To preload images for faster page loading
D. To manage database connections automatically

Solution

  1. Step 1: Understand middleware role

    Middleware runs before a page loads to control access or modify requests.

  2. Step 2: Identify protection purpose

    In protected routes, middleware checks if a user is authenticated before allowing access.

  3. Final Answer:

    To check user authentication before allowing access to certain pages -> Option A

  4. Quick Check:

    Middleware protects routes by checking authentication [OK]
Hint: Middleware runs before page load to check user access [OK]
Common Mistakes:
  • Thinking middleware styles pages
  • Confusing middleware with database management
  • Assuming middleware preloads images
2. Which of the following is the correct way to export middleware in Next.js to protect routes?
easy
A. export function middleware() { /* code */ }
B. function middleware() { /* code */ } export middleware
C. export middleware = () => { /* code */ }
D. export default function middleware(req) { /* code */ }

Solution

  1. Step 1: Recall Next.js middleware export syntax

    Middleware must be exported as the default export function named middleware.

  2. Step 2: Check options for correct syntax

    Only export default function middleware(req) { /* code */ } uses "export default function middleware(req)" which is valid syntax.

  3. Final Answer:

    export default function middleware(req) { /* code */ } -> Option D

  4. Quick Check:

    Middleware uses default export function [OK]
Hint: Middleware must be default exported as a function named middleware [OK]
Common Mistakes:
  • Using named export instead of default
  • Assigning middleware to a variable without export default
  • Incorrect export statement syntax
3. Given this middleware code snippet, what happens when a user is not authenticated?
import { NextResponse } from 'next/server';

export default function middleware(req) {
  const token = req.cookies.get('token');
  if (!token) {
    return NextResponse.redirect(new URL('/login', req.url));
  }
  return NextResponse.next();
}
medium
A. The user stays on the current page without any change
B. The user is redirected to the /login page
C. The middleware throws an error and stops loading
D. The user is redirected to the homepage

Solution

  1. Step 1: Analyze token check in middleware

    The middleware checks if the 'token' cookie exists; if not, it triggers a redirect.

  2. Step 2: Understand redirect behavior

    If no token, middleware returns a redirect response to '/login' page.

  3. Final Answer:

    The user is redirected to the /login page -> Option B

  4. Quick Check:

    No token causes redirect to login [OK]
Hint: No token cookie means redirect to login page [OK]
Common Mistakes:
  • Assuming user stays on page without token
  • Thinking middleware throws error on missing token
  • Confusing redirect target URL
4. Identify the error in this middleware code that aims to protect routes:
import { NextResponse } from 'next/server';

export default function middleware(req) {
  const token = req.cookies.token;
  if (!token) {
    return NextResponse.redirect('/login');
  }
  return NextResponse.next();
}
medium
A. Missing async keyword in middleware function
B. Redirect URL should be absolute, not relative
C. Accessing cookies incorrectly; should use req.cookies.get('token')
D. NextResponse.next() should be replaced with NextResponse.continue()

Solution

  1. Step 1: Check cookie access method

    In Next.js middleware, cookies are accessed with req.cookies.get('token'), not req.cookies.token.

  2. Step 2: Verify redirect usage

    Redirect can accept a relative path, so that is valid here.

  3. Final Answer:

    Accessing cookies incorrectly; should use req.cookies.get('token') -> Option C

  4. Quick Check:

    Use req.cookies.get('token') to read cookies [OK]
Hint: Use req.cookies.get('token') to read cookies in middleware [OK]
Common Mistakes:
  • Using dot notation for cookies object
  • Thinking redirect URL must be absolute
  • Confusing NextResponse.next() with continue()
5. You want to protect only the routes starting with /dashboard using middleware. Which is the correct way to apply middleware only to these routes?
hard
A. export const config = { matcher: ['/dashboard/:path*'] };
B. export const config = { matcher: ['/dashboard*'] };
C. export const config = { matcher: ['/dashboard'] };
D. export const config = { matcher: ['/dashboard/**'] };

Solution

  1. Step 1: Understand matcher pattern syntax

    The matcher uses path patterns where ':path*' matches all subpaths under /dashboard.

  2. Step 2: Compare options for correct pattern

    export const config = { matcher: ['/dashboard/:path*'] }; uses '/dashboard/:path*' which correctly matches /dashboard and all nested routes.

  3. Final Answer:

    export const config = { matcher: ['/dashboard/:path*'] }; -> Option A

  4. Quick Check:

    Use '/dashboard/:path*' to match dashboard and subpaths [OK]
Hint: Use ':path*' to match all subpaths under a route [OK]
Common Mistakes:
  • Using wildcard * without colon for subpaths
  • Matching only exact /dashboard without subpaths
  • Using invalid glob pattern like /**