Middleware

Middleware are hooks that run before or after a request is handled by a controller. They are registered in start/kernel.ts.

Global Middleware

These run on every HTTP request.

  1. force_json_response: Ensures the client always gets JSON, even on 404/500 errors (avoids HTML error pages).
  2. security_headers: Sets Helmet-like headers (HSTS, No-Sniff, XSS Protection).
  3. cors: Handles Cross-Origin Resource Sharing.
  4. prometheus: Collects RED metrics (Rate, Error, Duration) for Grafana.
  5. http_metrics: Logs custom metrics like "Active Request Count".

Named Middleware

These are applied to specific routes (mostly in start/routes.ts).

auth

Verifies the Bearer Token (JWT).

  • If valid: Attaches ctx.auth.user.
  • If invalid: Throws 401 Unauthorized.

permission

RBAC Enforcer. Usage: .middleware(middleware.permission({ permission: 'camera:view' }))

  • Checks if ctx.auth.user has the required permission via PermissionScopeService.

rateLimit

Protects sensitive endpoints (Login, Reset Password) using a Redis sliding window.

  • Default: 5 attempts per 1 minute.
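
The sliding-window behaviour with the default of 5 attempts per 1 minute, as an added example that is not the project's own code. An in-memory Map stands in for Redis, and the class name, key format and timestamps are assumptions constructed for illustration.

```typescript
// Added example: in-memory model of a sliding-window log limiter.
// The Map stands in for one Redis sorted set per key; the Redis commands
// named in comments are what such a limiter typically uses (assumption).
type Decision = { allowed: boolean; remaining: number; retryAfterMs: number }

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>() // key -> attempt timestamps (ms), ascending
  private limit: number
  private windowMs: number

  constructor(limit = 5, windowMs = 60_000) {
    this.limit = limit
    this.windowMs = windowMs
  }

  attempt(key: string, now: number): Decision {
    // Drop attempts that have left the window (Redis: ZREMRANGEBYSCORE).
    const cutoff = now - this.windowMs
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff)

    if (recent.length >= this.limit) {
      // Rejected attempts are not recorded, so the client is let back in
      // as soon as its oldest counted attempt ages out of the window.
      this.hits.set(key, recent)
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now }
    }

    recent.push(now) // Redis: ZADD, then PEXPIRE so idle keys disappear
    this.hits.set(key, recent)
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 }
  }
}

// Constructed scenario: one client hitting a login route, keyed by route + IP.
function demo(): Decision[] {
  const limiter = new SlidingWindowLimiter() // 5 attempts per 1 minute
  const key = 'login:203.0.113.7' // hypothetical key format
  const times = [0, 1_000, 2_000, 3_000, 4_000, 5_000, 59_999, 60_000, 60_500]
  return times.map((t) => limiter.attempt(key, t))
}

console.log(demo().map((d) => (d.allowed ? 'allow' : `deny (${d.retryAfterMs} ms)`)))
```

Unlike a fixed per-minute counter, the window moves with each request, so a client cannot spend 5 attempts at the end of one minute and 5 more at the start of the next. The limiter key decides what is protected: keying only by IP limits one source, while keying by the targeted account also limits distributed guessing against a single login.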

apiResponse

Standardizes the output format.

  • Wraps the return value in { data: ..., meta: ... }.