Can I store data on the Request object?
Masai Lion posted this in #help-forum
Masai LionOP
I want to validate an access token cookie in middleware, and pass the data along with the request to the request handler. How does one do this in NextJS?
In Sveltekit, I stash this type of data on event.locals and it persists there for the duration of the request - just as an example of what I'm hoping to do in NextJS.
51 Replies
Masai LionOP
Seems like you're implying I should just set headers on the request. Is that correct?
yes, just set a custom header
@Masai Lion Seems like you're implying I should just set headers on the request. Is that correct?
Yup, let me know if you face any more issues
@Anay-208 https://nextjs.org/docs/app/building-your-application/routing/middleware#setting-headers
Mark this message as a solution if your issue is resolved
Masai LionOP
Ok, I can do it this way. It does seem a little unsafe for my route handler to just trust a plain-text header. Middleware is guaranteed to run every time? Are there any best practices around passing sensitive information in a header?
that's the only way to pass data from your middleware, is it unsafe.. yes, is it recommended.. no lol, what data would you be needing anyways from your middleware which is "sensitive"
Masai LionOP
I have an access token in a cookie. I want to validate and parse that in middleware, and have it available to me in the route handler.
The access token proves you're logged in and what user ID you are.
I can do it once in the middleware, or run it at the top of every single route handler and action - so I'd rather do it once in the middleware.
just save it to cookies lol
no need to pass a header to every page, when you can just apply a server cookie
Masai LionOP
It's in a cookie already...
the value of the cookie is a JWT, which can be parsed to get the logged-in user's ID.
in that case, it's better to just decrypt the jwt in every route and page that needs it
In middleware, just pass the info in headers, it’ll reach the api route safely.
Masai LionOP
totally defeats the purpose of middleware to parse the cookie/jwt on every page/route.
@Masai Lion totally defeats the purpose of middleware to parse the cookie/jwt on every page/route.
not really, middleware is to run quick and small actions on every request...
you can just make a function to easily decrypt the jwt and call it lol
you can't just trust your headers man
anyone can modify it
Masai LionOP
@Anay-208 - The thing I don't like about passing it as a header, is that what if someone figures out how to send a request to my route handler while skipping middleware somehow, then my validation is gone and I just trust whatever is in the header...
Masai LionOP
^ as Arinji says - you can't just trust headers, and I agree with him.
:/
Masai LionOP
idk how, but it could maybe happen...
How could it even happen?
your middleware will always run, but headers can be bypassed
issue was never with middleware not running
issue was that if someone figures out your header (which is very easy) they can just change it
and since it's not encrypted
Masai LionOP
^ yup
that just means it's visible publicly
I'm actually testing it if it actually is
Masai LionOP
Well - in theory, it's a request header, so if it gets added in the middleware, it would stop at the route handler and nowhere else. The problem is, idk how Vercel routes their requests from middleware -> route handlers... is that request going on the public internet? idk, but I don't want to risk it.
I doubt a request header gets returned to the client as a response header by default.
Aside - do you know if middleware runs before server-actions?
:/
@Masai Lion Aside - do you know if middleware runs before server-actions?
middleware runs before everything
Masai LionOP
^ cool
you can just see the request headers for any site in the network tab
:/
Masai LionOP
But... if you add a header to the request in the middleware, can you see that?
I'm guessing no.
If I'm right, the client side can't see that
Masai LionOP
^ I think that's true.
Actually, you'll have to remove it manually from response headers
Masai LionOP
so dumb.
just to get this right, you are willing to send over unencrypted client data in request headers, because it can't be modified but can be read by anyone... just because you don't want to call a function multiple times?
I wouldn't take those chances.. but to each their own ig.
Anyways anay can take over :D
Masai LionOP
I will try making a function that gets called in every handler... but I'm annoyed I have to do that. It makes the whole app more prone to human error since I have to remember to do this everywhere instead of once in the middleware... you know, like how middleware should work.
The Sveltekit story for middleware and attaching data to request objects as they flow through your system is way better than this. I don't want to run middleware on the edge anyway, I just want to run it on my server before anything else....
^ That's how it works in almost every server framework, express, fastify, etc...
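
Added example (not part of the thread, and not Next.js's own code): the two options debated above, with a shared helper that verifies the JWT cookie inside each handler, and a forwarding step that drops any client-sent copy of the identity header before setting it from the verified token. The HS256 signing, the secret, the cookie name `access_token` and the header name `x-user-id` are assumptions made for illustration, and the token is constructed inline so the code runs offline.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: comes from a secret store in practice
const COOKIE_NAME = 'access_token';       // hypothetical cookie name
const b64url = (v) => Buffer.from(v).toString('base64url');

// Signer used only to build constructed sample tokens (HS256).
function signToken(payload, secret = SECRET) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Returns the verified claims, or null for a missing, forged or expired token.
function getSessionUser(cookieHeader, now = Date.now()) {
  const match = (cookieHeader || '').split(/;\s*/).find((c) => c.startsWith(`${COOKIE_NAME}=`));
  if (!match) return null;
  const parts = match.slice(COOKIE_NAME.length + 1).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm; the token must not choose how it is verified.
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'HS256') return null;
    const expected = crypto.createHmac('sha256', SECRET).update(`${head}.${body}`).digest();
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
    return typeof claims.sub === 'string' ? claims : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// If middleware forwards identity in a header, a client-sent copy is dropped first,
// so the handler only ever sees a value derived from a verified token.
function forwardIdentity(incomingHeaders, cookieHeader) {
  const headers = new Headers(incomingHeaders);
  headers.delete('x-user-id'); // hypothetical header name
  const user = getSessionUser(cookieHeader);
  if (user) headers.set('x-user-id', user.sub);
  return headers;
}
```

Calling `getSessionUser` at the top of a handler keeps the trust decision on the signed cookie itself rather than on a plain-text header.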