Routing and Middleware

Advanced Routing in Express

Routing is the core of any web application. Express provides a powerful and flexible routing system that allows you to create clean, maintainable API endpoints.

Learning Objectives

Understand Express Router and modular routing
Learn route parameters and query strings
Master middleware types and patterns
Build reusable middleware functions

Express Router

The Express Router is a mini Express application capable of handling routes and middleware. It helps organize your routes into separate modules.

Creating a Router

javascript
// routes/products.js
const express = require('express');
const router = express.Router();

// All routes here are relative to /api/products
router.get('/', (req, res) => {
  res.json({ message: 'Get all products' });
});

router.get('/:id', (req, res) => {
  res.json({ message: `Get product ${req.params.id}` });
});

router.post('/', (req, res) => {
  res.status(201).json({ message: 'Create product' });
});

module.exports = router;

Mounting Routers

javascript
// app.js
const express = require('express');
const productsRouter = require('./routes/products');
const usersRouter = require('./routes/users');
const ordersRouter = require('./routes/orders');

const app = express();

// Mount routers with prefixes
app.use('/api/products', productsRouter);
app.use('/api/users', usersRouter);
app.use('/api/orders', ordersRouter);

module.exports = app;

Route Parameters

Basic Route Parameters

javascript
// Single parameter
app.get('/users/:id', (req, res) => {
  const userId = req.params.id;
  res.json({ userId });
});

// Example: GET /users/123
// req.params = { id: '123' }

Query Strings

Query strings are used for filtering, pagination, and search:

javascript
// GET /api/products?category=electronics&sort=price&order=desc&page=1&limit=10

app.get('/api/products', (req, res) => {
  const {
    category,
    sort = 'createdAt',
    order = 'asc',
    page = 1,
    limit = 10
  } = req.query;

  console.log({
    category,     // 'electronics'
    sort,         // 'price'
    order,        // 'desc'
    page,         // '1' (string!)
    limit         // '10' (string!)
  });

  // Convert to numbers
  const pageNum = parseInt(page, 10);
  const limitNum = parseInt(limit, 10);
  const skip = (pageNum - 1) * limitNum;

  // Build query...
  res.json({
    data: [],
    pagination: {
      page: pageNum,
      limit: limitNum,
      total: 100
    }
  });
});

Important

Query string values are always strings! Remember to parse numbers with parseInt() or parseFloat().

Middleware Deep Dive

Middleware functions are the heart of Express. They execute in the order they're defined and can:

Execute code
Modify request and response objects
End the request-response cycle
Call the next middleware

Types of Middleware

Creating Custom Middleware

Authentication Middleware

javascript
// middleware/auth.js
const jwt = require('jsonwebtoken');

const authenticate = (req, res, next) => {
  const authHeader = req.headers.authorization;

  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'No token provided' });
  }

  const token = authHeader.split(' ')[1];

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = decoded;
    next();
  } catch (error) {
    return res.status(401).json({ error: 'Invalid token' });
  }
};

// Role-based authorization
const authorize = (...roles) => {
  return (req, res, next) => {
    if (!roles.includes(req.user.role)) {
      return res.status(403).json({ 
        error: 'Not authorized to access this resource' 
      });
    }
    next();
  };
};

module.exports = { authenticate, authorize };

Request Validation Middleware

javascript
// middleware/validate.js
const validateBody = (schema) => {
  return (req, res, next) => {
    const { error, value } = schema.validate(req.body);
    
    if (error) {
      return res.status(400).json({
        error: 'Validation error',
        details: error.details.map(d => d.message)
      });
    }
    
    req.body = value; // Use validated/sanitized data
    next();
  };
};

// Usage with Joi
const Joi = require('joi');

const createUserSchema = Joi.object({
  name: Joi.string().min(2).max(50).required(),
  email: Joi.string().email().required(),
  password: Joi.string().min(8).required()
});

router.post('/users', 
  validateBody(createUserSchema),
  usersController.create
);

Rate Limiting Middleware

javascript
// middleware/rateLimit.js
const rateLimit = (options = {}) => {
  const { 
    windowMs = 60000, // 1 minute
    max = 100,        // requests per window
    message = 'Too many requests'
  } = options;

  const requests = new Map();

  return (req, res, next) => {
    const key = req.ip;
    const now = Date.now();
    
    // Clean old entries
    const windowStart = now - windowMs;
    
    if (!requests.has(key)) {
      requests.set(key, []);
    }
    
    const userRequests = requests.get(key)
      .filter(time => time > windowStart);
    
    if (userRequests.length >= max) {
      return res.status(429).json({ error: message });
    }
    
    userRequests.push(now);
    requests.set(key, userRequests);
    
    next();
  };
};

// Usage
app.use('/api', rateLimit({ max: 100, windowMs: 60000 }));

Middleware Execution Order

Middleware Chain

javascript
app.use(helmet());              // 1. Security headers
app.use(cors());                // 2. CORS
app.use(morgan('dev'));         // 3. Logging
app.use(express.json());        // 4. Parse body
app.use(rateLimit());           // 5. Rate limiting

// 6. Routes (with their own middleware)
app.use('/api', authenticate, apiRoutes);
app.use('/public', publicRoutes);

// 7. 404 Handler
app.use((req, res) => {
  res.status(404).json({ error: 'Not found' });
});

// 8. Error Handler (always last!)
app.use((err, req, res, next) => {
  res.status(500).json({ error: err.message });
});

Route Chaining

Express allows you to chain route handlers:

javascript
// Method 1: Multiple callbacks
app.get('/users/:id',
  validateParams,
  authenticate,
  authorize('admin'),
  async (req, res) => {
    // All middleware passed!
    res.json(user);
  }
);

// Method 2: router.route() for same path, different methods
router.route('/users')
  .get(getUsers)
  .post(validateBody(userSchema), createUser);

router.route('/users/:id')
  .get(getUser)
  .patch(validateBody(updateSchema), updateUser)
  .delete(authorize('admin'), deleteUser);

Best Practices

✅ Routing & Middleware Best Practices

Keep routes organized — Group related routes in separate files
Use async/await with try-catch — Or use an async handler wrapper
Validate input early — Use validation middleware before handlers
Keep middleware focused — One middleware, one responsibility
Order matters — Error handlers must be last
Use meaningful HTTP status codes — 200, 201, 400, 401, 403, 404, 500

Next Steps

Continue Learning

Now that you understand routing and middleware, let's connect to a database and build real CRUD operations!

Next Lesson:Database Integration with MongoDB/PostgreSQL