Home/ Questions/Q 8667477
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T17:58:21+00:00

I’m trying to add authentication to my Express-based server. I am noticing some strange

  • 0

I’m trying to add authentication to my Express-based server. I am noticing some strange behavior of the routing.

I’ve distilled the problem to this Express code:

app.get('/', function (req, res) {
    console.log('this is reached first');
    res.send('Hello');
});

app.get('/', function (req, res) {
    console.log('this is not reached');
});

app.get('*', function (req, res) {
    console.log('this is reached');
});

Upon requesting ‘/’ the 1st handler is called. It provides a response and does not call next(). Therefore I am surprised to see that the 3rd handler (‘*’) is also called!
Another surprise is that the response (‘res’) passed to the 3rd handler is not the same as the one passed to the first handler. (If I were to call next() from the 1st handler then the 2nd handler would be called, and with the same response object.)

Now for my real scenario: I want to process requests and verify authentication in a global manner. Some routes, however, should remain available for non-authenticated users. I based my solution on Zikes’ answer.
I routed the “free” paths first. Then I included an route handler for all (‘*’). It would call next() if the user is authenticated or next(err) otherwise. Following are all the “restricted” routes. And finally, my own error handler using app.use. It looks something like this:

app.use(app.router);
app.use(function(err, req, res, next) {
    console.log('An error occurred: ' + err);
    res.send(401, 'Unauthorized');
});

app.get('/', function (req, res) {
    res.send('Hello all');
});

app.all('*', function (req, res, next) {
    if (req.user) {
        next(); // authorized
    } else {
        next(new Error('401')); // unauthorized
    }
});

app.get('/members', function (req, res) {
    res.send('Hello member');
});

This works rather well, blocking access to ‘/members’. However, it has bug: the authentication check and error handling happens even when accessing the non-restricted path (‘/’). After the intended response is sent, the error handler tries to send a 401 error response. The latter does not get sent, but the code should not run.

Also, a side effect of this mechanism is that unauthenticated users get an 401 error for non-existing pages. I may want to return a 404 in some of those cases. But now I’m just pushing it…

I kinda have 2 questions:

  1. Is this behavior a bug? Should the general handler be called without next being called?
  2. What would be a good solution for hooking many but not all routes, without having to mark them individually?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    For the first question, my guess is that the browser is sending more than one request.

    For example, when you browse to http://localhost:3000/ Chrome will also request the http://localhost:3000/favicon.ico

    You can print the request that is being caught with something like this:

    app.get('*', function (req, res) {
    console.log('this is reached');
    console.log('url ' + req.url );
});
    • 0