Chapters
Chapters

Chapters

Hide chapters

Server-Side Swift with Vapor

Third Edition · iOS 13 · Swift 5.2 - Vapor 4 Framework · Xcode 11.4

Before You Begin

Section 0: 3 chapters
Show chapters Hide chapters

Section I: Creating a Simple Web API

Section 1: 13 chapters
Show chapters Hide chapters

Section II: Making a Simple Web App

Section 2: 4 chapters
Show chapters Hide chapters

Section III: Validation, Users & Authentication

Section 3: 7 chapters
Show chapters Hide chapters

Section IV: Advanced Server-Side Swift

Section 4: 7 chapters
Show chapters Hide chapters

Section V: Production & External Deployment

Section 5: 7 chapters
Show chapters Hide chapters

29. Middleware
Written by Tanner Nelson

Heads up... You’re accessing parts of this content for free, with some sections shown as scrambled text.

Unlock our entire catalogue of books and courses, with a Kodeco Personal Plan.

Unlock now

Heads up... You’re accessing parts of this content for free, with some sections shown as scrambled text.

Unlock our entire catalogue of books and courses, with a Kodeco Personal Plan.

Unlock now

In the course of building your application, you’ll often find it necessary to integrate your own steps into the request pipeline. The most common mechanism for accomplishing this is to use one or more pieces of middleware. They allow you to do things like:

  • Log incoming requests.
  • Catch errors and display messages.
  • Rate-limit traffic to particular routes.

Middleware instances sit between your router and the client connected to your server. This allows them to view, and potentially mutate, incoming requests before they reach your controllers. A middleware instance may choose to return early by generating its own response, or it can forward the request to the next responder in the chain. The final responder is always your router. When the response from the next responder is generated, the middleware can make any modifications it deems necessary, or choose to forward it back to the client as is. This means each middleware instance has control over both incoming requests and outgoing responses.

As you can see in the diagram above, the first middleware instance in your application — Middleware A — receives incoming requests from the client first. The first middleware may then choose to pass this request on to the next middleware — Middleware B — and so on.

Eventually, some component generates a response, which then traverses back through the middleware in the opposite direction. Take note that this means the first middleware receives responses last.

The protocol for Middleware is fairly simple and should help you better understand the previous diagram:

public protocol Middleware {
  func respond(
    to request: Request, 
    chainingTo next: Responder
  ) -> EventLoopFuture<Response>
}

In the case of Middleware A, request is the incoming data from the client, while next is Middleware B. The asynchronous response returned by Middleware A goes directly to the client.

For Middleware B, request is the request passed on from Middleware A. next is the router. The future response returned by Middleware B goes to Middleware A.

Vapor’s middleware

Vapor includes some middleware out of the box. This section introduces you to the available options to give you an idea of what middleware is commonly used for.

Error middleware

The most commonly used middleware in Vapor is ErrorMiddleware. It’s responsible for converting both synchronous and asynchronous Swift errors into HTTP responses. Uncaught errors cause the HTTP server to immediately close the connection and print an internal error log.

throw Abort(.badRequest, "Something's not quite right.")

File middleware

Another common type of middleware is FileMiddleware. This middleware serves files from the Public folder in your application directory. This is useful when you’re using Vapor to create a front-end website that may require static files like images or style sheets.

Other Middleware

Vapor also provides a SessionsMiddleware, responsible for tracking sessions with connected clients. Other packages may provide middleware to help them integrate into your application. For example, Vapor’s Authentication package contains middleware for protecting your routes using basic passwords, simple bearer tokens, and even JWTs (JSON Web Tokens).

Example: Todo API

Now that you have an understanding of how various types of middleware function, you’re ready to learn how to configure them and how to create your own custom middleware types.

$ swift run Run routes
+--------+--------------+
| GET    | /todos       |
+--------+--------------+
| POST   | /todos       |
+--------+--------------+
| DELETE | /todos/:todo |
+--------+--------------+

Log middleware

The first middleware you’ll create will log incoming requests. It will display the following information for each request:

open Package.swift

final class LogMiddleware: Middleware {
  // 1
  func respond(
    to req: Request, 
    chainingTo next: Responder
  ) -> EventLoopFuture<Response> {
    // 2
    req.logger.info("\(req)")
    // 3
    return next.respond(to: req)
  }
}

app.middleware.use(LogMiddleware())

curl localhost:8080/todos

[ INFO ] GET /todos HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.64.1
Accept: */*
 [request-id: 4D528CE6-8C10-443A-A5BB-9A6F2BB3A6E7]

func respond(
  to req: Request, 
  chainingTo next: Responder
) -> EventLoopFuture<Response> {
  // 1
  let start = Date()
  return next.respond(to: req).map { res in
    // 2
    self.log(res, start: start, for: req)
    return res
  }
}

// 3
func log(_ res: Response, start: Date, for req: Request) {
  let reqInfo = "\(req.method.string) \(req.url.path)"
  let resInfo = "\(res.status.code) " + 
    "\(res.status.reasonPhrase)"
  // 4
  let time = Date()
    .timeIntervalSince(start)
    .readableMilliseconds
  // 5
  req.logger.info("\(reqInfo) -> \(resInfo) [\(time)]")
}

curl localhost:8080/todos

[ INFO ] GET /todos -> 200 OK [1.7ms] [request-id: ...]

Secret middleware

Now that you’ve learned how to create middleware and apply it globally, you’ll learn how to apply middleware to specific routes.

final class SecretMiddleware: Middleware {
  // 1
  let secret: String

  init(secret: String) {
    self.secret = secret
  }

  // 2
  func respond(
    to request: Request,
    chainingTo next: Responder
  ) -> EventLoopFuture<Response> {
    // 3
    guard
      request.headers.first(name: .xSecret) == secret
    else {
      // 4
      return request.eventLoop.makeFailedFuture(
        Abort(
          .unauthorized, 
          reason: "Incorrect X-Secret header."))
    }
    // 5
    return next.respond(to: request)
  }
}

extension SecretMiddleware {
  // 1
  static func detect() throws -> Self {
    // 2
    guard let secret = Environment.get("SECRET") else {
      // 3
      throw Abort(
        .internalServerError, 
        reason: """
          No SECRET set on environment. \
          Use export SECRET=<secret>
          """)
    }
    // 4
    return .init(secret: secret)
  }
}

// 1
try app.group(SecretMiddleware.detect()) { secretGroup in
  // 2
  secretGroup.post("todos", use: todoController.create)
  secretGroup.delete(
    "todos", 
    ":id", 
    use: todoController.delete)
}

SECRET=foo


{
    "error": true,
    "reason": "Incorrect X-Secret header."
}

Where to go from here?

Middleware is extremely useful for creating large web applications. It allows you to apply restrictions and transformations globally or to just a few routes using discrete, re-usable components. In this chapter, you learned how to create a global LogMiddleware that displayed information about all incoming requests to your app. You then created SecretMiddleware, which could protect select routes from public access.

28. Caching
30. WebSockets
Have a technical question? Want to report a bug? You can ask questions and report bugs to the book authors in our official book forum here.
© 2025 Kodeco Inc.

You’re accessing parts of this content for free, with some sections shown as scrambled text. Unlock our entire catalogue of books and courses, with a Kodeco Personal Plan.

Unlock now