Middleware Architecture 🔗

Process HTTP requests through a stack of middleware for authentication, logging, CORS, rate limiting, and more.

What You'll Learn in This Lesson

• What middleware is and how request pipelines work
• Build a chainable middleware pipeline from scratch
• Create auth, CORS, rate limiting, and logging middleware
• Apply middleware conditionally to specific routes
• Middleware ordering and the difference from filters/events

Note: PHP runs on a server. Our examples simulate PHP logic using JavaScript. To run real PHP, install PHP.

🎯 Real-World Analogy: Middleware is like airport security checkpoints. Your request (passenger) passes through multiple layers: ticket check (authentication), passport control (authorization), baggage scan (validation), and metal detector (security headers). Each layer can approve you to the next, or reject you. The order matters — you can't go through customs before checking in!

Building a Middleware Pipeline

A middleware pipeline processes requests through a chain of functions. Each middleware receives the request and a $next callback. It can modify the request, call $next to continue, or return early to short-circuit the pipeline (e.g., rejecting unauthenticated requests).

Try It: Middleware Pipeline

Build a pipeline with logging, CORS, rate limiting, and auth middleware

Try it Yourself »

JavaScript

// Middleware Pipeline: Processing Requests
console.log("=== What is Middleware? ===");
console.log();
console.log("Middleware = functions that process a request BEFORE it reaches");
console.log("your controller. Each middleware can:");
console.log("  1. Modify the request (add data, parse headers)");
console.log("  2. Short-circuit (reject unauthorized requests)");
console.log("  3. Modify the response (add headers, compress)");
console.log("  4. Pass to the next middleware in the stack");
cons
...

Practical Middleware Patterns

In production, you'll apply different middleware to different routes. Public pages need CORS and logging but not authentication. API endpoints need auth and rate limiting. Admin routes need both auth and admin-role checks. Learning to compose middleware stacks is a core skill for framework-level PHP development.

Try It: Practical Middleware

Apply middleware conditionally to routes and understand ordering

Try it Yourself »

JavaScript

// Practical Middleware Examples
console.log("=== Common Middleware Stack ===");
console.log();
console.log("Order matters! Typical stack:");
console.log("  1. Error Handler     — Catch exceptions from all layers");
console.log("  2. CORS              — Handle cross-origin requests");
console.log("  3. Rate Limiter      — Throttle excessive requests");
console.log("  4. Body Parser       — Parse JSON/form bodies");
console.log("  5. Authentication    — Verify JWT/session tokens");
console.log(" 
...

⚠️ Common Mistakes

⚠️

Wrong middleware order — put error handling first and authentication before authorization. A misplaced CORS middleware can cause browsers to reject valid requests.

⚠️

Forgetting to call $next — if a middleware doesn't call $next($request), the request stops there. Only skip it intentionally (like rejecting unauthenticated requests).

⚠️

Heavy middleware on every route — don't run database queries in middleware that applies to static assets. Use route groups to target middleware precisely.

💡

Pro Tip: In Laravel, use middleware groups ('web', 'api') to apply common stacks. Custom middleware should implement MiddlewareInterface for consistency.

📋 Quick Reference — Middleware

Middleware	Purpose
Auth	Verify JWT/session, attach user to request
CORS	Add cross-origin headers for browser requests
Rate Limiter	Throttle requests per IP/user
Logger	Log request method, path, timing
Body Parser	Parse JSON/form request bodies
Error Handler	Catch exceptions, return formatted errors

🎉 Lesson Complete!

You understand middleware pipelines! Next, dive into advanced PDO with transactions, prepared statements, and stored procedures.