Middleware

Our backend (NestJS) and frontend (Next.js) rely on a deliberate, layered use of middlewares to keep security and other cross-cutting concerns out of business logic. Each middleware is an intermediate processing step between the incoming request and the route handler: it validates input, enforces access control, and applies shared rules, so the handlers themselves stay clean and decoupled.

Role and Operation

When a request reaches our servers, it passes through multiple middlewares before reaching the main application handlers. These layers serve several critical purposes:

  • Data validation and normalization, preventing malformed or malicious requests from affecting business logic.

  • Authentication and authorization, including validation of JWT tokens and verification of user roles (Studio).

  • Preventive security checks, such as spam detection and automated request filtering.

This modular approach ensures that new rules or features can be introduced without impacting core application logic.


Implemented Middlewares

Our middleware implementation is organized into several categories:

1. Authentication and Authorization

  • JsonWebToken (JWT): Signs tokens when a session is issued and, on each request, verifies the signature and rejects expired tokens.

  • Role Middleware: Verifies user permissions based on assigned roles (Studio).

2. File Handling

  • Multer-based Interceptor: Extracts and processes files sent via form-data.

3. Security and Anti-Bot

  • Rate Limiting: Leveraging NestJS Throttler to mitigate request spamming.

  • Custom Anti-Bot Middleware: Monitors and limits requests based on multiple criteria (IP, phone number, email, and a fingerprint derived from request headers).

    • Implements progressive blocking and temporary suspensions for suspicious behavior.

    • Detects massive coordinated attacks and can temporarily halt service access under extreme conditions.

Together, these middlewares protect the platform from brute force attacks, spam, and API abuse, while maintaining granular control over user access.
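The backend chain described above, as an added example that is not the project's own code: an HS256 JWT check (pinned algorithm, constant-time MAC comparison, expiry), a role check, and a progressive anti-bot guard keyed on any identifier (IP, e-mail, phone or header fingerprint), written as plain functions so they run without NestJS. The secret, role names, thresholds and client identifiers below are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not the project's code. Secret, roles, thresholds and sample
// identifiers are made up for illustration.

export interface Claims { sub: string; role: string; exp: number }

function b64urlJson(obj: unknown): string {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

function parseB64urlJson<T>(segment: string): T | null {
  try { return JSON.parse(Buffer.from(segment, "base64url").toString("utf8")) as T; }
  catch { return null; }
}

// Sign an HS256 token; exp is derived from nowSec + ttlSec.
export function signJwt(payload: Omit<Claims, "exp">, secret: string, nowSec: number, ttlSec: number): string {
  const header = b64urlJson({ alg: "HS256", typ: "JWT" });
  const body = b64urlJson({ ...payload, exp: nowSec + ttlSec });
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

// Verify: pin the algorithm (never trust the token's own alg), compare the MAC in
// constant time, then reject expired tokens. Any failure yields null.
export function verifyJwt(token: string, secret: string, nowSec: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts as [string, string, string];
  const hdr = parseB64urlJson<{ alg?: string }>(header);
  if (!hdr || hdr.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = parseB64urlJson<Claims>(body);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  return claims;
}

// Role middleware: the route declares which roles it accepts.
export function hasRole(claims: Claims, allowed: string[]): boolean {
  return allowed.includes(claims.role);
}

// Anti-bot guard: sliding-window counter per key (IP, e-mail, phone, fingerprint).
// Each time the limit is exceeded the suspension doubles (60s, 120s, 240s, ...).
export class AbuseGuard {
  private readonly hits = new Map<string, number[]>();
  private readonly blockedUntil = new Map<string, number>();
  private readonly strikes = new Map<string, number>();
  private readonly limit: number;
  private readonly windowSec: number;
  private readonly baseBlockSec: number;

  constructor(limit = 5, windowSec = 60, baseBlockSec = 60) {
    this.limit = limit; this.windowSec = windowSec; this.baseBlockSec = baseBlockSec;
  }

  check(key: string, nowSec: number): "allow" | "blocked" {
    if ((this.blockedUntil.get(key) ?? 0) > nowSec) return "blocked";
    const recent = (this.hits.get(key) ?? []).filter(t => t > nowSec - this.windowSec);
    recent.push(nowSec);
    if (recent.length > this.limit) {
      const n = (this.strikes.get(key) ?? 0) + 1;
      this.strikes.set(key, n);
      this.blockedUntil.set(key, nowSec + this.baseBlockSec * 2 ** (n - 1));
      this.hits.set(key, []);
      return "blocked";
    }
    this.hits.set(key, recent);
    return "allow";
  }
}

// Order matters: the cheap abuse check runs before any crypto, then authn, then authz.
export function handleRequest(guard: AbuseGuard, clientKey: string, token: string | undefined,
                              secret: string, allowedRoles: string[], nowSec: number): number {
  if (guard.check(clientKey, nowSec) === "blocked") return 429;
  const claims = token ? verifyJwt(token, secret, nowSec) : null;
  if (!claims) return 401;
  if (!hasRole(claims, allowedRoles)) return 403;
  return 200;
}

// Constructed sample run (secret and identities are made up).
const SECRET = "dev-only-secret";
const T0 = 1_700_000_000;
const studioToken = signJwt({ sub: "user-1", role: "studio" }, SECRET, T0, 300);
const guard = new AbuseGuard();
console.log(handleRequest(guard, "203.0.113.7", studioToken, SECRET, ["studio"], T0 + 10));  // 200
console.log(handleRequest(guard, "203.0.113.7", studioToken, SECRET, ["admin"], T0 + 11));   // 403
console.log(handleRequest(guard, "203.0.113.7", studioToken, SECRET, ["studio"], T0 + 400)); // 401 (expired)
```

Two design points worth keeping when moving this into real NestJS middleware: the algorithm is pinned server-side rather than read from the token header, which is what defeats `alg=none` and key-confusion tricks, and the abuse guard runs first so that a flood of requests never reaches the HMAC computation.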


Frontend (Next.js)

On the frontend, Next.js middleware runs on the server before a page is rendered, so it can act on a request before any page or API code does. It complements the backend checks in three ways:

  • Session Protection: Pages that require authentication automatically redirect users who are not signed in, or who do not own the resource they requested.

  • Pre-validation: JWT tokens are checked before API calls are made, so requests the backend would reject are never sent. The backend middleware remains the authoritative check; this step only saves a round trip.

  • Header enrichment / Internationalization: The middleware adds headers (e.g. the user's language) to prepare for future multilingual support.
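The three frontend behaviours above, as an added example that is not the project's own code: the routing decision a Next.js `middleware.ts` would make, kept as a pure function so it can be exercised here without a Next.js runtime. The protected route prefixes, the `session` cookie name, the `x-user-language` header, the `/studio/<ownerId>/...` URL convention and the language list are all assumptions. The frontend only decodes the token's `exp` and `sub` claims; it holds no signing secret, so the backend JWT middleware stays authoritative.

```typescript
// Added example, not the project's code. Route prefixes, cookie/header names,
// the /studio/<ownerId> convention and the language list are assumptions.

export type Decision =
  | { action: "redirect"; location: string }
  | { action: "next"; headers: Record<string, string> };

export interface IncomingRequest {
  pathname: string;                 // e.g. "/studio/42/edit"
  cookies: Record<string, string>;
  headers: Record<string, string>;  // header names lower-cased
}

const PROTECTED_PREFIXES = ["/studio", "/account"];  // assumption
const SUPPORTED_LANGUAGES = ["en", "fr", "es"];      // assumption
const SESSION_COOKIE = "session";                    // assumption

// Decode (not verify) the JWT payload. In the Edge runtime, swap Buffer for atob.
export function decodePayload(token: string): { sub?: string; exp?: number } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try { return JSON.parse(Buffer.from(parts[1]!, "base64url").toString("utf8")); }
  catch { return null; }
}

// First supported primary language tag from Accept-Language, else "en".
export function pickLanguage(acceptLanguage: string | undefined): string {
  for (const entry of (acceptLanguage ?? "").split(",")) {
    const primary = entry.split(";")[0]!.trim().toLowerCase().split("-")[0]!;
    if (SUPPORTED_LANGUAGES.includes(primary)) return primary;
  }
  return "en";
}

export function decide(req: IncomingRequest, nowSec: number): Decision {
  const headers = { "x-user-language": pickLanguage(req.headers["accept-language"]) };
  const isProtected = PROTECTED_PREFIXES.some(
    p => req.pathname === p || req.pathname.startsWith(p + "/"));
  if (!isProtected) return { action: "next", headers };

  // Session protection: no usable (present, well-formed, unexpired) token -> login,
  // remembering the page the user asked for.
  const token = req.cookies[SESSION_COOKIE];
  const payload = token ? decodePayload(token) : null;
  if (!payload || typeof payload.exp !== "number" || payload.exp <= nowSec) {
    return { action: "redirect", location: `/login?next=${encodeURIComponent(req.pathname)}` };
  }

  // Ownership: /studio/<ownerId>/... is only for the user whose `sub` matches (assumed convention).
  const owner = req.pathname.match(/^\/studio\/([^/]+)/)?.[1];
  if (owner !== undefined && owner !== payload.sub) return { action: "redirect", location: "/" };

  return { action: "next", headers };
}

// Constructed sample token: header.payload.signature with a placeholder signature,
// since the frontend never checks it.
export function sampleToken(sub: string, exp: number): string {
  const enc = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub, exp })}.sig`;
}

const NOW = 1_700_000_000;
console.log(decide({ pathname: "/studio/42/edit", cookies: {}, headers: {} }, NOW));
console.log(decide({ pathname: "/studio/42/edit", cookies: { session: sampleToken("42", NOW + 60) },
                     headers: { "accept-language": "fr-FR,fr;q=0.9,en;q=0.8" } }, NOW));
```

In a real `middleware.ts` the `redirect` branch becomes `NextResponse.redirect(new URL(location, request.url))` and the `next` branch becomes `NextResponse.next({ request: { headers } })`. Because the signature is never checked here, a forged cookie can pass this layer; that is acceptable only because every API call still goes through the backend JWT middleware.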
