Middleware
Middleware sits between the request and your route handler. Noor includes several built-in middleware classes.
Built-in Middleware
| Name | Class | Purpose |
|---|---|---|
| csrf | CsrfMiddleware | Validates CSRF tokens on mutating requests |
| auth | AuthMiddleware | Requires an authenticated user |
| guest | GuestMiddleware | Redirects authenticated users away |
| throttle | ThrottleMiddleware | Simple rate limiter by IP |
Applying Middleware
Per Route
```php
Route::get('/dashboard', $handler)->middleware('auth');
Route::get('/login', $handler)->middleware('guest');
Route::post('/form', $handler)->middleware('csrf');
```
Multiple Middleware
```php
Route::get('/admin', $handler)->middleware(['auth', 'throttle:60,1']);
```
In Groups
```php
Route::group(['middleware' => ['auth']], function () {
    Route::get('/dashboard', $handler);
    Route::get('/settings', $handler);
});
```
Custom Middleware
Create a class that extends Middleware:
```php
class LogMiddleware extends Middleware {
    public function handle(Request $request, callable $next): mixed {
        // Before the request
        error_log('Request: ' . $request->method() . ' ' . $request->path());
        $response = $next($request);
        // After the request
        error_log('Response sent');
        return $response;
    }
}
```
Register it:
```php
Middleware::register('log', LogMiddleware::class);
// Use on routes
Route::get('/users', $handler)->middleware('log');
```
CSRF Exclusions
Exclude certain routes from CSRF validation:
```php
// Pass excepted paths to the middleware
Route::post('/webhook/payment', $handler)->middleware('csrf');
// By default the CSRF middleware runs on all routes;
// exclude specific patterns by handling them in the route definition
```
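A route that does not rely on CSRF validation, such as the payment webhook above, needs another way to authenticate its caller. The following is an added example, not Noor's own code: a custom middleware that checks an HMAC-SHA256 signature over the raw request body. The `X-Signature` header, the `WEBHOOK_SECRET` environment variable, the `webhook.sig` alias and the plain-string 401 response are assumptions; only `Middleware`, `handle()`, `Middleware::register()` and `Route::post()` come from this page.

```php
<?php
// Added example, not Noor's own code. Assumed names: X-Signature header,
// WEBHOOK_SECRET env var, 'webhook.sig' alias, plain-string error response.

/** Constant-time check of a hex HMAC-SHA256 signature over the raw body. */
function webhookSignatureValid(string $rawBody, string $sigHeader, string $secret): bool
{
    // Reject an empty secret or a malformed header before doing any crypto.
    if ($secret === '' || !preg_match('/^[0-9a-f]{64}$/i', $sigHeader)) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // hash_equals avoids leaking the mismatch position through timing.
    return hash_equals($expected, strtolower($sigHeader));
}

class WebhookSignatureMiddleware extends Middleware {
    public function handle(Request $request, callable $next): mixed {
        // Native PHP is used for header and body access because this page
        // does not document Request accessors for them.
        $sig    = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
        $body   = file_get_contents('php://input') ?: '';
        $secret = getenv('WEBHOOK_SECRET') ?: '';

        if (!webhookSignatureValid($body, $sig, $secret)) {
            error_log('Webhook signature rejected: ' . $request->path());
            http_response_code(401);
            return 'Invalid signature'; // assumed: a string is a valid response
        }
        return $next($request);
    }
}

Middleware::register('webhook.sig', WebhookSignatureMiddleware::class);
Route::post('/webhook/payment', $handler)->middleware('webhook.sig');
```

The signature is computed over the exact bytes received, so verify before any JSON decoding or re-encoding of the body.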
Throttle Configuration
```php
// throttle:max_attempts,decay_minutes
Route::get('/api/users', $handler)->middleware('throttle:30,1'); // 30 req/min
Route::post('/login', $handler)->middleware('throttle:5,1'); // 5 req/min
```