77bdf7921a
Previously, for regular handlers the request body was read in routing() before the route was matched, so the pre-request handler always saw an already-read body. The ContentReader path, in contrast, ran the pre-request handler before the body was read. This inconsistency made it impossible to reject a request (e.g. failed per-route authentication via req.matched_route) without buffering a potentially large body. Move the read_content() call into dispatch_request(), after route matching and the pre-request handler, so both paths behave the same: route matching -> pre_request_handler -> body read -> handler. A request rejected by the pre-request handler no longer reads the body at all; the existing keep-alive drain logic still consumes any framed body afterwards. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body. Inspect headers, path, query parameters, or matched_route instead. Also document the handler execution order in README and update the pre-request cookbook pages (en/ja).
2.2 KiB
title, order, status
| title | order | status |
|---|---|---|
| S11. Authenticate Per Route with a Pre-Request Handler | 30 | draft |
The set_pre_routing_handler() from S09. Add pre-processing to all routes runs before routing, so it has no idea which route matched. When you want per-route behavior, set_pre_request_handler() is what you need.
Pre-routing vs. pre-request
| Hook | When it runs | Route info | Request body |
|---|---|---|---|
set_pre_routing_handler |
Before routing | Not available | Not read yet |
set_pre_request_handler |
After routing, right before the route handler | Available via req.matched_route |
Not read yet |
In a pre-request handler, req.matched_route holds the pattern string that matched. You can vary behavior based on the route definition itself.
Because the body has not been read when the pre-request handler runs, you can reject a request — for example on a failed auth check — without consuming a (potentially large) request body. Note that this also means req.body and form fields parsed from the body are not available here; inspect headers, the path, query parameters, or req.matched_route instead.
Switch auth per route
svr.set_pre_request_handler(
[](const httplib::Request &req, httplib::Response &res) {
// require auth for routes starting with /admin
if (req.matched_route.rfind("/admin", 0) == 0) {
auto token = req.get_header_value("Authorization");
if (!is_admin_token(token)) {
res.status = 403;
res.set_content("forbidden", "text/plain");
return httplib::Server::HandlerResponse::Handled;
}
}
return httplib::Server::HandlerResponse::Unhandled;
});
matched_route is the pattern before path parameters are expanded (e.g. /admin/users/:id). You compare against the route definition, not the actual request path, so IDs or names don't throw you off.
Return values
Same as pre-routing — return HandlerResponse.
Unhandled: continue (the route handler runs)Handled: we're done, skip the route handler
Passing auth info to the route handler
To pass decoded user info into the route handler, use res.user_data. See S12. Pass data between handlers with res.user_data.