mirror of
https://github.com/yhirose/cpp-httplib.git
synced 2026-06-10 16:47:14 +00:00
77bdf7921a
Previously, for regular handlers the request body was read in routing() before the route was matched, so the pre-request handler always saw an already-read body. The ContentReader path, in contrast, ran the pre-request handler before the body was read. This inconsistency made it impossible to reject a request (e.g. failed per-route authentication via req.matched_route) without buffering a potentially large body. Move the read_content() call into dispatch_request(), after route matching and the pre-request handler, so both paths behave the same: route matching -> pre_request_handler -> body read -> handler. A request rejected by the pre-request handler no longer reads the body at all; the existing keep-alive drain logic still consumes any framed body afterwards. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body. Inspect headers, path, query parameters, or matched_route instead. Also document the handler execution order in README and update the pre-request cookbook pages (en/ja).
50 lines
2.2 KiB
Markdown
50 lines
2.2 KiB
Markdown
---
|
|
title: "S11. Authenticate Per Route with a Pre-Request Handler"
|
|
order: 30
|
|
status: "draft"
|
|
---
|
|
|
|
The `set_pre_routing_handler()` from [S09. Add pre-processing to all routes](s09-pre-routing) runs **before routing**, so it has no idea which route matched. When you want per-route behavior, `set_pre_request_handler()` is what you need.
|
|
|
|
## Pre-routing vs. pre-request
|
|
|
|
| Hook | When it runs | Route info | Request body |
|
|
| --- | --- | --- | --- |
|
|
| `set_pre_routing_handler` | Before routing | Not available | Not read yet |
|
|
| `set_pre_request_handler` | After routing, right before the route handler | Available via `req.matched_route` | Not read yet |
|
|
|
|
In a pre-request handler, `req.matched_route` holds the **pattern string** that matched. You can vary behavior based on the route definition itself.
|
|
|
|
Because the body has not been read when the pre-request handler runs, you can reject a request — for example on a failed auth check — without consuming a (potentially large) request body. Note that this also means `req.body` and form fields parsed from the body are not available here; inspect headers, the path, query parameters, or `req.matched_route` instead.
|
|
|
|
## Switch auth per route
|
|
|
|
```cpp
|
|
svr.set_pre_request_handler(
|
|
[](const httplib::Request &req, httplib::Response &res) {
|
|
// require auth for routes starting with /admin
|
|
if (req.matched_route.rfind("/admin", 0) == 0) {
|
|
auto token = req.get_header_value("Authorization");
|
|
if (!is_admin_token(token)) {
|
|
res.status = 403;
|
|
res.set_content("forbidden", "text/plain");
|
|
return httplib::Server::HandlerResponse::Handled;
|
|
}
|
|
}
|
|
return httplib::Server::HandlerResponse::Unhandled;
|
|
});
|
|
```
|
|
|
|
`matched_route` is the pattern **before** path parameters are expanded (e.g. `/admin/users/:id`). You compare against the route definition, not the actual request path, so IDs or names don't throw you off.
|
|
|
|
## Return values
|
|
|
|
Same as pre-routing — return `HandlerResponse`.
|
|
|
|
- `Unhandled`: continue (the route handler runs)
|
|
- `Handled`: we're done, skip the route handler
|
|
|
|
## Passing auth info to the route handler
|
|
|
|
To pass decoded user info into the route handler, use `res.user_data`. See [S12. Pass data between handlers with `res.user_data`](s12-user-data).
|