Middleware in Next.js – The Right Way
When you start working with middleware in Next.js, it feels easy enough:
add a couple of redirects, protect some routes, done.
But here’s the problem: most developers (including past me) end up writing middleware like this:
export async function middleware(request: NextRequest, user: User | null) { const { pathname } = request.nextUrl; if (pathname.startsWith("/dashboard")) { if (!user) { return NextResponse.redirect(new URL("/login", request.url)); } } else if (pathname.startsWith("/onboarding")) { if (!user) { return NextResponse.redirect(new URL("/login", request.url)); } } if (pathname.startsWith("/login")) { if (user) { return NextResponse.redirect(new URL("/dashboard", request.url)); } } else if (pathname.startsWith("/signup")) { if (user) { return NextResponse.redirect(new URL("/dashboard", request.url)); } } return NextResponse.next(); } Even though this works fine at a first glance. But there's a big problem in this approach.
As soon as you add more routes (e.g. /profile, /settings, /forgot-password, etc.)... your file turns into a giant mess of if/else.
And it will only become worse as your project scales.
Not fun, not scalable, and definitely - not clean.
Think in Rules, Not Conditions
Instead of hardcoding every redirect, we must only define conditions.
Think of a middleware as of a traffic cop.
The cop doesn't care who you are. It only checks where you’re going and whether you’re allowed to be there.
So let’s describe our rules in a structured way.
Step 1: Define Route Groups
We’ll split our routes into two simple groups:
const PROTECTED_ROUTES = ["/dashboard", "/onboarding"]; const AUTH_ROUTES = ["/login", "/signup"]; - Protected routes: only logged-in users can access them.
- Auth routes: only logged-out users should see them.
Already, much cleaner than writing 20 if checks.
Step 2: Describe Rules
Now let’s create a type for rules:
interface RouteRule { routes: string[]; condition: (user: User | null) => boolean; redirect: string; } Each rule says:
- Which routes it applies to
- The condition that triggers a redirect
- Where to redirect to
Step 3: Write the Rules
Here’s what our two rules look like:
const routeRules: RouteRule[] = [ { routes: PROTECTED_ROUTES, condition: (user) => !user, // if no user, redirect redirect: "/login", }, { routes: AUTH_ROUTES, condition: (user) => !!user, // if logged in, redirect redirect: "/dashboard", }, ]; That’s it. Add more groups? Just add more objects.
No need to touch the logic again.
Step 4: Apply Rules in Middleware
Now we loop through the rules:
export class Middleware { private routeRules = routeRules; async handle(request: NextRequest, user: User | null) { const { pathname } = request.nextUrl; for (const rule of this.routeRules) { const isMatch = rule.routes.some((r) => pathname.startsWith(r) ); if (isMatch && rule.condition(user)) { return NextResponse.redirect( new URL(rule.redirect, request.url) ); } } return NextResponse.next(); } } No clutter. No chaos. Just clear logic.
Why This Is the “Right Way”
- Scalable – Add new routes in seconds
- Readable – No jungle of if/else
- Reusable – One central place for rules
- Extensible – Can be expanded for roles, permissions, etc.
- SOLID compliant.
Middleware must feel like a middleware, not a nightmare.
Final Thoughts
The trick is simple:
Stop hardcoding conditions. Start thinking in rules.
This pattern will save you headaches, especially if your app has authentication and a growing set of protected pages.
If you found this interesting, comment, and let's have a talk!
Top comments (0)