Slim-Website

Documentation unclear with before and after middleware

Open · scorgn opened this issue 2 years ago · 1 comment

The middleware concepts page for Slim documentation is not exactly clear on the difference between before and after middleware.

On lines 5-9 it says that you can have middleware complete before and after the Slim application, and that before middleware would be useful to protect from cross-site request forgery.

Then on lines 73-81 it shows an example of two different middleware callables, one being $beforeMiddleware and the other being $afterMiddleware.

I think that this gives off the impression that the $beforeMiddleware callable is the same type of middleware that is described as middleware that would execute before the Slim application runs. The $beforeMiddleware callable is actually an "after middleware" though, because the first thing it does in the callable is handle the request.

I know that the behavior of the middleware is defined in PSR-15 but it may be good to clarify how to perform middleware logic before the application runs and how to perform middleware logic after the application runs. An example of a middleware that short-circuits the middleware flow and returns a response without calling $handler->handle() may be good to have as well.

scorgn · Oct 22 '21 17:10

I think you are right. The $beforeMiddleware is actually an outgoing middleware because it handles things after the handle method. I agree, it is confusing and should be changed as follows:

use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Exception\HttpForbiddenException;

$beforeMiddleware = function (Request $request, RequestHandler $handler) {
    $authorization = $request->getHeaderLine('Authorization');

    // Validate bearer token
    // If invalid, throw an HttpForbiddenException
    // ...

    // Only after the check passes does the request reach the application
    return $handler->handle($request);
};

or this:

$beforeMiddleware = function (Request $request, RequestHandler $handler) {
    $csrfToken = $request->getHeaderLine('X-CSRF-Token');

    // Validate CSRF token
    // If invalid, throw an HttpForbiddenException
    // ...

    // Only after the check passes does the request reach the application
    return $handler->handle($request);
};

odan · Oct 22 '21 19:10
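The three cases scorgn asks for above (logic before the application runs, logic after it runs, and a middleware that short-circuits without calling $handler->handle()), plus the CSRF-style check odan sketches, in one runnable Slim 4 script. This is an added example, not code from the Slim-Website docs or from either commenter. It assumes a Composer install with slim/slim ^4 and slim/psr7; the route path /transfer, the header name X-CSRF-Token and the constant EXPECTED_CSRF_TOKEN are constructed for the example (a real application would compare against a per-session token).

```php
<?php
// Added example (not from the Slim docs). Assumes `composer require slim/slim:^4 slim/psr7`.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Factory\AppFactory;

$app = AppFactory::create();

// Constructed secret for the example; a real app loads a per-session token.
const EXPECTED_CSRF_TOKEN = 'constructed-example-token';

// 1. "Before" (incoming) middleware that can short-circuit: everything above
//    $handler->handle() runs before the route. On a bad token it builds and
//    returns a 403 itself, so the route and all inner middleware never execute.
$csrfMiddleware = function (Request $request, RequestHandler $handler) use ($app): Response {
    // Safe methods change no state, so they are not CSRF targets.
    if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return $handler->handle($request);
    }

    $token = $request->getHeaderLine('X-CSRF-Token');
    // hash_equals() compares in constant time, so the check leaks no timing.
    if ($token === '' || !hash_equals(EXPECTED_CSRF_TOKEN, $token)) {
        $response = $app->getResponseFactory()->createResponse(403);
        $response->getBody()->write('Forbidden: invalid CSRF token');
        return $response; // short-circuit: $handler->handle() is never called
    }

    // Token accepted: hand the request on to the rest of the pipeline.
    return $handler->handle($request);
};

// 2. "After" (outgoing) middleware: it calls the handler FIRST and only then
//    acts on the response that came back, here by adding a security header.
$headersMiddleware = function (Request $request, RequestHandler $handler): Response {
    $response = $handler->handle($request);
    return $response->withHeader('X-Content-Type-Options', 'nosniff');
};

// Slim 4 middleware is LIFO: the layer added last is outermost and runs first
// on the way in and last on the way out. Adding the header middleware last
// means even a 403 produced by the CSRF short-circuit still gets the header.
$app->add($csrfMiddleware);
$app->add($headersMiddleware);

$app->post('/transfer', function (Request $request, Response $response): Response {
    $response->getBody()->write('transfer accepted');
    return $response;
});

$app->run();
```

Run it with `php -S localhost:8080 index.php`. A `curl -i -X POST http://localhost:8080/transfer` returns 403 with the nosniff header and the route body never appears; adding `-H 'X-CSRF-Token: constructed-example-token'` lets the request through to the route. The same shape works with odan's bearer-token variant: the only difference is whether the failing branch returns a response itself or throws HttpForbiddenException for Slim's error middleware to turn into a response.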