software-mansion-labs
diff --git a/‎apps/router-e2e/__e2e__/server-middleware-async/app/+middleware.ts‎
Lines changed: 63 additions & 0 deletions b/‎apps/router-e2e/__e2e__/server-middleware-async/app/+middleware.ts‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎apps/router-e2e/__e2e__/server-middleware-async/app/api+api.ts‎
Lines changed: 17 additions & 0 deletions b/‎apps/router-e2e/__e2e__/server-middleware-async/app/api+api.ts‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎apps/router-e2e/__e2e__/server-middleware-async/app/index.tsx‎
Lines changed: 15 additions & 0 deletions b/‎apps/router-e2e/__e2e__/server-middleware-async/app/index.tsx‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎apps/router-e2e/__e2e__/server-middleware-async/app/second.tsx‎
Lines changed: 15 additions & 0 deletions b/‎apps/router-e2e/__e2e__/server-middleware-async/app/second.tsx‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎apps/router-e2e/app.config.js‎
Lines changed: 1 addition & 0 deletions b/‎apps/router-e2e/app.config.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/router-e2e/package.json‎
Lines changed: 1 addition & 0 deletions b/‎apps/router-e2e/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/constants/navigation.js‎
Lines changed: 1 addition & 0 deletions b/‎docs/constants/navigation.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/pages/router/basics/notation.mdx‎
Lines changed: 14 additions & 2 deletions b/‎docs/pages/router/basics/notation.mdx‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎docs/pages/router/reference/middleware.mdx‎
Lines changed: 207 additions & 0 deletions b/‎docs/pages/router/reference/middleware.mdx‎
Lines changed: 207 additions & 0 deletions
diff --git a/‎packages/@expo/cli/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎packages/@expo/cli/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,63 @@
+import { MiddlewareFunction } from 'expo-router/server';
+import { jwtVerify, SignJWT } from 'jose';
+
+const secret = new TextEncoder().encode(process.env.TEST_SECRET_KEY);
+const secret2 = new TextEncoder().encode(process.env.TEST_SECRET_KEY  + '111');
+
+const middleware: MiddlewareFunction = async (request) => {
+  const url = new URL(request.url);
+  const scenario = url.searchParams.get('e2e');
+
+  if (scenario === 'redirect') {
+    return Response.redirect(new URL('/second', url.origin));
+  }
+
+  if (scenario === 'redirect-301') {
+    return Response.redirect(new URL('/second', url.origin), 301);
+  }
+
+  if (scenario === 'error') {
+    throw new Error('The middleware threw an error');
+  }
+
+  if (scenario === 'read-env') {
+    return Response.json({
+      ...process.env,
+    })
+  }
+
+  if (scenario === 'custom-response') {
+    return new Response(`<html><h1 data-testid="title">Custom response from middleware</h1></html>`, {
+      headers: {
+        'content-type': 'text/html',
+      }
+    });
+  }
+
+  if (scenario === 'sign-jwt') {
+    const jwt = await new SignJWT({ foo: 'bar' })
+      .setProtectedHeader({ alg: "HS256" })
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .sign(secret);
+    return new Response(JSON.stringify({ token: jwt }), {
+      headers: {
+        'content-type': 'application/json',
+      }
+    });
+  }
+
+  if (scenario === 'verify-jwt') {
+    const token = request.headers.get('authorization')!;
+    const decoded = await jwtVerify(token, secret);
+    return new Response(JSON.stringify({ payload: decoded.payload }), {
+      headers: {
+        'content-type': 'application/json',
+      }
+    });
+  }
+
+  // If no E2E scenario is specified, continue to normal routing
+}
+
+export default middleware;
@@ -0,0 +1,17 @@
+/** @type {import('expo-router/server').RequestHandler} */
+export function GET() {
+  return new Response(
+    JSON.stringify({
+      method: 'get',
+    })
+  );
+}
+
+/** @type {import('expo-router/server').RequestHandler} */
+export function POST() {
+  return new Response(
+    JSON.stringify({
+      method: 'post',
+    })
+  );
+}
@@ -0,0 +1,15 @@
+import { Text, View } from "react-native";
+
+export default function Index() {
+  return (
+    <View
+      style={{
+        flex: 1,
+        justifyContent: "center",
+        alignItems: "center",
+      }}
+    >
+      <Text testID="title">Index</Text>
+    </View>
+  );
+}
@@ -0,0 +1,15 @@
+import { Text, View } from "react-native";
+
+export default function Index() {
+  return (
+    <View
+      style={{
+        flex: 1,
+        justifyContent: "center",
+        alignItems: "center",
+      }}
+    >
+      <Text testID="title">Second</Text>
+    </View>
+  );
+}
@@ -74,6 +74,7 @@ module.exports = {
         rewrites: process.env.E2E_ROUTER_REWRITES
           ? JSON.parse(process.env.E2E_ROUTER_REWRITES)
           : undefined,
+        unstable_useServerMiddleware: process.env.E2E_ROUTER_SERVER_MIDDLEWARE === 'true',
       },
     ],
   ],
 
@@ -42,6 +42,7 @@
     "expo-router": "^5.0.7",
     "expo-speech": "~13.1.7",
     "expo-sqlite": "~15.2.10",
+    "jose": "^5",
     "react": "19.1.0",
     "react-native": "0.81.0-rc.5",
     "react-native-safe-area-context": "5.5.2",
 
@@ -275,6 +275,7 @@ export const general = [
     makeGroup('Reference', [
       makePage('router/error-handling.mdx'),
       makePage('router/reference/url-parameters.mdx'),
+      makePage('router/reference/middleware.mdx'),
       makePage('router/reference/redirects.mdx'),
       makePage('router/reference/static-rendering.mdx'),
       makePage('router/reference/async-routes.mdx'),
 
@@ -47,9 +47,21 @@ Layout routes are rendered before the actual page routes inside their directory.
 
 ### Plus sign
 
-<FileTree files={[['app/+not-found.tsx'], ['app/+html.tsx'], ['app/+native-intent.tsx']]} />
+<FileTree
+  files={[
+    ['app/+not-found.tsx'],
+    ['app/+html.tsx'],
+    ['app/+native-intent.tsx'],
+    ['app/+middleware.ts'],
+  ]}
+/>
+
+Routes that include a `+` have special significance to Expo Router, and are used for specific purposes. A few examples:
 
-Routes starting with a `+` have special significance to Expo Router, and are used for specific purposes. One example is [`+not-found`](/router/error-handling/#unmatched-routes), which catches any requests that don't match a route in your app. [`+html`](/router/reference/static-rendering/#root-html) is used to customize the HTML boilerplate used by your app on web. [`+native-intent`](/router/advanced/native-intent/) is used to handle deep links into your app that don't match a specific route, such as links generated by third party services.
+- [`+not-found`](/router/error-handling/#unmatched-routes), which catches any requests that don't match a route in your app.
+- [`+html`](/router/reference/static-rendering/#root-html) is used to customize the HTML boilerplate used by your app on web.
+- [`+native-intent`](/router/advanced/native-intent/) is used to handle deep links into your app that don't match a specific route, such as links generated by third-party services.
+- [`+middleware`](/router/reference/middleware/) is used to run code before a route is rendered, allowing you to perform tasks like authentication or redirection for every request.
 
 ## Route notation applied
 
 
@@ -0,0 +1,207 @@
+---
+title: Server middleware
+description: Learn how to create middleware that runs for every request to the server in Expo Router.
+---
+
+import { Collapsible } from '~/ui/components/Collapsible';
+import { Terminal } from '~/ui/components/Snippet';
+import { Step } from '~/ui/components/Step';
+
+> **important** Server middleware is an experimental feature, and requires a [deployed server](/router/reference/api-routes/#deployment) for production use.
+
+Server middleware in Expo Router allows you to run code before requests reach your routes, enabling powerful server-side functionality like authentication and logging for every request. Unlike [API routes](/router/reference/api-routes) that handle specific endpoints, middleware runs for **every** request in your app, so it should run as quickly as possible to avoid slowing down your app's performance. Client-side navigation such as on native, or in a web app when using [`<Link />`](/versions/latest/sdk/router/#link), will not move through the server middleware.
+
+## Setup
+
+<Step label="1">
+
+### Enable server middleware in your app configuration
+
+First, configure your app to use server output by adding the server configuration to your [app config](/versions/latest/config/app/):
+
+```json app.json
+{
+  "expo": {
+    /* @hide ... */
+    /* @end */
+    "web": {
+      /* @info Middleware is only supported in server mode */
+      "output": "server"
+      /* @end */
+    },
+    "plugins": [
+      [
+        "expo-router",
+        {
+          /* @info Enables server middleware */
+          "unstable_useServerMiddleware": true
+          /* @end */
+        }
+      ]
+    ]
+  }
+}
+```
+
+</Step>
+
+<Step label="2">
+
+### Create your middleware file
+
+Create a **+middleware.ts** file in your **app** directory, to define your server middleware function:
+
+```ts app/+middleware.ts
+export default function middleware(request) {
+  console.log(`Middleware executed for: ${request.url}`);
+  // Your middleware logic goes here
+}
+```
+
+The middleware function must be the default export of the file. It receives an [immutable request](#request-immutability) and can return either a [`Response`](https://developer.mozilla.org/en-US/docs/Web/API/Response), or nothing to let the request pass through unmodified. The request is immutable to prevent side effects; you can read headers and properties, but you cannot modify headers or consume the request body.
+
+</Step>
+
+<Step label="3">
+
+### Start your development server
+
+Run your development server to test the middleware:
+
+<Terminal cmd={['$ npx expo start']} />
+
+Your middleware will now run for all requests to your app.
+
+</Step>
+
+<Step label="4">
+
+### Test middleware functionality
+
+Visit your app in a browser or make requests to test that your middleware is working. Check your console for the log messages from the middleware function.
+
+</Step>
+
+## How it works
+
+Middleware functions are executed before any route handlers, allowing you to perform actions like logging, authentication, or modifying responses. It runs exclusively on the server and only for actual HTTP requests.
+
+### Request/response flow
+
+When a request comes to your app, Expo Router processes it in this order:
+
+1. The middleware function runs first with an [immutable request](#request-immutability).
+2. If middleware returns a `Response`, that response is sent immediately
+3. If middleware returns nothing, the request continues to the matching route
+4. The route handler processes the request and returns its response
+
+### Middleware execution order
+
+Expo Router supports a single middleware file named **+middleware.ts** that runs for all server requests. Middleware executes before any route matching or rendering occurs, letting you control the request lifecycle.
+
+### When middleware runs
+
+Middleware executes only for actual HTTP requests to your server. This means it is executed for:
+
+- Initial page loads, like when a user first visits your site
+- Full page refreshes
+- Direct URL navigation
+- API route calls from any client (native/web apps, external services)
+- Server-side rendering requests
+
+Middleware does not run for:
+
+- Client-side navigation using [`<Link />`](/versions/latest/sdk/router/#link) or [`router`](/versions/latest/sdk/router/#router)
+- Native app screen transitions
+- Prefetched routes
+- Static asset requests like images and fonts
+
+## Examples
+
+<Collapsible summary="Authentication">
+
+Middleware is often used to perform authorization checks before a route has loaded. You can check headers, cookies, or query parameters to determine if a user has access to certain routes:
+
+```ts app/+middleware.ts
+import { jwtVerify } from 'jose';
+
+export default function middleware(request) {
+  const token = request.headers.get('authorization');
+
+  const decoded = jwtVerify(token, process.env.SECRET_KEY);
+  if (!decoded.payload) {
+    return new Response('Forbidden', { status: 403 });
+  }
+}
+```
+
+</Collapsible>
+
+<Collapsible summary="Logging">
+
+You can use middleware to log requests for debugging or analytics purposes. This can help you track user activity or diagnose issues in your app:
+
+```ts app/+middleware.ts
+export default function middleware(request) {
+  console.log(`${request.method} ${request.url}`);
+}
+```
+
+</Collapsible>
+
+<Collapsible summary="Dynamic redirects">
+
+Middleware can also be used to perform dynamic redirects. This allows you to control user navigation based on specific conditions:
+
+```ts app/+middleware.ts
+export default function middleware(request) {
+  if (request.headers.has('specific-header')) {
+    return Response.redirect('https://expo.dev');
+  }
+}
+```
+
+</Collapsible>
+
+## Additional notes
+
+### Best practices
+
+- Keep middleware lightweight because it runs synchronously on every server request and directly impacts response times.
+- For native apps, use API routes for secure data fetching. When native apps call API routes, those requests will pass through middleware first.
+
+### Typed middleware
+
+```ts app/+middleware.ts
+import { MiddlewareFunction } from 'expo-router';
+
+const middleware: MiddlewareFunction = request => {
+  if (request.headers.has('specific-header')) {
+    return Response.redirect('https://expo.dev');
+  }
+};
+
+export default middleware;
+```
+
+### Limitations
+
+- Middleware runs exclusively on the server and only for HTTP requests. It does not execute during client-side navigation, for example, with [`<Link />`](/versions/latest/sdk/router/#link) or native app screen transitions.
+- The request object passed to middleware is [immutable](#request-immutability) to prevent side effects. You cannot modify headers or consume the request body, ensuring it remains available for route handlers.
+- You can only have one root-level **+middleware.ts** in your app.
+- The same limitations that [apply to API routes](/router/reference/api-routes/#known-limitations) also apply to middleware.
+
+### Request immutability
+
+To prevent unintended side effects and ensure the request body remains available for route handlers, the [`Request`](https://developer.mozilla.org/en-US/docs/Web/API/Request) passed to middleware is immutable. This means you can:
+
+- Read all request properties like `url`, `method`, `headers`, and so on
+- Read header values using `request.headers.get()`
+- Check for header existence with `request.headers.has()`
+- Access URL parameters and query strings
+
+But you won't be able to:
+
+- Modify headers with `set()`, `append()`, `delete()`
+- Consume the request body with `text()`, `json()`, `formData()`, and so on
+- Access the `body` property directly
@@ -16,6 +16,7 @@
 - Support external URLs with static redirects ([#38041](https://github.com/expo/expo/pull/38041) by [@hassankhan](https://github.com/hassankhan))
 - Add `EXPO_UNSTABLE_LIVE_BINDINGS` to allow developer to disable live binding in `experimentalImportSupport`. ([#38135](https://github.com/expo/expo/pull/38135) by [@krystofwoldrich](https://github.com/krystofwoldrich))
 - Add `location.origin`, Expo SDK version and Hermes version to sitemap UI ([#38201](https://github.com/expo/expo/pull/38201) by [@hassankhan](https://github.com/hassankhan))
+- Allow running server middleware with `+middleware.ts` ([#38330](https://github.com/expo/expo/pull/38330) by [@hassankhan](https://github.com/hassankhan))
 
 ### 🐛 Bug fixes