Auth Middleware

TL;DR: Use createAuth({type: 'bearer' | 'api-key'}). Validate tokens. Return 401 on fail. GitHub sigs app-specific.

Auth Flows
Error Codes
Hono Usage
GitHub Sigs
Mismatch Quiz

Auth Flows

Secure routes. Choose bearer or api-key.

From packages/hono-middleware/src/middleware/auth.ts:

Type	Header	Validate?	Flow
bearer	Authorization: Bearer	Optional	Extract token. Call validate(token). Set c.set('user')
api-key	x-api-key: (custom)	Optional	Extract key. Call validate(key). Set c.set('user')

Imperative: Always validate in prod.

Error Codes

Standard 401 responses.

Scenario	Response
No header	{error: 'Unauthorized', message: 'Missing bearer token'}
Invalid token	{error: 'Unauthorized', message: 'Invalid token'}
No api-key	{error: 'Unauthorized', message: 'Missing API key'}

Hono Usage

Protect routes easily.

// Example Hono app
import { createAuth } from '@duyetbot/hono-middleware';
 
const auth = createAuth({
  type: 'bearer',
  validate: async (token, c) => {
    // Your validation logic
    return { id: 'user123' }; // Or null
  }
});
 
app.use('/secure/*', auth);
app.get('/secure/data', (c) => {
  const user = c.get('user');
  return c.json({ data: 'secret', user });
});

Test: curl -H "Authorization: Bearer invalid" http://localhost/secure/data.

GitHub Sigs

App-specific. See apps/github-bot/src/middlewares/signature.ts.

Verifies webhook payload HMAC. Rejects tampered requests.

Imperative: Enable for all webhook routes.

Mismatch Quiz

Q: Bearer header wrong?

A: Slice(7), check startsWith('Bearer ') -> 401 ✅
B: Accept anyway
C: Use api-key fallback

Run bun test --filter auth. Verify 401 responses!

Auth Middleware

Table of Contents

Auth Flows

Error Codes

Hono Usage

GitHub Sigs

Mismatch Quiz

On this page

Auth Middleware

Table of Contents

Auth Flows

Error Codes

Hono Usage

GitHub Sigs

Mismatch Quiz

Related

On this page