Filters & Middleware

Run code before and after every request. DRY principle for APIs.

Detailed Guide

The Rule: If you're writing the same code in 10 controllers, you're doing it wrong. Use Middleware or Filters.

1. The Zomato Problem - Why You Need This

Without Middleware: Log request time in 50 controllers. Change log format? Edit 50 files. Miss 1? Bug in prod.

With Middleware: Write logging once in Program.cs. Runs for every request. Change once. Done.

🎯 Real Example

Every Zomato API call logs: UserId, Endpoint, Time, StatusCode. 1 Middleware handles it for all 500 APIs. That's why their debugging is fast.

2. Middleware vs Filters - The 10 Second Decision

	Middleware	Filters
Runs When	Every HTTP request. Even if no controller.	Only when request hits MVC/API controller.
Order	Configured in `Program.cs`. You control exact order.	Fixed pipeline: Auth → Action → Result.
Access To	`HttpContext`. Raw request/response.	`ActionContext`. Knows controller, action, model.
Use For	Logging, Exceptions, Auth, CORS, Static Files	Validation, Caching, Custom Auth per action

Rule: App-wide concerns = Middleware. Controller-specific = Filter.

3. Code It: Global Exception Middleware

Goal: If any controller throws exception, return clean JSON {"error":"Server failed"} instead of HTML crash page.

// Middleware/GlobalExceptionMiddleware.cs
public class GlobalExceptionMiddleware {
  private readonly RequestDelegate _next;
  private readonly ILogger _logger;

  public GlobalExceptionMiddleware(RequestDelegate next, ILogger logger) {
    _next = next;
    _logger = logger;
  }

  public async Task InvokeAsync(HttpContext context) {
    try {
      await _next(context); // Call next middleware/controller
    }
    catch (Exception ex) {
      _logger.LogError(ex, "Unhandled exception");
      context.Response.StatusCode = 500;
      context.Response.ContentType = "application/json";
      await context.Response.WriteAsync("{\"error\":\"An internal server error occurred\"}");
    }
  }
}

// Program.cs - Order matters!
var app = builder.Build();
app.UseMiddleware(); // 1st - catches all errors
app.UseAuthentication(); // 2nd
app.UseAuthorization(); // 3rd
app.MapControllers(); // Last
app.Run();

Test: Throw new Exception() in any controller. API returns 500 JSON, not HTML. Logs error.

4. Code It: Action Filter for Logging

Goal: Log execution time for specific slow actions only.

// Filters/LogTimeAttribute.cs
public class LogTimeAttribute : ActionFilterAttribute {
  private Stopwatch _timer;
  public override void OnActionExecuting(ActionExecutingContext context) {
    _timer = Stopwatch.StartNew();
  }
  public override void OnActionExecuted(ActionExecutedContext context) {
    _timer.Stop();
    var logger = context.HttpContext.RequestServices.GetService>();
    logger?.LogInformation($"Action {context.ActionDescriptor.DisplayName} took {_timer.ElapsedMilliseconds}ms");
  }
}

// Controller usage
[HttpGet("slow-report")]
[LogTime] // Only this action gets timed
public IActionResult GetSlowReport() {...}

Career-Killer Mistake: app.UseExceptionHandler() AFTER app.MapControllers()
Result: Exception handler never runs. Controllers throw → crash → HTML error page.
Fix: Middleware is a pipeline. Order is critical. Exception handler must be FIRST. Auth must be before Controllers. Request flows down, response flows up.

1. Theory: The ASP.NET Core Middleware Pipeline

Request comes in → Passes through middleware 1 → 2 → 3 → Controller → 3 → 2 → 1 → Response out.

Each middleware can:

Do work before calling await _next()
Call _next to pass to next middleware
Do work after _next returns
Short-circuit: NOT call _next and return response directly

Example: Auth middleware checks JWT. If invalid, returns 401 and never calls _next. Controller never runs.

2. Filter Pipeline - The 5 Filter Types

Inside MVC, after Middleware, filters run in this order:

Authorization Filters: [Authorize]. Run first. Can short-circuit.
Resource Filters: Run before model binding. Good for caching.
Action Filters: OnActionExecuting / OnActionExecuted. Run before/after action method. Access to arguments.
Exception Filters: IExceptionFilter. Handle exceptions from action.
Result Filters: Run before/after IActionResult executes. Modify response.

Interview Q: "Difference between Middleware and Action Filter?"
A: "Middleware = app-wide, no MVC context, runs for all requests. Filter = MVC-specific, has ActionContext, runs only for controller actions. Use Middleware for global logging, Filter for per-action caching."

3. Short-Circuiting - The Performance Win

Use Case: Caching Middleware. If response in cache, return it + never call DB.

public class CacheMiddleware {
  public async Task InvokeAsync(HttpContext ctx) {
    var cacheKey = ctx.Request.Path;
    if(_cache.TryGetValue(cacheKey, out var cached)) {
      ctx.Response.ContentType = "application/json";
      await ctx.Response.WriteAsync(cached); // Return cached
      return; // DON'T call _next. Short-circuit!
    }
    await _next(ctx); // Call controller
    // Cache the response for next time...
  }
}

Impact: 100ms DB call → 1ms cache hit. 100x faster. This is how Zomato handles menu lists.

4. `app.Use` vs `app.Run` vs `app.Map`

Method	Calls Next?	Use Case
`app.Use()`	Yes, if you call `await next()`	Most middleware. Logging, Auth.
`app.Run()`	No. Terminal middleware.	End of pipeline. "404 Not Found" handler.
`app.Map()`	Branches pipeline	`/health` endpoint runs different pipeline.

Career-Killer Mistake #2: Doing DB calls in Middleware constructor.
Middleware is Singleton. Constructor runs once at startup. DB call fails = app won't start.
Fix: Inject IServiceScopeFactory. Create scope inside InvokeAsync. Resolve Scoped services there.
Rule: Never inject Scoped services into Singleton Middleware constructor. Captive dependency crash.

Next: You can run global code. Next: CORS & Security Headers - How to let your React app call your API from localhost:3000 without "CORS error". And how to add security headers that stop XSS/clickjacking. Critical for production.

Quick Check 🧠

Middleware mastered. Next: CORS & Security Headers - Fix the "CORS error" every React dev hits, and add headers that get you A+ on security scans. Continue →

← Authentication & JWT

CORS & Security Headers →

Comments on Filters & Middleware (0)

No comments yet. Be the first to share your thoughts!

C# Tutorial

C# Tutorial

Filters & Middleware

1. The Zomato Problem - Why You Need This

🎯 Real Example

2. Middleware vs Filters - The 10 Second Decision

3. Code It: Global Exception Middleware

4. Code It: Action Filter for Logging

1. Theory: The ASP.NET Core Middleware Pipeline

2. Filter Pipeline - The 5 Filter Types

3. Short-Circuiting - The Performance Win

4. `app.Use` vs `app.Run` vs `app.Map`

Quick Check 🧠

Comments on Filters & Middleware (0)

C# Tutorial

C# Tutorial

Filters & Middleware

1. The Zomato Problem - Why You Need This

🎯 Real Example

2. Middleware vs Filters - The 10 Second Decision

3. Code It: Global Exception Middleware

4. Code It: Action Filter for Logging

1. Theory: The ASP.NET Core Middleware Pipeline

2. Filter Pipeline - The 5 Filter Types

3. Short-Circuiting - The Performance Win

4. app.Use vs app.Run vs app.Map

Quick Check 🧠

Comments on Filters & Middleware (0)

4. `app.Use` vs `app.Run` vs `app.Map`