Middleware route exclusion behavior change when upgrading from 9.3.2 to 9.3.3

[adskragnar]

Did you read the migration guide?

• I have read the whole migration guide

Is there an existing issue that is already proposing this?

• I have searched the existing issues

Potential Commit/PR that introduced the regression

No response

NestJS version

9.2.1->9.3.0

Describe the regression

I have a /health path that is excluded from the global prefix. I also have some auth-related middleware that should be applied to all paths except the /health endpoint. This worked fine up to version 9.2.1 using consumer.apply(MyMiddleware).exclude('/health').forRoutes('*').

When upgrading to version 9.3.0, the exclusion no longer works and the auth middleware is applied. I have also tried version 9.4.0 with the same result.

Minimum reproduction code

No response

Input code

In main:

  const app = await NestFactory.create(AppModule, { logger });

  const globalPrefix = 'my/prefix';
  app.setGlobalPrefix(globalPrefix, {
    exclude: [{ path: 'health', method: RequestMethod.GET }],
  });
  app.enableVersioning({ type: VersioningType.URI, defaultVersion: '1' });

in app.module.ts:

@Module( /*... imports etc ...*/ )
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(MyMiddleware)
      .exclude('/health')
      .forRoutes('*');
  }
}

Expected behavior

The middleware is not applied to requests for the /health path.

Other

No response

[adskragnar]

The versioning is added by Nest, so all "real" endpoints are in the format /my/prefix/v1/some/endpoint (these should have the middleware applied), but the prefix exclusion for health leaves that endpoint as just /health (and should not have the middleware applied).

Of course, I am open to the possibility that I am doing this completely wrong, but at least with version 9.2.1 this seemed to work as I expected it.

[josephaw1022]

Just as a sanity check, does this still not work with the versioning removed?

[josephaw1022]

I only ask because, I have had issues with uri versioning before

[adskragnar]

I tried now with v 9.4.0 with versioning removed, but no change - the Middleware is still applied. Removing the prefix entirely makes the exclusion work again. So it does seem like the prefix plays a part in this.

[micalevisk]

Hi @adskragnar

as you didn't shared any repro code, could you please checkout the changelog https://github.com/nestjs/nest/releases/tag/v9.3.0 to see if you find some change that could be related with your issue? It would help a lot :) PRs are more than welcomed as well.

[adskragnar]

Thanks for the quick responses! First, apologies - I seem to have made a mistake in determining when the behavior changed - I believe the change occurred in between versions 9.3.2 -> 9.3.3.

Looking through the changes from 9.3.2...9.3.3 lists the commit fix(core): add global prefix to exclude paths for middleware, which at least given the apparent connection from the issue to the global prefix looks to be interesting.
There is also a merge of a branch that seems to touch on related subjects at Merge branch 'CodyTseng-fix-middleware-exclude'.

Note that these are not listed as fixes when looking at the 9.3.3 release.

[micalevisk]

@adskragnar thanks! That was a fix to this issue: #9990

Since you have enabled the global versioning with a default version, there's no {prefix}/health endpoint but {prefix}/v1/health, right?

What if you do this instead:

app.setGlobalPrefix(globalPrefix, {
  exclude: [{ path: '/v1/health', method: RequestMethod.GET }],
});

[adskragnar]

The Health Controller in this case is set up as VERSION_NEUTRAL so it is indeed at {prefix}/health and not at {prefix}/v1/health. Changing the health controller to be affected by version and changing the global prefix exclude to v1/health as suggested causes the health endpoint to be at /v1/health. However the middleware is still applied (I tried with both setting .exclude('/health') as in the original code as well as .exclude('/v1/health') but in both cases the middleware is still applied.

For completeness, I also tried removing the global prefix exclusion for health (but leaving the prefix). This places the health endpoint at {prefix}/v1/health. If I then use .exclude('/v1/health') for the middleware the health endpoint is excluded. Removing versioning then also works, with the health endpoint at {prefix}/health and using .exclude('/health').

(All tests here conducted using version 9.3.3).

[kamilmysliwiec]

This issue should be fixed in this PR #11650

[lukeclifton]

Just for context, we also have just faced this issue.

After updating from version 9.2.1 to 9.4.2 our application broke and it was related to exclude path behaviour no longer working as it was before 9.3.3.

Our previously working code:

 .exclude(`${globalPrefix}/api/(.*)`, healthCheckEndpoint)

After updating to 9.4.2 we had to change to:

 .exclude('/api/(.*)', healthCheckEndpoint)

Summary:
Needed to remove the manually added global prefix from our exclude paths as this commit in version 4.3.3 now automatically includes the global prefix.

[omeha2]

The issue still exists.
repo with reproduce
https://codesandbox.io/p/sandbox/exciting-banzai-53ccsy
maintenance middleware shouldn't be applied to endpoint api/hello2
@kamilmysliwiec should we reopen this issue or create separate one?