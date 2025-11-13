Advisory boards aren’t only for executives. Join the LogRocket Content Advisory Board today
2025-11-13
1045
#react
Ikeh Akinyemi
209351
116
Nov 13, 2025 ⋅ 3 min read

How to fix React routing loopholes with the React Router Middleware

Ikeh Akinyemi Ikeh Akinyemi is a software engineer based in Rivers State, Nigeria. He’s passionate about learning pure and applied mathematics concepts, open source, and software engineering.

See how LogRocket's Galileo AI surfaces the most severe issues for you

No signup required

Check it out

When protecting route segments in React Router, a common pattern is to add an authentication check inside the layout route’s loader, such as in dashboard.tsx. This loader typically checks for a user session and throws redirect('/login') if none is found.

How to fix React routing loopholes with the React Router Middleware

However, this approach introduces two architectural problems due to React Router’s parallel data-loading model:

  1. Leaky redirects: Child loaders (e.g., /dashboard/overview) execute in parallel with the parent loader. A redirect in the parent does not short-circuit the child loaders, causing them to run even when unauthenticated.
  2. Redundant data fetching: Because loaders run in parallel, child routes cannot access data returned by parent loaders. A parent loader may fetch the user, but each child must re-fetch it independently.

These behaviors create unnecessary server load, duplicated fetches, and potential errors. The new Middleware API in React Router 7.9+ (via the future.v8_middleware flag) solves these issues by introducing a sequential step before loaders execute.

In this article, we’ll build a simple dashboard that demonstrates the “old way” problems, then refactor it step by step using middleware for clean authentication and safe data passing.

🚀 Sign up for The Replay newsletter

The Replay is a weekly newsletter for dev and engineering leaders.

Delivered once a week, it's your curated guide to the most important conversations around frontend dev, emerging AI tools, and the state of modern software.

The problem: Our broken dashboard

We’ll start by building a dashboard using traditional loader patterns to surface the issues. First, create a project:

npx create-react-router@latest

Inside app/, create a mock authentication file:

// app/auth.ts
export interface User {
  id: string;
  name: string;
  email: string;
}

let FAKE_LOGGED_IN_USER: User | null = null;
// let FAKE_LOGGED_IN_USER = { id: "123", name: "Jane Doe", email: "[email protected]" };

export async function getUserFromRequest(request: Request): Promise<User | null> {
  await new Promise((res) => setTimeout(res, 100));
  return FAKE_LOGGED_IN_USER;
}

Our route structure will look like:

app/
├── auth.ts
├── root.tsx
├── routes/
│   ├── login.tsx
│   ├── dashboard.tsx
│   └── dashboard.overview.tsx

Now let’s implement the protected dashboard layout:

// app/routes/dashboard.tsx
import { Outlet, useLoaderData } from "react-router";
import type { LoaderFunctionArgs } from "react-router";
import { getUserFromRequest } from "~/auth";
import type { User } from "~/auth";

export async function loader({ request }: LoaderFunctionArgs) {
  console.log("Checking auth in _dashboard layout loader...");
  const user = await getUserFromRequest(request);

  if (!user) {
    console.log("No user, redirecting to /login");
    // This redirect *should* stop everything, but it won't.
    throw Response.redirect(new URL("/login", request.url));
  }

  console.log("User found, returning from layout loader.");
  return new Response(JSON.stringify({ user }), {
    headers: { "Content-Type": "application/json" },
  });
}

export default function DashboardLayout() {
  const { user } = useLoaderData() as { user: User };
  return (
    <div>
      <nav style={{ padding: "10px", background: "#eee" }}>
        <b>Dashboard Layout</b> | Welcome, {user!.name}
      </nav>
      <hr />
      <main>
        <Outlet />
      </main>
    </div>
  );
}

Next, the child route:

// app/routes/dashboard.overview.tsx
import { Outlet, useLoaderData } from "react-router";
import type { LoaderFunctionArgs } from "react-router";
import { getUserFromRequest } from "~/auth";

async function getOverviewData(userId: string) {
  console.log(`Fetching overview data for user ${userId}...`);
  return { totalRevenue: 5000 };
}

export async function loader({ request }: LoaderFunctionArgs) {
  console.log("❌ ERROR: _dashboard.overview loader IS RUNNING!");

  // Problem: Redundant data fetching.
  const user = await getUserFromRequest(request);

  if (!user) {
    console.log("Overview loader found no user.");
    return new Response(JSON.stringify({ error: "User not found" }), {
      status: 401,
      headers: { "Content-Type": "application/json" },
    });
  }

  const overviewData = await getOverviewData(user.id);
  return new Response(JSON.stringify(overviewData), {
    headers: { "Content-Type": "application/json" },
  });
}

export default function DashboardOverview() {
  return <h3>Overview Page Content</h3>;
}

Now reproduce the issues:

  • Set FAKE_LOGGED_IN_USER to null.
  • Navigate to /dashboard/overview.

You’ll see:

Checking auth in dashboard...
❌ Child loader IS RUNNING!
No user, redirecting...
Overview loader found no user.

Server log showing parallel loader execution

This confirms:

  • Redirects leak: the child loader still runs.
  • Data is fetched twice when logged in.

React Router middleware is designed to fix both issues.

The fix: Using React Router Middleware

Step 1: Enable the middleware flag

// react-router.config.ts
export default {
  future: {
    v8_middleware: true,
  },
};

Step 2: Create a type-safe context

Middleware doesn’t return data directly. It stores shared values in context:

// app/context.ts
import { createContext } from "react-router";
import type { User } from "~/auth";

export const userContext = createContext<User | null>(null);

Step 3: Refactor the protected dashboard

// app/routes/dashboard.tsx
import { Outlet, useLoaderData } from "react-router";
import type { LoaderFunctionArgs, MiddlewareFunction } from "react-router";
import { getUserFromRequest } from "~/auth";
import type { User } from "~/auth";
import { userContext } from "~/context";

const authMiddleware: MiddlewareFunction = async ({ request, context }) => {
  console.log("Running auth middleware in _dashboard...");
  const user = await getUserFromRequest(request);

  if (!user) {
    console.log("Middleware: No user, redirecting to /login");

    throw new Response(null, {
      status: 302,
      headers: {
        "Location": "/login",
      },
    });
  }

  console.log("Middleware: User found, setting in context.");
  context.set(userContext, user);
};

export const middleware: MiddlewareFunction[] = [authMiddleware];

export async function loader({ context }: LoaderFunctionArgs) {
  const user = context.get(userContext);
  console.log("Layout loader running (user guaranteed).");
  return new Response(JSON.stringify({ user }), {
    headers: { "Content-Type": "application/json" },
  });
}

export default function DashboardLayout() {
  const { user } = useLoaderData() as { user: User };
  return (
    <div>
      <nav style={{ padding: "10px", background: "#eee" }}>
        <b>Dashboard Layout</b> | Welcome, {user!.name}
      </nav>
      <hr />
      <main>
        <Outlet />
      </main>
    </div>
  );
}

Step 4: Verify short-circuiting

With FAKE_LOGGED_IN_USER = null:

Running auth middleware...
Redirecting to /login

Middleware log

No child loaders ran. Problem #1 solved.

Step 5: Refactor the child loader

// app/routes/dashboard.overview.tsx
import { Outlet, useLoaderData } from "react-router";
import type { LoaderFunctionArgs } from "react-router";
import { userContext } from "~/context";

async function getOverviewData(userId: string) {
  console.log(`Fetching overview data for user ${userId}...`);
  return { totalRevenue: 5000 };
}

export async function loader({ context }: LoaderFunctionArgs) {
  console.log("✅ _dashboard.overview loader IS RUNNING (sequentially)");
  const user = context.get(userContext);
  const overviewData = await getOverviewData(user!.id);
  return new Response(JSON.stringify(overviewData), {
    headers: { "Content-Type": "application/json" },
  });
}

export default function DashboardOverview() {
  return <h3>Overview Page Content</h3>;
}

The output now shows the correct sequence:

Running auth middleware...
User found, setting context.
Layout loader running...
Child loader running...
Fetching overview data...

Conclusion

We started with a common pattern in React Router that easily leads to leaky redirects and redundant data fetching due to parallel loader execution. These issues make route protection inefficient and error-prone.

The new Middleware API introduces a sequential step before loaders, enabling:

  • Short-circuited redirects before child loaders run
  • Safe, centralized authentication
  • Shared context that eliminates duplicate fetches

Middleware finally aligns React Router with real-world security and data-loading needs, enabling practical, maintainable protected routes.

Get set up with LogRocket's modern React error tracking in minutes:

  1. Visit https://logrocket.com/signup/ to get an app ID

  2. Install LogRocket via npm or script tag. LogRocket.init() must be called client-side, not server-side 

    $ npm i --save logrocket 

// Code:

import LogRocket from 'logrocket'; 
LogRocket.init('app/id');
                    
    // Add to your HTML:

<script src="https://cdn.lr-ingest.com/LogRocket.min.js"></script>
<script>window.LogRocket && window.LogRocket.init('app/id');</script>
  3. (Optional) Install plugins for deeper integrations with your stack:
    • Redux middleware
    • NgRx middleware
    • Vuex plugin
Get started now

Stop guessing about your digital experience with LogRocket

Get started for free

Recent posts:

How I used Mastra to build a prize-winning RAG agent

How I used Mastra to build a prize-winning RAG agent

A developer’s retrospective on creating an AI video transcription agent with Mastra, an open-source TypeScript framework for building AI agents.

Chinwike Maduabuchi
Nov 13, 2025 ⋅ 12 min read

Ensuring frontend data integrity with TanStack DB transactions

Learn how TanStack DB transactions ensure data consistency on the frontend with atomic updates, rollbacks, and optimistic UI in a simple order manager app.

Emmanuel John
Nov 13, 2025 ⋅ 11 min read
the replay november 12

The Replay (11/12/25): Stop making these useEffect mistakes

Discover what’s new in The Replay, LogRocket’s newsletter for dev and engineering leaders, in the November 5th issue.

Matt MacCormack
Nov 12, 2025 ⋅ 33 sec read
15 most common useEffect mistakes

15 common useEffect mistakes to avoid in your React apps

Shruti Kapoor breaks down the confusion around useEffect and goes over 15 common mistakes she’s seen in the React apps she’s reviewed.

Shruti Kapoor
Nov 12, 2025 ⋅ 8 min read
View all posts

Leave a Reply

Would you be interested in joining LogRocket's developer community?

Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.

Sign up now