Middleware

As per our main principle, you can use any default Django middleware with your API. But, it has several minor problems by default:

1. Any middleware responses won’t show up in your schema

2. Responses won’t have the right 'Content-Type'

3. Responses won’t be validated

That’s why django-modern-rest provides a powerful middleware system that allows you to wrap Django middleware around your controllers while maintaining proper OpenAPI documentation and response handling.

The main function for this is wrap_middleware(), which creates reusable decorators that can be applied to controller classes.

How it works

wrap_middleware is a factory function that creates decorators with pre-configured middleware. It takes:

1. A middleware function or class

2. One or more ResponseSpec objects

3. Returns a decorator factory that takes a response converter function

The created decorator: - Wraps the controller’s dispatch method with the specified middleware - Handles both sync and async controllers automatically - Applies response conversion when the middleware returns a specific status code - Adds the response descriptions to the controller’s OpenAPI schema

Basic Usage

Let’s create a simple middleware decorator for CSRF protection:

Show imports... 12 lines hidden

[source]

from http import HTTPStatus

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_protect

from dmr import Controller, ResponseSpec
from dmr.decorators import wrap_middleware
from dmr.errors import ErrorModel, format_error
from dmr.plugins.pydantic import PydanticSerializer
from dmr.response import build_response


@wrap_middleware(
    csrf_protect,
    ResponseSpec(
        return_type=ErrorModel,
        status_code=HTTPStatus.FORBIDDEN,
    ),
)
def csrf_protect_json(response: HttpResponse) -> HttpResponse:
    """Convert CSRF failure responses to JSON."""
    return build_response(
        PydanticSerializer,
        raw_data=format_error(
            'CSRF verification failed. Request aborted.',
        ),
        status_code=HTTPStatus(response.status_code),
    )


@csrf_protect_json
class MyController(Controller[PydanticSerializer]):
    """Example controller using CSRF protection middleware."""

    responses = csrf_protect_json.responses

    def post(self) -> dict[str, str]:
        return {'message': 'ok'}

In this example:

1. We create a middleware decorator using wrap_middleware

2. The decorator wraps csrf_protect middleware around the controller

3. When CSRF verification fails, our converter function transforms the response to JSON

4. The response description is automatically added to the OpenAPI schema

Custom Middleware

You can also create custom middleware functions. Here’s an example of a rate limiting middleware:

Show imports... 12 lines hidden

[source]

from collections.abc import Callable
from http import HTTPStatus

from django.http import HttpRequest, HttpResponse

from dmr import Controller, ResponseSpec
from dmr.decorators import wrap_middleware
from dmr.errors import ErrorModel, format_error
from dmr.plugins.pydantic import PydanticSerializer
from dmr.response import build_response


def rate_limit_middleware(
    get_response: Callable[[HttpRequest], HttpResponse],
) -> Callable[[HttpRequest], HttpResponse]:
    """Middleware that simulates rate limiting."""

    def decorator(request: HttpRequest) -> HttpResponse:
        if request.headers.get('X-Rate-Limited') == 'true':
            return build_response(
                PydanticSerializer,
                raw_data=format_error('Rate limit exceeded'),
                status_code=HTTPStatus.TOO_MANY_REQUESTS,
            )
        return get_response(request)

    return decorator


@wrap_middleware(
    rate_limit_middleware,
    ResponseSpec(
        return_type=ErrorModel,
        status_code=HTTPStatus.TOO_MANY_REQUESTS,
    ),
)
def rate_limit_json(response: HttpResponse) -> HttpResponse:
    """Pass through the rate limit response."""
    return response


@rate_limit_json
class RateLimitedController(Controller[PydanticSerializer]):
    """Example controller with custom rate limit middleware."""

    responses = rate_limit_json.responses

    def post(self) -> dict[str, str]:
        return {'message': 'Request processed'}

Run result

$ curl http://127.0.0.1:8000/api/ratelimit/ -X POST
{"message":"Request processed"}

$ curl http://127.0.0.1:8000/api/ratelimit/ -D - -X POST -H 'X-Rate-Limited: true'
HTTP/1.1 429 Too Many Requests
date: Sun, 05 Apr 2026 17:51:04 GMT
server: uvicorn
Content-Type: application/json
X-Frame-Options: DENY
Vary: Accept-Language
Content-Language: en
Content-Length: 42
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

{"detail":[{"msg":"Rate limit exceeded"}]}

Multiple Response Descriptions

You can specify multiple response descriptions for different status codes:

Show imports... 11 lines hidden

[source]

from collections.abc import Callable
from http import HTTPStatus

from django.http import HttpRequest, HttpResponse

from dmr import ResponseSpec
from dmr.decorators import wrap_middleware
from dmr.plugins.pydantic import PydanticSerializer
from dmr.response import build_response


def custom_middleware(
    get_response: Callable[[HttpRequest], HttpResponse],
) -> Callable[[HttpRequest], HttpResponse]:
    """Dummy middleware for demonstration purposes."""

    def decorator(request: HttpRequest) -> HttpResponse:
        """Just pass the request through unchanged."""
        return get_response(request)

    return decorator


@wrap_middleware(
    custom_middleware,
    ResponseSpec(
        return_type=dict[str, str],
        status_code=HTTPStatus.BAD_REQUEST,
    ),
    ResponseSpec(
        return_type=dict[str, str],
        status_code=HTTPStatus.UNAUTHORIZED,
    ),
)
def multi_status_middleware(response: HttpResponse) -> HttpResponse:
    """Handle multiple status codes."""
    if response.status_code == HTTPStatus.BAD_REQUEST:
        return build_response(
            PydanticSerializer,
            raw_data={'error': 'Bad request'},
            status_code=HTTPStatus(response.status_code),
        )
    if response.status_code == HTTPStatus.UNAUTHORIZED:
        return build_response(
            PydanticSerializer,
            raw_data={'error': 'Unauthorized'},
            status_code=HTTPStatus(response.status_code),
        )
    return response

Async Controllers

wrap_middleware works seamlessly with both sync and async controllers:

Show imports... 5 lines hidden

[source]

from dmr import Controller
from dmr.plugins.pydantic import PydanticSerializer
from examples.middleware.csrf_protect_json import csrf_protect_json


@csrf_protect_json
class AsyncController(Controller[PydanticSerializer]):
    """Example async controller using CSRF protection middleware."""

    responses = csrf_protect_json.responses

    async def post(self) -> dict[str, str]:
        # Your async logic here
        return {'message': 'async response'}

The middleware will automatically detect whether the controller is async and handle it appropriately.

Response Converter Function

The response converter function is called when the middleware returns a response with a status code that matches one of the provided response descriptions. This allows you to:

• Transform error responses to JSON format

• Add custom headers

• Modify response content

• Apply consistent error formatting across your API

The converter function receives the original response and should return a modified django.http.HttpResponse.

Understanding the Two-Phase Middleware Pattern

Django middleware operates in two distinct phases around the view execution. Understanding this pattern is crucial for effectively using middleware with django-modern-rest.

get_response callback

Every Django middleware receives a get_response callable parameter. This is not the actual response - it’s a callback that represents the next middleware in the chain or the final view function.

Show imports... 5 lines hidden

[source]

from collections.abc import Callable

from django.http import HttpRequest, HttpResponse


def my_middleware(
    get_response: Callable[[HttpRequest], HttpResponse],
) -> Callable[[HttpRequest], HttpResponse]:
    """
    get_response is a callback.

    It will:
    1. Call the next middleware (if any)
    2. Eventually call your controller/view
    3. Return the response
    """

    def factory(request: HttpRequest) -> HttpResponse:
        # Your middleware logic here:
        return get_response(request)  # Call the view

    return factory

Phase 1: Process Request (before get_response)

Before calling get_response, you can:

• Read and validate request data

• Add attributes to the request object

• Perform authentication/authorization

• Short-circuit and return early (without calling the view)

Show imports... 6 lines hidden

[source]

import uuid
from collections.abc import Callable
from typing import Any, TypeAlias

from django.http import HttpRequest, HttpResponse

_CallableAny: TypeAlias = Callable[..., Any]


def add_request_id_middleware(
    get_response: Callable[[HttpRequest], HttpResponse],
) -> _CallableAny:
    """Middleware that adds request_id to both request and response.

    This demonstrates the two-phase middleware pattern:
    1. Process request BEFORE calling get_response (adds request.request_id)
    2. Process response AFTER calling get_response (adds X-Request-ID header)
    """

    def decorator(request: HttpRequest) -> Any:
        request_id = str(uuid.uuid4())
        request.request_id = request_id  # type: ignore[attr-defined]

        response = get_response(request)
        response['X-Request-ID'] = request_id

        return response

    return decorator

Wrap your middleware:

Show imports... 9 lines hidden

[source]

from http import HTTPStatus

from django.http import HttpResponse

from dmr import ResponseSpec
from dmr.decorators import wrap_middleware
from examples.middleware.add_request_id import add_request_id_middleware


@wrap_middleware(
    add_request_id_middleware,
    ResponseSpec(
        return_type=dict[str, str],
        status_code=HTTPStatus.OK,
    ),
)
def add_request_id_json(response: HttpResponse) -> HttpResponse:
    """Pass through response - ``request_id`` is added automatically."""
    return response

Now your controller can access self.request.request_id:

Show imports... 7 lines hidden

[source]

from django.http import HttpRequest

from dmr import Controller
from dmr.plugins.pydantic import PydanticSerializer
from examples.middleware.wrap_add_request_id import add_request_id_json


class _RequestWithID(HttpRequest):
    request_id: str


@add_request_id_json
class RequestIdController(Controller[PydanticSerializer]):
    """Controller that uses request_id added by middleware."""

    responses = add_request_id_json.responses

    # Use request with request_id field
    request: _RequestWithID

    def get(self) -> dict[str, str]:
        """GET endpoint that returns request_id from modified request."""
        return {
            'request_id': self.request.request_id,
            'message': 'Request ID tracked',
        }

Phase 2: Process Response (after get_response)

After calling get_response, you can:

• Modify the response object

• Add headers

• Log response details

• Transform response content

Show imports... 5 lines hidden

[source]

from collections.abc import Callable
from typing import Any, TypeAlias

from django.http import HttpRequest, HttpResponse

_CallableAny: TypeAlias = Callable[..., Any]


def custom_header_middleware(
    get_response: Callable[[HttpRequest], HttpResponse],
) -> _CallableAny:
    """Simple middleware that adds a custom header to response."""

    def decorator(request: HttpRequest) -> Any:
        response = get_response(request)
        response['X-Custom-Header'] = 'CustomValue'
        return response

    return decorator

Short-Circuiting: Returning Without Calling get_response

Middleware can return a response without calling get_response. This is called “short-circuiting” - the view is never executed.

Common use cases:

• Rate limiting (return 429)

• Request validation failures (return 400)

• Cache hits (return cached response)

• Custom authentication/authorization checks

Example with rate limiting:

Show imports... 12 lines hidden

[source]

from collections.abc import Callable
from http import HTTPStatus

from django.http import HttpRequest, HttpResponse

from dmr import Controller, ResponseSpec
from dmr.decorators import wrap_middleware
from dmr.errors import ErrorModel, format_error
from dmr.plugins.pydantic import PydanticSerializer
from dmr.response import build_response


def rate_limit_middleware(
    get_response: Callable[[HttpRequest], HttpResponse],
) -> Callable[[HttpRequest], HttpResponse]:
    """Middleware that simulates rate limiting."""

    def decorator(request: HttpRequest) -> HttpResponse:
        if request.headers.get('X-Rate-Limited') == 'true':
            return build_response(
                PydanticSerializer,
                raw_data=format_error('Rate limit exceeded'),
                status_code=HTTPStatus.TOO_MANY_REQUESTS,
            )
        return get_response(request)

    return decorator


@wrap_middleware(
    rate_limit_middleware,
    ResponseSpec(
        return_type=ErrorModel,
        status_code=HTTPStatus.TOO_MANY_REQUESTS,
    ),
)
def rate_limit_json(response: HttpResponse) -> HttpResponse:
    """Pass through the rate limit response."""
    return response


@rate_limit_json
class RateLimitedController(Controller[PydanticSerializer]):
    """Example controller with custom rate limit middleware."""

    responses = rate_limit_json.responses

    def post(self) -> dict[str, str]:
        return {'message': 'Request processed'}

Run result

$ curl http://127.0.0.1:8000/api/ratelimit/ -X POST
{"message":"Request processed"}

$ curl http://127.0.0.1:8000/api/ratelimit/ -D - -X POST -H 'X-Rate-Limited: true'
HTTP/1.1 429 Too Many Requests
date: Sun, 05 Apr 2026 17:51:05 GMT
server: uvicorn
Content-Type: application/json
X-Frame-Options: DENY
Vary: Accept-Language
Content-Language: en
Content-Length: 42
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

{"detail":[{"msg":"Rate limit exceeded"}]}

Wrapping Django’s Built-in Decorators

You can wrap Django’s built-in authentication decorators like login_required to make them REST API friendly. By default, login_required returns a 302 redirect, but you can convert it to a JSON 401 response:

Show imports... 12 lines hidden

[source]

from http import HTTPStatus

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

from dmr import Controller, ResponseSpec
from dmr.decorators import wrap_middleware
from dmr.errors import ErrorModel, format_error
from dmr.plugins.pydantic import PydanticSerializer
from dmr.response import build_response


@wrap_middleware(
    login_required,
    ResponseSpec(
        return_type=ErrorModel,
        status_code=HTTPStatus.UNAUTHORIZED,
    ),
    ResponseSpec(  # Uses for proxy authed response with HTTPStatus.OK
        return_type=dict[str, str],
        status_code=HTTPStatus.OK,
    ),
)
def login_required_json(response: HttpResponse) -> HttpResponse:
    """Convert Django's login_required redirect to JSON 401 response."""
    if response.status_code == HTTPStatus.FOUND:
        return build_response(
            PydanticSerializer,
            raw_data=format_error(
                'Authentication credentials were not provided',
            ),
            status_code=HTTPStatus.UNAUTHORIZED,
        )
    return response


@login_required_json
class LoginRequiredController(Controller[PydanticSerializer]):
    """Controller that uses Django's login_required decorator.

    Demonstrates wrapping Django's built-in authentication decorators.
    Converts 302 redirect to JSON 401 response for REST API compatibility.
    """

    responses = login_required_json.responses

    def get(self) -> dict[str, str]:
        """GET endpoint that requires Django authentication."""
        # Access Django's authenticated user
        user = self.request.user
        username = user.username if user.is_authenticated else 'anonymous'  # type: ignore[attr-defined]

        return {
            'username': username,
            'message': 'Successfully accessed protected resource',
        }

Visual Flow

Here’s how a request flows through middleware:

        ---
config:
  theme: forest

---
  graph TB
    A[HTTP Request] --> B1[Middleware 1<br/>Phase 1: process request]
    B1 --> B2[Middleware 2<br/>Phase 1: process request]
    B2 --> C[Controller/View executes]
    C --> D2[Middleware 2<br/>Phase 2: process response]
    D2 --> D1[Middleware 1<br/>Phase 2: process response]
    D1 --> E[HTTP Response]
    

Middleware execution flow

Best Practices

1. Always include response descriptions: This ensures your OpenAPI documentation is complete and accurate.

2. Use consistent error formatting: Create reusable converter functions that format errors consistently across your API.

3. Handle both sync and async: The same middleware decorator works with both sync and async controllers.

4. Test your middleware: Make sure to test both the success and error cases for your middleware.

5. Document your middleware: Add docstrings to explain what your middleware does and when it’s triggered.

Example: Complete CSRF Protection Setup

Here’s a complete example showing how to set up CSRF protection for a REST API:

Show imports... 11 lines hidden

[source]

from http import HTTPStatus

from django.http import HttpResponse
from django.views.decorators.csrf import ensure_csrf_cookie

from dmr import Controller, ResponseSpec
from dmr.decorators import wrap_middleware
from dmr.plugins.pydantic import PydanticSerializer
from examples.middleware.csrf_protect_json import csrf_protect_json


# CSRF cookie for GET requests
@wrap_middleware(
    ensure_csrf_cookie,
    ResponseSpec(
        return_type=dict[str, str],
        status_code=HTTPStatus.OK,
    ),
)
def ensure_csrf_cookie_json(response: HttpResponse) -> HttpResponse:
    """Return response ensuring CSRF cookie is set."""
    return response


@csrf_protect_json
class ProtectedController(Controller[PydanticSerializer]):
    """Protected API controller requiring CSRF token."""

    responses = csrf_protect_json.responses

    def get(self) -> dict[str, str]:
        """Get CSRF token."""
        return {'message': 'Use this endpoint to get CSRF token'}

    def post(self) -> dict[str, str]:
        """Protected endpoint requiring CSRF token."""
        return {'message': 'Successfully created resource'}


@ensure_csrf_cookie_json
class PublicController(Controller[PydanticSerializer]):
    responses = ensure_csrf_cookie_json.responses

    def get(self) -> dict[str, str]:
        """Public endpoint that sets CSRF cookie."""
        return {'message': 'CSRF cookie set'}

Run result

$ curl http://127.0.0.1:8000/api/publiccontroller/ -D - -X GET
HTTP/1.1 200 OK
date: Sun, 05 Apr 2026 17:51:05 GMT
server: uvicorn
Content-Type: application/json
Vary: Cookie, Accept-Language
X-Frame-Options: DENY
Content-Language: en
Content-Length: 29
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Set-Cookie: csrftoken=RxCKuaEz2p3U8da7XSNf2hEcpDtRAEIs; expires=Sun, 04 Apr 2027 17:51:05 GMT; Max-Age=31449600; Path=/; SameSite=Lax

{"message":"CSRF cookie set"}