Add configurable route existence check before authentication middleware execution

[BelovedYaoo]

What version of Hono are you using?

4.11.9

What runtime/platform is your app running on? (with version if possible)

Node 20.19.4 (but not important)

What steps can reproduce the bug?

1. Set up a Hono app with authentication middleware
2. Add some routes with authentication
3. Make requests to non-existent paths

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

// Authentication middleware
app.use('*', jwt({ secret: 'my-secret' }))

// Actual route
app.get('/protected', (c) => c.text('Protected content'))

// Request to non-existent path still triggers JWT validation
// GET /non-existent-route

What is the expected behavior?

When accessing non-existent routes:

1. The server should first check if the route exists
2. If route doesn't exist, return 404 immediately
3. Authentication middleware should only run for valid routes

What do you see instead?

1. Authentication middleware runs for ALL requests, even to non-existent routes
2. This causes unnecessary CPU-intensive authentication processing
3. Only after authentication does the framework return 404 for invalid routes

Additional information

Security Impact:

• Creates a potential DoS vulnerability where attackers can spam random URLs to trigger expensive auth checks

• Particularly problematic for JWT/OAuth/other crypto-heavy authentication

Performance Impact:

• Wastes server resources validating authentication for invalid routes

• Can significantly impact performance under high traffic

Suggested Solutions:

1. Add global config option:

new Hono({ checkRouteBeforeAuth: true })

2. Provide route validation middleware:

app.use(routeValidator()) // Checks route existence
app.use(authMiddleware)  // Then authenticates

3. Expose routing inspection API for custom solutions

[yusukebe]

@BelovedYaoo

That is not a bug. It's intended and designed. If you want to apply the authentication middleware specific path, you should write like this:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

// Actual route
app.get('/protected', jwt({ secret: 'my-secret' }), (c) => c.text('Protected content'))

export default app

[BelovedYaoo]

@BelovedYaoo

That is not a bug. It's intended and designed. If you want to apply the authentication middleware specific path, you should write like this:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

// Actual route
app.get('/protected', jwt({ secret: 'my-secret' }), (c) => c.text('Protected content'))

export default app

@yusukebe
Thank you for the clarification. While the current behavior is indeed intentional, there's an important edge case worth considering:

The Parent-Route Protection Scenario

const app = new Hono()

// Parent route protection
app.use('/admin/*', jwt({ secret: 'my-secret' }))

// Existing admin routes
app.get('/admin/dashboard', (c) => c.text('Admin Dashboard'))
app.post('/admin/users', (c) => c.text('User Management'))

// Problem: These will still trigger JWT validation:
// GET /admin/non-existent-path
// POST /admin/invalid-route

Perhaps a configuration is needed to enable it to first check whether the route exists, rather than triggering the middleware.

[BelovedYaoo]

@yusukebe
I understand the current behavior is by design, but I'd like to highlight another critical production scenario that demonstrates why route-existence checking before authentication would be valuable:

Root Route Protection Use Case

const app = new Hono()

// Global protection (most routes need auth)
app.use('*', jwt({ secret: 'my-secret' }))

// Whitelisted routes
app.get('/public', (c) => c.text('Public Content')) 

// Protected routes
app.get('/api/user', (c) => c.text('User Data'))

// Current behavior issues:
// 1. GET /non-existent-route → Runs JWT validation before 404
// 2. POST /public → Runs JWT validation before 405
// 3. GET /api/non-existent → Runs JWT validation before 404

Why This Matters

1. Security: Malicious actors can exploit this to launch CPU-intensive attacks by flooding random endpoints
2. Performance: Every invalid request (40%+ in some APIs) incurs full auth processing
3. This is a safer and more intuitive approach consistent with common logic

Suggested Improvement Path

We could:

1.Add a route-checking middleware​ (opt-in):

import { routeChecker } from 'hono/route-checker'
app.use('*', routeChecker()) // Returns 404 for non-existent routes
app.use('*', jwt({ secret: 'my-secret' }))

2.Add a new global configuration item:

const app = new Hono({
    checkRoutes: true // New option
})

If possible, I would be willing to contribute a PR for this :)

[BelovedYaoo]

@yusukebe

Please reopen this issue and change the label to "enhancement" as it proposes a valuable feature improvement :)

[yusukebe]

Hey @usualoma

What do you think of this issue? I created PR #4703 to implement Route Check Middleware to resolve this issue. You can understand what the middleware does by looking at the code.

[BelovedYaoo]

Hey @yusukebe and @usualoma

Hope you're having a great week. I wanted to gently bring up a small suggestion regarding the route-checking middleware improvements we're working on.

I'm the author who opened the PR #4714 for performance optimization, which introduces a WeakMap cache to make the routeCheck()middleware from #4703 more efficient. As both PRs are related to the same feature, I was wondering if we could consider integrating the cache optimization from #4714 into the main implementation in #4703 before merging?

The cache optimization simply ensures that route existence checks don't re-run expensive recursive lookups on every request — making the middleware scale better under load while keeping the same functionality.

I'd be happy to help with any adjustments or reviews needed to make this integration smooth! Let me know what you think, or if there's a better way to coordinate these two changes.

Thanks for all your hard work on Hono! 🙏

[yusukebe]

@BelovedYaoo

Thanks. I'm thinking about that.