feat: Middleware support for WebServer

Moving default middlewares (cors, authc, logging) to examples

Author: mathieucarbou

libraries/WebServer/examples/Middleware/Middleware.ino

@@ -0,0 +1,54 @@
+#include <WiFi.h>
+#include <WebServer.h>
+#include <Middlewares.h>
+
+// Your AP WiFi Credentials
+// ( This is the AP your ESP will broadcast )
+const char *ap_ssid = "ESP32_Demo";
+const char *ap_password = "";
+
+WebServer server(80);
+
+LoggingMiddleware logger(Serial);
+CorsMiddleware cors;
+AuthenticationMiddleware auth;
+
+void setup(void) {
+  Serial.begin(115200);
+  WiFi.softAP(ap_ssid, ap_password);
+
+  Serial.print("IP address: ");
+  Serial.println(WiFi.AP.localIP());
+
+  cors.origin("http://192.168.4.1");
+  cors.methods("POST, GET, OPTIONS, DELETE");
+  cors.headers("X-Custom-Header");
+  cors.allowCredentials(false);
+  cors.maxAge(600);
+
+  auth.authenticate("admin", "admin");
+
+  server
+    .on(
+      "/",
+      []() {
+        server.send(200, "text/plain", "Home");
+      }
+    )
+    .addMiddleware(&logger)
+    .addMiddleware(&cors)
+    .addMiddleware(&auth);
+
+  server.onNotFound([]() {
+    server.send(404, "text/plain", "Page not found");
+  });
+
+  server.collectAllHeaders();
+  server.begin();
+  Serial.println("HTTP server started");
+}
+
+void loop(void) {
+  server.handleClient();
+  delay(2);  //allow the cpu to switch to other tasks
+}

libraries/WebServer/examples/Middleware/Middlewares.h

@@ -0,0 +1,208 @@
+#ifndef MIDDLEWARES_H
+#define MIDDLEWARES_H
+
+#include <WebServer.h>
+#include <Stream.h>
+
+#include <assert.h>
+
+// curl-like logging middleware
+class LoggingMiddleware : public Middleware {
+private:
+  Stream *_out;
+
+public:
+  explicit LoggingMiddleware(Stream &out) : _out(&out) {}
+
+  bool run(WebServer &server, Middleware::Callback next) override {
+    _out->print(F("* Connection from "));
+    _out->print(server.client().remoteIP().toString());
+    _out->print(F(":"));
+    _out->println(server.client().remotePort());
+
+    _out->print(F("< "));
+    HTTPMethod method = server.method();
+    if (method == HTTP_ANY) {
+      _out->print(F("HTTP_ANY"));
+    } else {
+      _out->print(http_method_str((http_method)method));
+    }
+    _out->print(F(" "));
+    _out->print(server.uri());
+    _out->print(F(" "));
+    _out->println(server.version());
+
+    int n = server.headers();
+    for (int i = 0; i < n; i++) {
+      String v = server.header(i);
+      if (!v.isEmpty()) {
+        // because these 2 are always there, eventually empty: "Authorization", "If-None-Match"
+        _out->print(F("< "));
+        _out->print(server.headerName(i));
+        _out->print(F(": "));
+        _out->println(server.header(i));
+      }
+    }
+
+    _out->println(F("<"));
+
+    bool ret = next();
+
+    if (ret) {
+      _out->println(F("* Processed!"));
+
+      _out->print(F("> "));
+      _out->print(F("HTTP/1."));
+      _out->print(server.version());
+      _out->print(F(" "));
+      _out->print(server.responseCode());
+      _out->print(F(" "));
+      _out->println(WebServer::responseCodeToString(server.responseCode()));
+
+      n = server.responseHeaders();
+      for (int i = 0; i < n; i++) {
+        _out->print(F("> "));
+        _out->print(server.responseHeaderName(i));
+        _out->print(F(": "));
+        _out->println(server.responseHeader(i));
+      }
+
+      _out->println(F(">"));
+
+    } else {
+      _out->println(F("* Not processed!"));
+    }
+
+    return ret;
+  }
+};
+
+class AuthenticationMiddleware : public Middleware {
+private:
+  // authenticate state
+  // 0: not authenticated
+  // 1: callback
+  // 2: username/password
+  // 3: sha1
+  int _auth = 0;
+  WebServer::THandlerFunctionAuthCheck _fn;
+  String _username;
+  String _password;
+  String _sha1;
+
+  // authenticate request
+  HTTPAuthMethod _mode = BASIC_AUTH;
+  String _realm;
+  String _authFailMsg;
+
+public:
+  AuthenticationMiddleware &authenticate(WebServer::THandlerFunctionAuthCheck fn) {
+    assert(fn);
+    _fn = fn;
+    _auth = 1;
+    return *this;
+  }
+
+  AuthenticationMiddleware &authenticate(const char *username, const char *password) {
+    if (strlen(username) == 0 || strlen(password) == 0) {
+      _auth = 0;
+      return *this;
+    } else {
+      _username = username;
+      _password = password;
+      _auth = 2;
+      return *this;
+    }
+  }
+
+  AuthenticationMiddleware &authenticateBasicSHA1(const char *username, const char *sha1AsBase64orHex) {
+    if (strlen(username) == 0 || strlen(sha1AsBase64orHex) == 0) {
+      _auth = 0;
+      return *this;
+    }
+    _username = username;
+    _sha1 = sha1AsBase64orHex;
+    _auth = 3;
+    return *this;
+  }
+
+  bool run(WebServer &server, Middleware::Callback next) override {
+    switch (_auth) {
+      case 1:
+        if (server.authenticate(_fn)) {
+          return next();
+        } else {
+          server.requestAuthentication(_mode, _realm.c_str(), _authFailMsg);
+          return true;
+        }
+
+      case 2:
+        if (server.authenticate(_username.c_str(), _password.c_str())) {
+          return next();
+        } else {
+          server.requestAuthentication(_mode, _realm.c_str(), _authFailMsg);
+          return true;
+        }
+
+      case 3:
+        if (server.authenticate(_username.c_str(), _sha1.c_str())) {
+          return next();
+        } else {
+          server.requestAuthentication(_mode, _realm.c_str(), _authFailMsg);
+          return true;
+        }
+
+      default: return next();
+    }
+  }
+};
+
+class CorsMiddleware : public Middleware {
+private:
+  String _origin = F("*");
+  String _methods = F("*");
+  String _headers = F("*");
+  bool _credentials = true;
+  uint32_t _maxAge = 86400;
+
+public:
+  CorsMiddleware &origin(const char *origin) {
+    _origin = origin;
+    return *this;
+  }
+
+  CorsMiddleware &methods(const char *methods) {
+    _methods = methods;
+    return *this;
+  }
+
+  CorsMiddleware &headers(const char *headers) {
+    _headers = headers;
+    return *this;
+  }
+
+  CorsMiddleware &allowCredentials(bool credentials) {
+    _credentials = credentials;
+    return *this;
+  }
+
+  CorsMiddleware &maxAge(uint32_t seconds) {
+    _maxAge = seconds;
+    return *this;
+  }
+
+  bool run(WebServer &server, Middleware::Callback next) override {
+    if (server.method() == HTTP_OPTIONS) {
+      server.sendHeader(F("Access-Control-Allow-Origin"), _origin.c_str());
+      server.sendHeader(F("Access-Control-Allow-Methods"), _methods.c_str());
+      server.sendHeader(F("Access-Control-Allow-Headers"), _headers.c_str());
+      server.sendHeader(F("Access-Control-Allow-Credentials"), _credentials ? F("true") : F("false"));
+      server.sendHeader(F("Access-Control-Max-Age"), String(_maxAge).c_str());
+      server.send(200);
+      return true;
+    }
+    return next();
+  }
+};
+
+#endif

libraries/WebServer/examples/Middleware/README.md

@@ -0,0 +1,109 @@
+This example shows how to load all request headers and use middleware.
+
+### CORS Middleware
+
+```bash
+❯  curl -i -X OPTIONS http://192.168.4.1
+HTTP/1.1 200 OK
+Content-Type: text/html
+Access-Control-Allow-Origin: http://192.168.4.1
+Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
+Access-Control-Allow-Headers: X-Custom-Header
+Access-Control-Allow-Credentials: false
+Access-Control-Max-Age: 600
+Content-Length: 0
+Connection: close
+```
+
+Output of logger middleware:
+
+```
+* Connection from 192.168.4.2:57597
+< OPTIONS / HTTP/1.1
+< Host: 192.168.4.1
+< User-Agent: curl/8.9.1
+< Accept: */*
+<
+* Processed!
+> HTTP/1.HTTP/1.1 200 OK
+> Content-Type: text/html
+> Access-Control-Allow-Origin: http://192.168.4.1
+> Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
+> Access-Control-Allow-Headers: X-Custom-Header
+> Access-Control-Allow-Credentials: false
+> Access-Control-Max-Age: 600
+> Content-Length: 0
+> Connection: close
+>
+```
+
+### Authentication Middleware
+
+```bash
+❯  curl -i -X GET http://192.168.4.1
+HTTP/1.1 401 Unauthorized
+Content-Type: text/html
+WWW-Authenticate: Basic realm=""
+Content-Length: 0
+Connection: close
+```
+
+Output of logger middleware:
+
+```
+* Connection from 192.168.4.2:57705
+< GET / HTTP/1.1
+< Host: 192.168.4.1
+< User-Agent: curl/8.9.1
+< Accept: */*
+<
+* Processed!
+> HTTP/1.HTTP/1.1 401 Unauthorized
+> Content-Type: text/html
+> WWW-Authenticate: Basic realm=""
+> Content-Length: 0
+> Connection: close
+>
+```
+
+Sending auth...
+
+```bash
+Note: Unnecessary use of -X or --request, GET is already inferred.
+*   Trying 192.168.4.1:80...
+* Connected to 192.168.4.1 (192.168.4.1) port 80
+* Server auth using Basic with user 'admin'
+> GET / HTTP/1.1
+> Host: 192.168.4.1
+> Authorization: Basic YWRtaW46YWRtaW4=
+> User-Agent: curl/8.9.1
+> Accept: */*
+> 
+* Request completely sent off
+< HTTP/1.1 200 OK
+< Content-Type: text/plain
+< Content-Length: 4
+< Connection: close
+< 
+* shutting down connection #0
+Home
+
+```
+
+Output of logger middleware:
+
+```
+* Connection from 192.168.4.2:62099
+< GET / HTTP/1.1
+< Authorization: Basic YWRtaW46YWRtaW4=
+< Host: 192.168.4.1
+< User-Agent: curl/8.9.1
+< Accept: */*
+<
+* Processed!
+> HTTP/1.HTTP/1.1 200 OK
+> Content-Type: text/plain
+> Content-Length: 4
+> Connection: close
+>
+```

libraries/WebServer/examples/Middleware/ci.json

@@ -0,0 +1,5 @@
+{
+  "targets": {
+    "esp32h2": false
+  }
+}

libraries/WebServer/src/Parsing.cpp

@@ -78,8 +78,14 @@ bool WebServer::_parseRequest(NetworkClient &client) {
   String req = client.readStringUntil('\r');
   client.readStringUntil('\n');
   //reset header value
-  for (int i = 0; i < _headerKeysCount; ++i) {
-    _currentHeaders[i].value = String();
+  if (_collectAllHeaders) {
+    // clear previous headers
+    collectAllHeaders();
+  } else {
+    // clear previous headers
+    for (RequestArgument *header = _currentHeaders; header; header = header->next) {
+      header->value = String();
+    }
   }
 
   // First line of HTTP request looks like "GET /path HTTP/1.1"
@@ -154,9 +160,6 @@ bool WebServer::_parseRequest(NetworkClient &client) {
       headerValue.trim();
       _collectHeader(headerName.c_str(), headerValue.c_str());
 
-      log_v("headerName: %s", headerName.c_str());
-      log_v("headerValue: %s", headerValue.c_str());
-
       if (headerName.equalsIgnoreCase(FPSTR(Content_Type))) {
         using namespace mime;
         if (headerValue.startsWith(FPSTR(mimeTable[txt].mimeType))) {
@@ -253,9 +256,6 @@ bool WebServer::_parseRequest(NetworkClient &client) {
       headerValue = req.substring(headerDiv + 2);
       _collectHeader(headerName.c_str(), headerValue.c_str());
 
-      log_v("headerName: %s", headerName.c_str());
-      log_v("headerValue: %s", headerValue.c_str());
-
       if (headerName.equalsIgnoreCase("Host")) {
         _hostHeader = headerValue;
       }
@@ -271,12 +271,29 @@ bool WebServer::_parseRequest(NetworkClient &client) {
 }
 
 bool WebServer::_collectHeader(const char *headerName, const char *headerValue) {
-  for (int i = 0; i < _headerKeysCount; i++) {
-    if (_currentHeaders[i].key.equalsIgnoreCase(headerName)) {
-      _currentHeaders[i].value = headerValue;
+  RequestArgument *last = nullptr;
+  for (RequestArgument *header = _currentHeaders; header; header = header->next) {
+    if (header->next == nullptr) {
+      last = header;
+    }
+    if (header->key.equalsIgnoreCase(headerName)) {
+      header->value = headerValue;
+      log_v("header collected: %s: %s", headerName, headerValue);
       return true;
     }
   }
+  assert(last);
+  if (_collectAllHeaders) {
+    last->next = new RequestArgument();
+    last->next->key = headerName;
+    last->next->value = headerValue;
+    _headerKeysCount++;
+    log_v("header collected: %s: %s", headerName, headerValue);
+    return true;
+  }
+
+  log_v("header skipped: %s: %s", headerName, headerValue);
+
   return false;
 }
 

libraries/WebServer/src/WebServer.cpp

@@ -41,31 +41,27 @@ static const char WWW_Authenticate[] = "WWW-Authenticate";
 static const char Content_Length[] = "Content-Length";
 static const char ETAG_HEADER[] = "If-None-Match";
 
-WebServer::WebServer(IPAddress addr, int port)
-  : _corsEnabled(false), _server(addr, port), _currentMethod(HTTP_ANY), _currentVersion(0), _currentStatus(HC_NONE), _statusChange(0), _nullDelay(true),
-    _currentHandler(nullptr), _firstHandler(nullptr), _lastHandler(nullptr), _currentArgCount(0), _currentArgs(nullptr), _postArgsLen(0), _postArgs(nullptr),
-    _headerKeysCount(0), _currentHeaders(nullptr), _contentLength(0), _clientContentLength(0), _chunked(false) {
+WebServer::WebServer(IPAddress addr, int port) : _server(addr, port) {
   log_v("WebServer::Webserver(addr=%s, port=%d)", addr.toString().c_str(), port);
 }
 
-WebServer::WebServer(int port)
-  : _corsEnabled(false), _server(port), _currentMethod(HTTP_ANY), _currentVersion(0), _currentStatus(HC_NONE), _statusChange(0), _nullDelay(true),
-    _currentHandler(nullptr), _firstHandler(nullptr), _lastHandler(nullptr), _currentArgCount(0), _currentArgs(nullptr), _postArgsLen(0), _postArgs(nullptr),
-    _headerKeysCount(0), _currentHeaders(nullptr), _contentLength(0), _clientContentLength(0), _chunked(false) {
+WebServer::WebServer(int port) : _server(port) {
   log_v("WebServer::Webserver(port=%d)", port);
 }
 
 WebServer::~WebServer() {
   _server.close();
-  if (_currentHeaders) {
-    delete[] _currentHeaders;
-  }
+
+  _clearRequestHeaders();
+  _clearResponseHeaders();
+
   RequestHandler *handler = _firstHandler;
   while (handler) {
     RequestHandler *next = handler->next();
     delete handler;
     handler = next;
   }
+  _firstHandler = nullptr;
 }
 
 void WebServer::begin() {
@@ -435,6 +431,8 @@ void WebServer::handleClient() {
           _currentClient.setTimeout(HTTP_MAX_SEND_WAIT); /* / 1000 removed, WifiClient setTimeout changed to ms */
           if (_parseRequest(_currentClient)) {
             _contentLength = CONTENT_LENGTH_NOT_SET;
+            _responseCode = 0;
+            _clearResponseHeaders();
             _handleRequest();
 
             if (_currentClient.isSSE()) {
@@ -494,16 +492,22 @@ void WebServer::stop() {
 }
 
 void WebServer::sendHeader(const String &name, const String &value, bool first) {
-  String headerLine = name;
-  headerLine += F(": ");
-  headerLine += value;
-  headerLine += "\r\n";
+  RequestArgument *header = new RequestArgument();
+  header->key = name;
+  header->value = value;
 
-  if (first) {
-    _responseHeaders = headerLine + _responseHeaders;
+  if (!_responseHeaders || first) {
+    header->next = _responseHeaders;
+    _responseHeaders = header;
   } else {
-    _responseHeaders += headerLine;
+    RequestArgument *last = _responseHeaders;
+    while (last->next) {
+      last = last->next;
+    }
+    last->next = header;
   }
+
+  _responseHeaderCount++;
 }
 
 void WebServer::setContentLength(const size_t contentLength) {
@@ -528,10 +532,13 @@ void WebServer::enableETag(bool enable, ETagFunction fn) {
 }
 
 void WebServer::_prepareHeader(String &response, int code, const char *content_type, size_t contentLength) {
-  response = String(F("HTTP/1.")) + String(_currentVersion) + ' ';
+  _responseCode = code;
+
+  response = version();
+  response += ' ';
   response += String(code);
   response += ' ';
-  response += _responseCodeToString(code);
+  response += responseCodeToString(code);
   response += "\r\n";
 
   using namespace mime;
@@ -557,19 +564,21 @@ void WebServer::_prepareHeader(String &response, int code, const char *content_t
   }
   sendHeader(String(F("Connection")), String(F("close")));
 
-  response += _responseHeaders;
-  response += "\r\n";
-  _responseHeaders = "";
+  for (RequestArgument *header = _responseHeaders; header; header = header->next) {
+    response += header->key;
+    response += F(": ");
+    response += header->value;
+    response += F("\r\n");
+  }
+
+  response += F("\r\n");
 }
 
 void WebServer::send(int code, const char *content_type, const String &content) {
   String header;
   // Can we assume the following?
   //if(code == 200 && content.length() == 0 && _contentLength == CONTENT_LENGTH_NOT_SET)
   //  _contentLength = CONTENT_LENGTH_UNKNOWN;
-  if (content.length() == 0) {
-    log_w("content length is zero");
-  }
   _prepareHeader(header, code, content_type, content.length());
   _currentClientWrite(header.c_str(), header.length());
   if (content.length()) {
@@ -727,52 +736,93 @@ bool WebServer::hasArg(String name) {
 }
 
 String WebServer::header(String name) {
-  for (int i = 0; i < _headerKeysCount; ++i) {
-    if (_currentHeaders[i].key.equalsIgnoreCase(name)) {
-      return _currentHeaders[i].value;
+  for (RequestArgument *current = _currentHeaders; current; current = current->next) {
+    if (current->key.equalsIgnoreCase(name)) {
+      return current->value;
     }
   }
   return "";
 }
 
 void WebServer::collectHeaders(const char *headerKeys[], const size_t headerKeysCount) {
-  _headerKeysCount = headerKeysCount + 2;
-  if (_currentHeaders) {
-    delete[] _currentHeaders;
-  }
-  _currentHeaders = new RequestArgument[_headerKeysCount];
-  _currentHeaders[0].key = FPSTR(AUTHORIZATION_HEADER);
-  _currentHeaders[1].key = FPSTR(ETAG_HEADER);
+  collectAllHeaders();
+  _collectAllHeaders = false;
+
+  _headerKeysCount += headerKeysCount;
+
+  RequestArgument *last = _currentHeaders->next;
+
   for (int i = 2; i < _headerKeysCount; i++) {
-    _currentHeaders[i].key = headerKeys[i - 2];
+    last->next = new RequestArgument();
+    last->next->key = headerKeys[i - 2];
+    last = last->next;
   }
 }
 
+void WebServer::collectAllHeaders() {
+  _clearRequestHeaders();
+
+  _currentHeaders = new RequestArgument();
+  _currentHeaders->key = FPSTR(AUTHORIZATION_HEADER);
+
+  _currentHeaders->next = new RequestArgument();
+  _currentHeaders->next->key = FPSTR(ETAG_HEADER);
+
+  _headerKeysCount = 2;
+  _collectAllHeaders = true;
+}
+
 String WebServer::header(int i) {
-  if (i < _headerKeysCount) {
-    return _currentHeaders[i].value;
+  RequestArgument *current = _currentHeaders;
+  while (current && i--) {
+    current = current->next;
   }
-  return "";
+  return current ? current->value : emptyString;
 }
 
 String WebServer::headerName(int i) {
-  if (i < _headerKeysCount) {
-    return _currentHeaders[i].key;
+  RequestArgument *current = _currentHeaders;
+  while (current && i--) {
+    current = current->next;
   }
-  return "";
+  return current ? current->key : emptyString;
 }
 
 int WebServer::headers() {
   return _headerKeysCount;
 }
 
 bool WebServer::hasHeader(String name) {
-  for (int i = 0; i < _headerKeysCount; ++i) {
-    if ((_currentHeaders[i].key.equalsIgnoreCase(name)) && (_currentHeaders[i].value.length() > 0)) {
-      return true;
+  return header(name).length() > 0;
+}
+
+const String &WebServer::responseHeader(String name) {
+  for (RequestArgument *current = _responseHeaders; current; current = current->next) {
+    if (current->key.equalsIgnoreCase(name)) {
+      return current->value;
     }
   }
-  return false;
+  return emptyString;
+}
+
+const String &WebServer::responseHeader(int i) {
+  RequestArgument *current = _responseHeaders;
+  while (current && i--) {
+    current = current->next;
+  }
+  return current ? current->value : emptyString;
+}
+
+const String &WebServer::responseHeaderName(int i) {
+  RequestArgument *current = _responseHeaders;
+  while (current && i--) {
+    current = current->next;
+  }
+  return current ? current->key : emptyString;
+}
+
+bool WebServer::hasResponseHeader(String name) {
+  return header(name).length() > 0;
 }
 
 String WebServer::hostHeader() {
@@ -792,7 +842,7 @@ void WebServer::_handleRequest() {
   if (!_currentHandler) {
     log_e("request handler not found");
   } else {
-    handled = _currentHandler->handle(*this, _currentMethod, _currentUri);
+    handled = _currentHandler->process(*this, _currentMethod, _currentUri);
     if (!handled) {
       log_e("request handler failed to handle request");
     }
@@ -818,7 +868,29 @@ void WebServer::_finalizeResponse() {
   }
 }
 
-String WebServer::_responseCodeToString(int code) {
+void WebServer::_clearResponseHeaders() {
+  _responseHeaderCount = 0;
+  RequestArgument *current = _responseHeaders;
+  while (current) {
+    RequestArgument *next = current->next;
+    delete current;
+    current = next;
+  }
+  _responseHeaders = nullptr;
+}
+
+void WebServer::_clearRequestHeaders() {
+  _headerKeysCount = 0;
+  RequestArgument *current = _currentHeaders;
+  while (current) {
+    RequestArgument *next = current->next;
+    delete current;
+    current = next;
+  }
+  _currentHeaders = nullptr;
+}
+
+String WebServer::responseCodeToString(int code) {
   switch (code) {
     case 100: return F("Continue");
     case 101: return F("Switching Protocols");

libraries/WebServer/src/WebServer.h

@@ -92,6 +92,7 @@ typedef struct {
   void *data;  // additional data
 } HTTPRaw;
 
+#include "detail/Middleware.h"
 #include "detail/RequestHandler.h"
 
 namespace fs {
@@ -181,11 +182,31 @@ class WebServer {
   int args();                                                                   // get arguments count
   bool hasArg(String name);                                                     // check if argument exists
   void collectHeaders(const char *headerKeys[], const size_t headerKeysCount);  // set the request headers to collect
+  void collectAllHeaders();                                                     // collect all request headers
   String header(String name);                                                   // get request header value by name
   String header(int i);                                                         // get request header value by number
   String headerName(int i);                                                     // get request header name by number
   int headers();                                                                // get header count
   bool hasHeader(String name);                                                  // check if header exists
+  const String version() const {
+    String v;
+    v.reserve(8);
+    v.concat(F("HTTP/1."));
+    v.concat(_currentVersion);
+    return v;
+  }
+
+  int responseCode() {
+    return _responseCode;
+  }
+  int responseHeaders() {
+    return _responseHeaderCount;
+  }
+  const String &responseHeader(String name);
+  const String &responseHeader(int i);
+  const String &responseHeaderName(int i);
+
+  bool hasResponseHeader(String name);  // check if response header exists
 
   int clientContentLength() {
     return _clientContentLength;
@@ -228,6 +249,8 @@ class WebServer {
   bool _eTagEnabled = false;
   ETagFunction _eTagFunction = nullptr;
 
+  static String responseCodeToString(int code);
+
 protected:
   virtual size_t _currentClientWrite(const char *b, size_t l) {
     return _currentClient.write(b, l);
@@ -241,7 +264,6 @@ class WebServer {
   void _finalizeResponse();
   bool _parseRequest(NetworkClient &client);
   void _parseArguments(String data);
-  static String _responseCodeToString(int code);
   bool _parseForm(NetworkClient &client, String boundary, uint32_t len);
   bool _parseFormUploadAborted();
   void _uploadWriteByte(uint8_t b);
@@ -255,44 +277,51 @@ class WebServer {
   // for extracting Auth parameters
   String _extractParam(String &authReq, const String &param, const char delimit = '"');
 
+  void _clearResponseHeaders();
+  void _clearRequestHeaders();
+
   struct RequestArgument {
     String key;
     String value;
+    RequestArgument *next;
   };
 
-  boolean _corsEnabled;
+  boolean _corsEnabled = false;
   NetworkServer _server;
 
   NetworkClient _currentClient;
-  HTTPMethod _currentMethod;
+  HTTPMethod _currentMethod = HTTP_ANY;
   String _currentUri;
-  uint8_t _currentVersion;
-  HTTPClientStatus _currentStatus;
-  unsigned long _statusChange;
-  boolean _nullDelay;
-
-  RequestHandler *_currentHandler;
-  RequestHandler *_firstHandler;
-  RequestHandler *_lastHandler;
-  THandlerFunction _notFoundHandler;
-  THandlerFunction _fileUploadHandler;
-
-  int _currentArgCount;
-  RequestArgument *_currentArgs;
-  int _postArgsLen;
-  RequestArgument *_postArgs;
+  uint8_t _currentVersion = 0;
+  HTTPClientStatus _currentStatus = HC_NONE;
+  unsigned long _statusChange = 0;
+  boolean _nullDelay = true;
+
+  RequestHandler *_currentHandler = nullptr;
+  RequestHandler *_firstHandler = nullptr;
+  RequestHandler *_lastHandler = nullptr;
+  THandlerFunction _notFoundHandler = nullptr;
+  THandlerFunction _fileUploadHandler = nullptr;
+
+  int _currentArgCount = 0;
+  RequestArgument *_currentArgs = nullptr;
+  int _postArgsLen = 0;
+  RequestArgument *_postArgs = nullptr;
 
   std::unique_ptr<HTTPUpload> _currentUpload;
   std::unique_ptr<HTTPRaw> _currentRaw;
 
-  int _headerKeysCount;
-  RequestArgument *_currentHeaders;
-  size_t _contentLength;
-  int _clientContentLength;  // "Content-Length" from header of incoming POST or GET request
-  String _responseHeaders;
+  bool _collectAllHeaders = false;
+  int _headerKeysCount = 0;
+  RequestArgument *_currentHeaders = nullptr;
+  size_t _contentLength = 0;
+  int _clientContentLength = 0;  // "Content-Length" from header of incoming POST or GET request
+  RequestArgument *_responseHeaders = nullptr;
+  int _responseHeaderCount = 0;
+  int _responseCode = 0;
 
   String _hostHeader;
-  bool _chunked;
+  bool _chunked = false;
 
   String _snonce;  // Store noance and opaque for future comparison
   String _sopaque;

libraries/WebServer/src/detail/Middleware.h

@@ -0,0 +1,119 @@
+#ifndef MIDDLEWARE_H
+#define MIDDLEWARE_H
+
+#include <assert.h>
+
+class MiddlewareChain;
+class WebServer;
+
+class Middleware {
+public:
+  typedef std::function<bool(void)> Callback;
+  typedef std::function<bool(WebServer &server, Callback next)> Function;
+  virtual ~Middleware() {}
+  virtual bool run(WebServer &server, Callback next) {
+    return next();
+  };
+
+private:
+  friend MiddlewareChain;
+  Middleware *_next = nullptr;
+  bool _managed = false;
+};
+
+class MiddlewareHandle : public Middleware {
+private:
+  Middleware::Function _fn;
+
+public:
+  MiddlewareHandle(Middleware::Function fn) : _fn(fn) {
+    assert(fn);
+  }
+
+  bool run(WebServer &server, Middleware::Callback next) override {
+    return _fn(server, next);
+  }
+};
+
+class MiddlewareChain {
+private:
+  Middleware *_root = nullptr;
+  Middleware *_current = nullptr;
+
+public:
+  ~MiddlewareChain() {
+    Middleware *current = _root;
+    while (current) {
+      Middleware *next = current->_next;
+      if (current->_managed) {
+        delete current;
+      }
+      current = next;
+    }
+    _root = nullptr;
+  }
+
+  Middleware *add(Middleware *middleware) {
+    if (!_root) {
+      _root = middleware;
+      return middleware;
+    }
+    Middleware *current = _root;
+    while (current->_next) {
+      current = current->_next;
+    }
+    current->_next = middleware;
+    return middleware;
+  }
+
+  Middleware *add(Middleware::Function fn) {
+    MiddlewareHandle *middleware = new MiddlewareHandle(fn);
+    middleware->_managed = true;
+    return add(middleware);
+  }
+
+  bool remove(Middleware *middleware) {
+    if (!_root) {
+      return false;
+    }
+    if (_root == middleware) {
+      _root = _root->_next;
+      if (middleware->_managed) {
+        delete middleware;
+      }
+      return true;
+    }
+    Middleware *current = _root;
+    while (current->_next) {
+      if (current->_next == middleware) {
+        current->_next = current->_next->_next;
+        if (middleware->_managed) {
+          delete middleware;
+        }
+        return true;
+      }
+      current = current->_next;
+    }
+    return false;
+  }
+
+  bool run(WebServer &server, Middleware::Callback finalizer) {
+    if (!_root) {
+      return finalizer();
+    }
+    _current = _root;
+    Middleware::Callback next;
+    next = [this, &server, &next, finalizer]() {
+      if (_current) {
+        Middleware *that = _current;
+        _current = _current->_next;
+        return that->run(server, next);
+      } else {
+        return finalizer();
+      }
+    };
+    return next();
+  }
+};
+
+#endif

libraries/WebServer/src/detail/RequestHandler.h

@@ -6,7 +6,11 @@
 
 class RequestHandler {
 public:
-  virtual ~RequestHandler() {}
+  virtual ~RequestHandler() {
+    if (_chain) {
+      delete _chain;
+    }
+  }
 
   /*
     note: old handler API for backward compatibility
@@ -75,8 +79,35 @@ class RequestHandler {
     _next = r;
   }
 
+  RequestHandler &addMiddleware(Middleware *middleware) {
+    if (!_chain) {
+      _chain = new MiddlewareChain();
+    }
+    _chain->add(middleware);
+    return *this;
+  }
+
+  RequestHandler &addMiddleware(Middleware::Function fn) {
+    if (!_chain) {
+      _chain = new MiddlewareChain();
+    }
+    _chain->add(fn);
+    return *this;
+  }
+
+  bool process(WebServer &server, HTTPMethod requestMethod, String requestUri) {
+    if (_chain) {
+      return _chain->run(server, [this, &server, &requestMethod, &requestUri]() {
+        return handle(server, requestMethod, requestUri);
+      });
+    } else {
+      return handle(server, requestMethod, requestUri);
+    }
+  }
+
 private:
   RequestHandler *_next = nullptr;
+  MiddlewareChain *_chain = nullptr;
 
 protected:
   std::vector<String> pathArgs;