DEV Community: Juan Torchia The latest articles on DEV Community by Juan Torchia (@jtorchia). https://dev.to/jtorchia https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F885942%2F5b3b3860-d364-4de0-a335-cb7c251109d9.jpeg DEV Community: Juan Torchia https://dev.to/jtorchia en Rate limiting in web apps: what to protect before picking a library Juan Torchia Fri, 05 Jun 2026 12:02:54 +0000 https://dev.to/jtorchia/rate-limiting-in-web-apps-what-to-protect-before-picking-a-library-4fki https://dev.to/jtorchia/rate-limiting-in-web-apps-what-to-protect-before-picking-a-library-4fki <h1> Rate limiting in web apps: what to protect before picking a library </h1> <p>I made the mistake of adding rate limiting like it was a convenience dependency — <code>npm install</code>, copy middleware from a tutorial, paste the magic number of 100 requests per minute, and get back to the sprint. I did it because "security" was on the backlog and I wanted to tick the box. The result was predictable: the middleware existed, but it wasn't protecting anything in particular. And the first time I actually looked at the logs with fresh eyes, I realized I had no idea what would have happened if someone had abused the login endpoint.</p> <p>I'm telling you this because that exact pattern is what I keep seeing recycled in Next.js tutorials: install a library, wrap it as global middleware, call it "security." That's not security. That's security vibes.</p> <p><strong>My take is concrete:</strong> rate limiting isn't a dependency; it's an abuse policy. And a policy without a definition is a rule without a subject.</p> <h2> What rate limiting in Next.js actually is — and what it isn't </h2> <p>Rate limiting is a mechanism to reject or delay requests that exceed a defined threshold within a time window. That's all it is, technically. The real value isn't in the threshold — it's in the decision that led to that threshold.</p> <p>OWASP, in its <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html" rel="noopener noreferrer">Authentication Cheat Sheet</a>, recommends specific defensive controls around authentication: temporary account lockout after failed attempts, progressive throttling, and uniform responses to avoid leaking whether a user exists. What OWASP does <em>not</em> say is "install library X and set 100 req/min on all routes." That's an interpretation, not a prescription.</p> <p>The difference matters: the OWASP guide gives you the <em>what to protect</em> (authentication, password recovery, endpoints that expose account state). The concrete implementation depends on your stack, your traffic, and the cost you're willing to absorb when you block a legitimate user.</p> <p>In Next.js App Router, the natural interception point is Middleware (<code>middleware.ts</code>), which runs at the edge before the request reaches the route — I covered that in detail in <a href="https://juanchi.dev/en/blog/nextjs-16-middleware-authorization-patterns-race-conditions" rel="noopener noreferrer">this post on authorization patterns in Next.js 16 Middleware</a>. But the execution layer doesn't replace the policy; it just enforces it.</p> <h2> The classic mistake: copying middleware before defining the asset </h2> <p>The typical tutorial starts like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — example of what NOT to do first</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Ratelimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@upstash/ratelimit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Redis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@upstash/redis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ratelimit</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Ratelimit</span><span class="p">({</span> <span class="na">redis</span><span class="p">:</span> <span class="nx">Redis</span><span class="p">.</span><span class="nf">fromEnv</span><span class="p">(),</span> <span class="na">limiter</span><span class="p">:</span> <span class="nx">Ratelimit</span><span class="p">.</span><span class="nf">slidingWindow</span><span class="p">(</span><span class="mi">100</span><span class="p">,</span> <span class="dl">"</span><span class="s2">1 m</span><span class="dl">"</span><span class="p">),</span> <span class="c1">// why 100? why 1 minute?</span> <span class="p">});</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">ip</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">127.0.0.1</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">success</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ratelimit</span><span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="nx">ip</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">success</span><span class="p">)</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">"</span><span class="s2">Too Many Requests</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/((?!_next|favicon.ico).*)</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// applies to EVERYTHING — really?</span> <span class="p">};</span> </code></pre> </div> <p>The code works. The problem is the chain of unanswered questions:</p> <ul> <li>Why 100 requests per minute? Based on what measured legitimate behavior?</li> <li>Does applying it to every route even make sense? A static image and a login endpoint don't share the same abuse profile.</li> <li>What happens to a legitimate user behind a corporate proxy or a university network where dozens of people share the same IP?</li> <li>Is there a log of the 429 that lets you tell the difference between a real attack and a false positive?</li> </ul> <p>None of those questions get answered by the library. You answer them before you touch the code.</p> <h2> The decision matrix: four questions before writing a single line </h2> <p>Before choosing an algorithm, a library, or a threshold, these four questions determine whether the rate limiting you're about to implement actually makes sense:</p> <h3> 1. What asset are you protecting? </h3> <p>Not "the app." Something concrete:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Asset</th> <th>Why limiting it matters</th> </tr> </thead> <tbody> <tr> <td>Login endpoint</td> <td>Credential stuffing, brute force</td> </tr> <tr> <td>Password recovery endpoint</td> <td>Account enumeration, email spam</td> </tr> <tr> <td>Form submission API</td> <td>Spam, notification flooding</td> </tr> <tr> <td>Expensive search endpoint</td> <td>Compute resource abuse</td> </tr> <tr> <td>Static routes / assets</td> <td>Probably not — leave it to the CDN</td> </tr> </tbody> </table></div> <p>OWASP explicitly calls out the first two. The rest are product decisions that you have to make.</p> <h3> 2. What abuse are you expecting? </h3> <p>The abuse you want to limit determines the right algorithm:</p> <ul> <li> <strong>High-velocity credential stuffing</strong>: sliding window with a low per-IP threshold on the auth endpoint.</li> <li> <strong>Slow, distributed scraping</strong>: IP alone isn't enough — you need fingerprinting or session tokens.</li> <li> <strong>Automated form spam</strong>: CAPTCHA first, rate limiting as a second layer.</li> <li> <strong>Legitimate traffic spikes (launch day, going viral)</strong>: aggressive rate limiting can hurt you here — consider queueing or backpressure first.</li> </ul> <p>If you don't know what abuse you're expecting, whatever threshold you set is arbitrary. And an arbitrary threshold is just as likely to annoy real users as it is to stop someone with actual malicious intent.</p> <h3> 3. What does a false positive cost you? </h3> <p>This is the cost tutorials always skip. A 429 hitting a legitimate user has real consequences that depend on context:</p> <ul> <li>In a SaaS with paying customers: lost trust, churn, a support ticket.</li> <li>In a public app with anonymous users: frustration, abandonment.</li> <li>In an internal API: it can silently break a critical flow.</li> </ul> <p>The cost of a false positive defines how tight you can make the threshold. If the cost is high, you need a more permissive threshold and better abuse signals (user-agent, behavioral patterns, tokens) instead of just IP.</p> <h3> 4. How do you observe that it's working? </h3> <p>If you don't have an answer to this, what you implemented is decorative security. A rate limiter without observability won't tell you whether it's blocking real abuse or legitimate users, whether the threshold is too aggressive or too permissive, or whether someone is already bypassing the control with a different technique.</p> <p>The useful minimum is logging every 429 with:</p> <ul> <li>Timestamp</li> <li>IP (or whatever identifier you use as the key)</li> <li>Affected route</li> <li>Authentication context if available (authenticated user vs. anonymous) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — version with minimal observability</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Reproducible example using in-memory storage (dev only or edge with local state)</span> <span class="c1">// In real production you need Redis or another distributed store</span> <span class="kd">const</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">reset</span><span class="p">:</span> <span class="kr">number</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">LIMIT</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="c1">// only for the login endpoint</span> <span class="kd">const</span> <span class="nx">WINDOW_MS</span> <span class="o">=</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="c1">// 1 minute</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Only applying to the login route — defined asset, not global</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-forwarded-for</span><span class="dl">"</span><span class="p">)?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="nx">attempts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ip</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">record</span> <span class="o">||</span> <span class="nx">now</span> <span class="o">&gt;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">reset</span><span class="p">)</span> <span class="p">{</span> <span class="nx">attempts</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ip</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">reset</span><span class="p">:</span> <span class="nx">now</span> <span class="o">+</span> <span class="nx">WINDOW_MS</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">record</span><span class="p">.</span><span class="nx">count</span><span class="o">++</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">record</span><span class="p">.</span><span class="nx">count</span> <span class="o">&gt;</span> <span class="nx">LIMIT</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Observable log: in production this goes to your logging system</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">event</span><span class="p">:</span> <span class="dl">"</span><span class="s2">rate_limit_exceeded</span><span class="dl">"</span><span class="p">,</span> <span class="nx">ip</span><span class="p">,</span> <span class="na">route</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">,</span> <span class="na">attempts</span><span class="p">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">count</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}));</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Too many attempts. Wait a moment.</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Retry-After</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">60</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Only intercept the route we defined as the asset</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <blockquote> <p>⚠️ This example uses an in-memory <code>Map</code>, which doesn't persist across edge runtime instances and doesn't survive a redeploy. For production on Railway or any other distributed environment, you need an external store like Redis (Upstash, Redis Cloud). This example is a decision pattern, not a production recipe.</p> </blockquote> <h2> Where people get it wrong: three patterns that look right but aren't </h2> <p><strong>Pattern 1: Global rate limiting as a substitute for endpoint security</strong></p> <p>A middleware that caps all routes at 100 req/min doesn't protect the login endpoint any better than no rate limiting at all — if the threshold is above the volume of a typical brute-force attack. The attacker just respects the limit and keeps going. What actually helps is a low, specific threshold on the right asset — closer to what OWASP recommends for authentication.</p> <p><strong>Pattern 2: IP as the only key dimension</strong></p> <p>A user behind CGNAT (IPv4 shared across thousands of people) has the same IP as everyone else on that network. In corporate or university contexts, rate limiting them all together can block dozens of legitimate people because of one person's behavior. If the asset you're protecting is primarily accessed by authenticated users, the key should be the user or session identifier, not the IP.</p> <p><strong>Pattern 3: Forgetting the <code>Retry-After</code> header</strong></p> <p>RFC 6585 defines that a 429 response should include a <code>Retry-After</code> header indicating how long the client should wait. Without that header, automated clients — SDKs, mobile apps, integrations — will retry immediately and make the problem you were trying to limit worse. Small detail, concrete consequences.</p> <h2> Limits of this guide: what you can't conclude without your own data </h2> <p>There are things I'm not going to claim here because they depend on context I don't have:</p> <ul> <li> <strong>What threshold to use</strong>: there's no universally correct number. The 10 req/min in the login example is illustrative. The real number comes from measured legitimate behavior in production — or a conservative initial decision with room to adjust.</li> <li> <strong>Whether Upstash, Redis Cloud, or something else is better</strong>: that depends on latency from where you run the edge, cost per operation, and the operational complexity you're willing to maintain.</li> <li> <strong>Whether rate limiting solves slow, distributed scraping</strong>: probably not, at least not alone. That scenario needs other signals. Claiming otherwise without data would be selling an incomplete solution to someone with a real problem.</li> </ul> <p>Before assuming your rate limiting is working, you need real logs. Without them, the control exists on paper but not in practice.</p> <h2> FAQ: rate limiting in Next.js web applications </h2> <p><strong>Where do I implement rate limiting in Next.js App Router — in Middleware or in the Route Handler?</strong></p> <p>Depends on the asset. If you want to act before the request reaches the route logic (and before compute costs kick in), Middleware is the right place. If you need full authentication context or business logic to decide the limit, the Route Handler has more information. In practice, both layers can coexist: Middleware for coarse IP-level limits, Route Handler for fine-grained per-authenticated-user limits.</p> <p><strong>Can I use an in-memory <code>Map</code> as the store for the rate limiter?</strong></p> <p>Only in development or as a pattern demonstration. An in-memory Map isn't shared across instances (Next.js can have multiple workers) and resets on every redeploy. For a distributed environment like Railway or Vercel, you need an external store — Redis is the most common and well-documented option.</p> <p><strong>Does rate limiting replace CAPTCHA on the login form?</strong></p> <p>No. They're different controls. CAPTCHA aims to distinguish humans from bots in real time. Rate limiting aims to cap the volume of attempts regardless of whether they're human or bot. OWASP suggests both as complementary layers, not as alternatives.</p> <p><strong>What happens if a legitimate user hits the limit by accident?</strong></p> <p>They should get a 429 with a clear <code>Retry-After</code> and an understandable message. If that happens frequently, the threshold is miscalibrated for legitimate traffic — that's a signal to revisit the number, not to remove the control.</p> <p><strong>Is rate limiting enough to protect a public API from mass scraping?</strong></p> <p>Probably not, if the scraping is distributed (many different IPs, each with low volume). Per-IP rate limiting only works well against high-frequency concentrated sources. Distributed scraping needs other signals: user-agent fingerprinting, behavioral pattern analysis, or mandatory token-based authentication.</p> <p><strong>Should I apply rate limiting to static asset routes?</strong></p> <p>Generally no — that's work for a CDN or the infrastructure layer. Applying rate limiting to <code>/favicon.ico</code> or images from Next.js Middleware adds latency with no real defensive benefit. If asset traffic is the problem, the right control is at the network layer, not the application.</p> <h2> The library doesn't decide the policy. You do. </h2> <p>There's a reason misconfigured rate limiting is worse than none: it gives you the feeling that the asset is protected when it isn't, or it protects something that doesn't matter while leaving the thing that does matter wide open.</p> <p>My position: before installing any library, answer the four questions in the matrix. If you can't answer "what asset am I protecting" and "what abuse am I expecting" with something more specific than "the app" and "bad people," you're not ready to implement the policy. You're ready to copy a tutorial.</p> <p>The concrete next step: look at your authentication routes first. They're the ones OWASP flags with the most evidence of needing controls. Define a conservative threshold, add minimal observability (log those 429s), and check those logs in the first 48 hours. That's where you'll get real data to calibrate against.</p> <p>If you want to understand how Next.js Middleware executes these controls and what happens with race conditions at scale, the post on <a href="https://juanchi.dev/en/blog/nextjs-16-middleware-authorization-patterns-race-conditions" rel="noopener noreferrer">authorization patterns in Next.js 16 Middleware</a> is the logical next step. And if backend endpoint security is part of the picture, it's worth crossing with what I covered on <a href="https://juanchi.dev/en/blog/spring-boot-actuator-endpoints-what-to-expose-hide" rel="noopener noreferrer">what to expose and what to hide in Spring Boot Actuator</a>.</p> <p><strong>Primary source:</strong></p> <ul> <li>OWASP Authentication Cheat Sheet — defensive controls around authentication and abuse: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html</a> </li> </ul> <p><em>This article was originally published on <a href="https://juanchi.dev/en/blog/rate-limiting-web-apps-what-to-protect-before-choosing-library" rel="noopener noreferrer">juanchi.dev</a></em></p> english typescript nextjs railway Rate limiting en aplicaciones web: qué proteger antes de elegir una librería Juan Torchia Fri, 05 Jun 2026 12:02:49 +0000 https://dev.to/jtorchia/rate-limiting-en-aplicaciones-web-que-proteger-antes-de-elegir-una-libreria-202n https://dev.to/jtorchia/rate-limiting-en-aplicaciones-web-que-proteger-antes-de-elegir-una-libreria-202n <h1> Rate limiting en aplicaciones web: qué proteger antes de elegir una librería </h1> <p>Cometí el error de agregar rate limiting como si fuera una dependencia de conveniencia — <code>npm install</code>, copiar middleware de un tutorial, pegar el número mágico de 100 requests por minuto y seguir con el sprint. Lo hice porque "seguridad" estaba en el backlog y quería tildar el ítem. El resultado fue predecible: el middleware existía, pero no protegía nada en particular. Y la primera vez que revisé los logs con criterio, me di cuenta de que no sabía qué habría pasado si alguien hubiera abusado del endpoint de login.</p> <p>Lo cuento porque ese patrón es exactamente el que veo circular en tutoriales de Next.js: instalar una librería, enrollarla como middleware global y llamarle "seguridad". No es seguridad. Es vibra de seguridad.</p> <p><strong>Mi tesis es concreta:</strong> rate limiting no es una dependencia; es una política de abuso. Y una política sin definición es una regla sin sujeto.</p> <h2> Qué es rate limiting en aplicaciones web con Next.js — y qué no es </h2> <p>Rate limiting es un mecanismo para rechazar o demorar solicitudes que superan un umbral definido en una ventana de tiempo. Eso es todo lo que es a nivel técnico. El valor real no está en el umbral — está en la decisión que llevó a ese umbral.</p> <p>OWASP, en su <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html" rel="noopener noreferrer">Authentication Cheat Sheet</a>, recomienda controles defensivos específicos alrededor de autenticación: bloqueo temporal de cuenta tras intentos fallidos, throttling progresivo y respuestas uniformes para no revelar si el usuario existe. Lo que OWASP no dice es "instalá X librería y configurá 100 req/min en todas las rutas". Eso es una interpretación, no una prescripción.</p> <p>La diferencia importa: la guía de OWASP te da el <em>qué proteger</em> (autenticación, recuperación de contraseña, endpoints que exponen estado de cuenta). La implementación concreta depende de tu stack, tu tráfico y el costo que estás dispuesto a asumir cuando bloqueás a alguien legítimo.</p> <p>En Next.js App Router, el lugar natural para interceptar es el Middleware (<code>middleware.ts</code>), que corre en el edge antes de que el request llegue a la ruta — lo analicé en detalle en <a href="https://juanchi.dev/es/blog/nextjs-16-middleware-autorizacion-patrones-race-conditions" rel="noopener noreferrer">este post sobre patrones de autorización en Next.js 16 Middleware</a>. Pero la capa de ejecución no reemplaza la política; solo la aplica.</p> <h2> El error clásico: copiar el middleware antes de definir el activo </h2> <p>El tutorial típico empieza así:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — ejemplo de lo que NO hacer primero</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Ratelimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@upstash/ratelimit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Redis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@upstash/redis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ratelimit</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Ratelimit</span><span class="p">({</span> <span class="na">redis</span><span class="p">:</span> <span class="nx">Redis</span><span class="p">.</span><span class="nf">fromEnv</span><span class="p">(),</span> <span class="na">limiter</span><span class="p">:</span> <span class="nx">Ratelimit</span><span class="p">.</span><span class="nf">slidingWindow</span><span class="p">(</span><span class="mi">100</span><span class="p">,</span> <span class="dl">"</span><span class="s2">1 m</span><span class="dl">"</span><span class="p">),</span> <span class="c1">// ¿por qué 100? ¿por qué 1 minuto?</span> <span class="p">});</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">ip</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">127.0.0.1</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">success</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ratelimit</span><span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="nx">ip</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">success</span><span class="p">)</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">"</span><span class="s2">Too Many Requests</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/((?!_next|favicon.ico).*)</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// aplica a TODO — ¿seguro?</span> <span class="p">};</span> </code></pre> </div> <p>El código funciona. El problema es la cadena de preguntas sin responder:</p> <ul> <li>¿Por qué 100 requests por minuto? ¿Basado en qué comportamiento legítimo medido?</li> <li>¿Aplicarlo a todas las rutas tiene sentido? Una imagen estática y un endpoint de login no tienen el mismo perfil de abuso.</li> <li>¿Qué le pasa a un usuario legítimo detrás de un proxy corporativo o una red universitaria donde muchos comparten la misma IP?</li> <li>¿Hay un log del 429 que permita distinguir ataque real de falso positivo?</li> </ul> <p>Ninguna de esas preguntas la resuelve la librería. Las resolvés vos antes de tocar el código.</p> <h2> La matriz de decisión: cuatro preguntas antes de escribir una línea </h2> <p>Antes de elegir algoritmo, librería o umbral, estas cuatro preguntas definen si el rate limiting que vas a implementar tiene sentido:</p> <h3> 1. ¿Qué activo protegés? </h3> <p>No "la app". Algo concreto:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Activo</th> <th>Por qué importa limitarlo</th> </tr> </thead> <tbody> <tr> <td>Endpoint de login</td> <td>Credential stuffing, fuerza bruta</td> </tr> <tr> <td>Endpoint de recuperación de contraseña</td> <td>Enumeración de cuentas, spam de emails</td> </tr> <tr> <td>API de envío de formularios</td> <td>Spam, flood de notificaciones</td> </tr> <tr> <td>Endpoint de búsqueda costosa</td> <td>Abuso de recursos de cómputo</td> </tr> <tr> <td>Rutas estáticas / assets</td> <td>Probablemente no — dejalo a CDN</td> </tr> </tbody> </table></div> <p>OWASP señala explícitamente los dos primeros. Los otros son decisiones de producto que vos tenés que tomar.</p> <h3> 2. ¿Qué abuso esperás? </h3> <p>El abuso que querés limitar determina el algoritmo correcto:</p> <ul> <li> <strong>Credential stuffing de alta velocidad</strong>: sliding window con umbral bajo por IP en el endpoint de auth.</li> <li> <strong>Scraping lento y distribuido</strong>: IP sola no alcanza — necesitás fingerprinting o tokens de sesión.</li> <li> <strong>Spam de formularios automatizado</strong>: CAPTCHA primero, rate limiting como segunda capa.</li> <li> <strong>Picos de tráfico legítimo (lanzamiento, viral)</strong>: rate limiting estricto puede hacerte daño — considerá queueing o backpressure primero.</li> </ul> <p>Si no sabés qué abuso esperás, el umbral que ponés es arbitrario. Y un umbral arbitrario tiene la misma probabilidad de molestar a usuarios reales que de detener a alguien con intención maliciosa.</p> <h3> 3. ¿Cuánto te cuesta un falso positivo? </h3> <p>Este es el costo que los tutoriales omiten. Un 429 a un usuario legítimo tiene consecuencias reales que dependen del contexto:</p> <ul> <li>En un SaaS con clientes pagos: pérdida de confianza, churn, ticket de soporte.</li> <li>En una app pública con usuario anónimo: frustración, abandono.</li> <li>En una API interna: puede romper un flujo crítico silenciosamente.</li> </ul> <p>El costo del falso positivo define cuánto podés apretar el umbral. Si el costo es alto, necesitás un umbral más permisivo y mejores señales de abuso (user-agent, comportamiento, tokens) en lugar de solo IP.</p> <h3> 4. ¿Cómo observás que está funcionando? </h3> <p>Si no tenés respuesta para esto, lo que implementaste es seguridad decorativa. Un rate limiter sin observabilidad no te dice si está bloqueando abuso real o usuarios legítimos, si el umbral es demasiado agresivo o demasiado permisivo, ni si alguien está evadiendo el control con otra técnica.</p> <p>El mínimo útil es loggear cada 429 con:</p> <ul> <li>Timestamp</li> <li>IP (o identificador que uses como clave)</li> <li>Ruta afectada</li> <li>Contexto de autenticación si está disponible (usuario autenticado vs. anónimo) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — versión con observabilidad mínima</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Ejemplo reproducible con almacenamiento en memoria (solo para desarrollo o edge con estado local)</span> <span class="c1">// En producción real necesitás Redis u otro store distribuido</span> <span class="kd">const</span> <span class="nx">intentos</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">reset</span><span class="p">:</span> <span class="kr">number</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">LIMITE</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="c1">// solo para el endpoint de login</span> <span class="kd">const</span> <span class="nx">VENTANA_MS</span> <span class="o">=</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="c1">// 1 minuto</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Solo aplicamos a la ruta de login — activo definido, no global</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-forwarded-for</span><span class="dl">"</span><span class="p">)?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">desconocida</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ahora</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">registro</span> <span class="o">=</span> <span class="nx">intentos</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ip</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">registro</span> <span class="o">||</span> <span class="nx">ahora</span> <span class="o">&gt;</span> <span class="nx">registro</span><span class="p">.</span><span class="nx">reset</span><span class="p">)</span> <span class="p">{</span> <span class="nx">intentos</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ip</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">reset</span><span class="p">:</span> <span class="nx">ahora</span> <span class="o">+</span> <span class="nx">VENTANA_MS</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">registro</span><span class="p">.</span><span class="nx">count</span><span class="o">++</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">registro</span><span class="p">.</span><span class="nx">count</span> <span class="o">&gt;</span> <span class="nx">LIMITE</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log observable: en producción esto iría a tu sistema de logs</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">evento</span><span class="p">:</span> <span class="dl">"</span><span class="s2">rate_limit_excedido</span><span class="dl">"</span><span class="p">,</span> <span class="nx">ip</span><span class="p">,</span> <span class="na">ruta</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">,</span> <span class="na">intentos</span><span class="p">:</span> <span class="nx">registro</span><span class="p">.</span><span class="nx">count</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}));</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Demasiados intentos. Esperá un momento.</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Retry-After</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">60</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Solo interceptamos la ruta que definimos como activo</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <blockquote> <p>⚠️ Este ejemplo usa <code>Map</code> en memoria, que no persiste entre instancias del edge runtime ni sobrevive un redeploy. Para producción sobre Railway u otro entorno distribuido, necesitás un store externo como Redis (Upstash, Redis Cloud). El ejemplo sirve como patrón de decisión, no como receta de producción directa.</p> </blockquote> <h2> Dónde se equivoca la gente: tres patrones que parecen bien pero no lo son </h2> <p><strong>Patrón 1: Rate limiting global como sustituto de seguridad de endpoint</strong></p> <p>Un middleware que limita todas las rutas a 100 req/min no protege el endpoint de login mejor que uno sin rate limiting, si el umbral está por encima del volumen de un ataque de fuerza bruta típico. El atacante simplemente respeta el límite y sigue. Lo que realmente ayuda es un umbral bajo y específico en el activo correcto — más en la línea de lo que recomienda OWASP para autenticación.</p> <p><strong>Patrón 2: IP como única dimensión de clave</strong></p> <p>Un usuario detrás de CGNAT (IPv4 compartida entre miles) tiene la misma IP que otro. En contextos corporativos o educativos, limitarlos a todos juntos puede bloquear a decenas de personas legítimas por el comportamiento de una sola. Si el activo que protegés es accedido principalmente por usuarios autenticados, la clave debería ser el identificador de usuario o sesión, no la IP.</p> <p><strong>Patrón 3: Olvidar el header <code>Retry-After</code></strong></p> <p>RFC 6585 define que una respuesta 429 debería incluir el header <code>Retry-After</code> indicando cuánto debe esperar el cliente. Sin ese header, clientes automáticos (SDKs, apps móviles, integraciones) van a reintentar inmediatamente y agravar el problema que intentabas limitar. Es un detalle pequeño con consecuencias concretas.</p> <h2> Límites de esta guía: qué no podés concluir sin datos propios </h2> <p>Hay cosas que no voy a afirmar acá porque dependen de contexto que no tengo:</p> <ul> <li> <strong>Qué umbral usar</strong>: no existe un número correcto universal. El 10 req/min del ejemplo de login es ilustrativo. El número real lo define el comportamiento legítimo medido en producción — o una decisión conservadora inicial con capacidad de ajuste.</li> <li> <strong>Si Upstash, Redis Cloud u otro store es mejor</strong>: dependen de la latencia desde donde corrés el edge, el costo por operación y la complejidad operativa que estás dispuesto a mantener.</li> <li> <strong>Si el rate limiting resuelve scraping lento y distribuido</strong>: probablemente no, al menos no solo. Ese escenario requiere otras señales. Afirmar lo contrario sin datos sería venderle una solución incompleta a alguien con un problema real.</li> </ul> <p>Antes de asumir que el rate limiting funciona, necesitás logs reales. Sin ellos, el control existe en papel pero no en práctica.</p> <h2> FAQ: rate limiting en aplicaciones web con Next.js </h2> <p><strong>¿Dónde implemento rate limiting en Next.js App Router — en Middleware o en la Route Handler?</strong></p> <p>Depende del activo. Si querés actuar antes de que el request llegue a la lógica de la ruta (y antes de costos de compute), el Middleware es el lugar correcto. Si necesitás contexto de autenticación completo o lógica de negocio para decidir el límite, la Route Handler tiene más información. En la práctica, los dos capas pueden coexistir: Middleware para límites gruesos por IP, Route Handler para límites finos por usuario autenticado.</p> <p><strong>¿Puedo usar un <code>Map</code> en memoria como store para el rate limiter?</strong></p> <p>Solo en desarrollo o como demostración de patrón. Un Map en memoria no se comparte entre instancias (Next.js puede tener múltiples workers) y se reinicia con cada redeploy. Para un ambiente distribuido como Railway o Vercel, necesitás un store externo — Redis es la opción más común y documentada.</p> <p><strong>¿El rate limiting reemplaza CAPTCHA en el formulario de login?</strong></p> <p>No. Son controles diferentes. CAPTCHA apunta a distinguir humanos de bots en tiempo real. Rate limiting apunta a limitar el volumen de intentos independientemente de si son humanos o bots. OWASP sugiere los dos como capas complementarias, no como alternativas.</p> <p><strong>¿Qué pasa si un usuario legítimo toca el límite por error?</strong></p> <p>Debería recibir un 429 con un <code>Retry-After</code> claro y un mensaje entendible. Si eso pasa frecuentemente, el umbral está mal calibrado para el tráfico legítimo — eso es una señal para revisar el número, no para eliminar el control.</p> <p><strong>¿Rate limiting alcanza para proteger una API pública de scraping masivo?</strong></p> <p>Probablemente no, si el scraping es distribuido (muchas IPs distintas con volumen bajo cada una). El rate limiting por IP solo funciona bien contra fuentes de alta frecuencia concentradas. Scraping distribuido requiere otras señales: fingerprinting de user-agent, análisis de patrones de comportamiento o autenticación obligatoria con tokens.</p> <p><strong>¿Conviene aplicar rate limiting a rutas de assets estáticos?</strong></p> <p>Generalmente no — eso es trabajo para un CDN o para la capa de infraestructura. Aplicar rate limiting a <code>/favicon.ico</code> o a imágenes desde el Middleware de Next.js agrega latencia sin beneficio defensivo real. Si el tráfico de assets es el problema, el control adecuado está en la capa de red, no en la aplicación.</p> <h2> Cierre: la librería no decide la política, vos sí </h2> <p>Hay una razón por la que el rate limiting mal configurado es peor que ninguno: da la sensación de que el activo está protegido cuando no lo está, o protege algo que no importa mientras deja desprotegido lo que sí importa.</p> <p>Mi postura es esta: antes de instalar cualquier librería, respondé las cuatro preguntas de la matriz. Si no podés responder "qué activo protejo" y "qué abuso espero" con algo más específico que "la app" y "gente maliciosa", no estás lista para implementar la política. Estás para copiar un tutorial.</p> <p>El próximo paso concreto: revisá tus rutas de autenticación primero. Son las que OWASP marca con más evidencia de necesitar control. Definí un umbral conservador, agregá observabilidad mínima (loggear los 429) y revisá esos logs en las primeras 48 horas. Ahí vas a tener datos reales para calibrar.</p> <p>Si querés entender mejor cómo el Middleware de Next.js ejecuta estos controles y qué pasa con los race conditions cuando escala, el post sobre <a href="https://dev.to/blog/nextjs-16-middleware-autorizacion-patorizacion-patrones-race-conditions">patrones de autorización en Next.js 16 Middleware</a> es el siguiente paso lógico. Y si la seguridad de endpoints de backend es parte del contexto, vale cruzar con lo que cubrí sobre <a href="https://juanchi.dev/es/blog/spring-boot-actuator-endpoints-seguridad" rel="noopener noreferrer">qué exponer y qué ocultar en Spring Boot Actuator</a>.</p> <p><strong>Fuente original:</strong></p> <ul> <li>OWASP Authentication Cheat Sheet — controles defensivos alrededor de autenticación y abuso: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html</a> </li> </ul> <p><em>Este artículo fue publicado originalmente en <a href="https://juanchi.dev/es/blog/rate-limiting-aplicaciones-web-nextjs" rel="noopener noreferrer">juanchi.dev</a></em></p> spanish espanol typescript nextjs Next.js 16 Middleware: authorization patterns that scale and the ones that cause race conditions Juan Torchia Thu, 04 Jun 2026 12:02:09 +0000 https://dev.to/jtorchia/nextjs-16-middleware-authorization-patterns-that-scale-and-the-ones-that-cause-race-conditions-4pfk https://dev.to/jtorchia/nextjs-16-middleware-authorization-patterns-that-scale-and-the-ones-that-cause-race-conditions-4pfk <h1> Next.js 16 Middleware: authorization patterns that scale and the ones that cause race conditions </h1> <p>Next.js middleware is basically the bouncer at a club. It doesn't decide if you're welcome inside — that's the staff's job. But it does decide whether you get through the door. And if the bouncer starts running a full background check on every person before opening up, the line wraps around the block.</p> <p>That's exactly the problem with authorization patterns in Next.js 16 Middleware. Most of the examples floating around online assume you can do full token validation at the edge. The reality is more uncomfortable: the edge runtime has concrete restrictions, and several patterns that worked fine in v14 blow up in production in ways that aren't obvious.</p> <p><strong>My thesis:</strong> Next.js 16 middleware is powerful, but its strength is in verifying <em>session</em>, not in validating a <em>complete token</em>. When you confuse those two roles, you end up with race conditions or latency you don't understand until you're staring at logs at 11pm.</p> <h2> The real problem: edge runtime is not Node.js </h2> <p>Before looking at each pattern, there's one fact that shapes everything that follows: Next.js middleware runs on <a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">edge runtime</a>, not full Node.js. That's not a minor detail — it's the reason certain patterns fail.</p> <p>The edge runtime has access to standard web APIs (<code>Request</code>, <code>Response</code>, <code>Headers</code>, <code>crypto.subtle</code>) but <strong>does not have access to</strong>:</p> <ul> <li> <code>fs</code> — no reading files</li> <li>native Node.js modules</li> <li>libraries that depend on Node buffers or system APIs</li> </ul> <p>What this means for auth is concrete: if your JWT library uses <code>jsonwebtoken</code> with Node's <code>crypto</code>, it won't work in middleware. You need <code>jose</code> or another library compatible with the Web Crypto API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ This blows up in edge runtime</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span> <span class="c1">// depends on Node's crypto</span> <span class="c1">// ✅ This works in edge runtime</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">jwtVerify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jose</span><span class="dl">'</span> <span class="c1">// Web Crypto API compatible</span> </code></pre> </div> <p>The official <a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Next.js Middleware</a> docs mention this, but between all the code examples it's easy to skip over that part — until the error shows up in your deploy.</p> <h2> The 4 patterns: tradeoff analysis </h2> <h3> Pattern 1 — Full token validation in middleware </h3> <p>The most tempting one and the most problematic.</p> <p>The idea: grab the token from the cookie or <code>Authorization</code> header, cryptographically verify it in middleware, and decide whether the user gets through.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">jwtVerify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jose</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">SECRET</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="o">!</span><span class="p">)</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Full cryptographic verification on every request</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">payload</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">jwtVerify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">)</span> <span class="c1">// Pass the userId downstream via header</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-user-id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span> <span class="k">as</span> <span class="kr">string</span><span class="p">)</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/api/protected/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p><strong>The honest tradeoff:</strong> <code>jwtVerify</code> with <code>jose</code> does run in edge runtime. The cryptographic verification itself is fast. The problem shows up when the token has a short expiration and you also need to consult a revocation list, or when you want to verify granular permissions that live in a database. At that point you're in trouble, because doing a database fetch from middleware on every request is latency that adds up.</p> <p><strong>When it works well:</strong> long-lived tokens, no active revocation, where you only need to know if the token is structurally valid.</p> <p><strong>When it blows up:</strong> if your system revokes tokens (real logout, password change), this pattern won't reflect that until the token expires on its own.</p> <h3> Pattern 2 — Role-based redirects in middleware </h3> <p>This pattern looks simple but hides a race condition specific to the Next.js App Router.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — role-based redirect pattern</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sessionCookie</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="c1">// Decoding without verifying — just to read the role from the payload</span> <span class="c1">// ⚠️ IMPORTANT: this is NOT a security verification</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="dl">'</span><span class="s1">base64url</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">()</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pathname</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span> <span class="c1">// Redirect based on role</span> <span class="k">if </span><span class="p">(</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/403</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p><strong>The race condition problem:</strong> if you use <code>NextResponse.redirect</code> in middleware at the same time the client has a Server Component doing a fetch from <code>layout.tsx</code>, you can end up with two in-flight requests pointing to different destinations. The App Router has its own navigation mechanism and the middleware redirect interrupts the hydration cycle in ways that aren't always predictable.</p> <p><strong>The symptom:</strong> the user sees a content flash before the redirect, or gets stuck in a redirect loop on certain routes. Reproducible when the matcher covers routes with nested layouts that do their own fetching.</p> <p><strong>The fix:</strong> use <code>NextResponse.rewrite</code> instead of <code>redirect</code> for internal or API routes, and save <code>redirect</code> only for the "no session at all" case. For granular permissions within a valid session, delegate the decision to the Server Component or Route Handler — they have full database access.</p> <h3> Pattern 3 — API route protection only in middleware </h3> <p>This is the pattern I see recommended most often in tutorials, and it has the most expensive hidden cost.</p> <p>The idea is to use the <code>matcher</code> to protect all <code>/api/</code> routes from middleware and not validate anything inside the route handler itself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — API protection from middleware only</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">)?.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="c1">// Verify token and let through</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">jwtVerify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>The problem:</strong> this pattern assumes middleware is the only security layer. If you ever call a route handler directly and internally — Server Action, server-side <code>fetch</code>, another route handler — middleware doesn't intervene. That silent bypass is the security vector that costs the most to discover.</p> <p><strong>The real cost:</strong> middleware as the sole gatekeeper works if every single access path goes through the same door. In App Router, with Server Actions and server-side calls, that assumption doesn't always hold.</p> <p><strong>My rule:</strong> middleware protects the perimeter. Route handlers validate their own authorization. Both layers need to exist — it's not one or the other. If that sounds redundant, it's the kind of redundancy worth having.</p> <h3> Pattern 4 — Middleware composition </h3> <p>Next.js 16 doesn't have native nested middleware — there's one single <code>middleware.ts</code> file. To compose logic, the common pattern is manually chaining functions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — manual composition</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="c1">// Each function returns NextResponse or null (to continue the chain)</span> <span class="kd">type</span> <span class="nx">MiddlewareFn</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">|</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span> <span class="c1">// Checks that a session exists</span> <span class="kd">function</span> <span class="nf">withSession</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">):</span> <span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span> <span class="c1">// continue</span> <span class="p">}</span> <span class="c1">// Blocks admin routes for non-admins</span> <span class="kd">function</span> <span class="nf">withAdminGuard</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">):</span> <span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="c1">// withSession already handled this</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">session</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="mi">3</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="dl">'</span><span class="s1">base64url</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">())</span> <span class="k">if </span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/403</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span> <span class="p">}</span> <span class="c1">// Composition function</span> <span class="kd">function</span> <span class="nf">compose</span><span class="p">(...</span><span class="nx">fns</span><span class="p">:</span> <span class="nx">MiddlewareFn</span><span class="p">[])</span> <span class="p">{</span> <span class="k">return</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">NextResponse</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">fn</span> <span class="k">of</span> <span class="nx">fns</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fn</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="k">return</span> <span class="nx">result</span> <span class="c1">// short-circuit on first result</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">middleware</span> <span class="o">=</span> <span class="nf">compose</span><span class="p">(</span><span class="nx">withSession</span><span class="p">,</span> <span class="nx">withAdminGuard</span><span class="p">)</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/admin/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p><strong>The tradeoff with this pattern:</strong> it's clean and scalable, but it has a maintenance cost. Each function in the pipeline decodes the token independently — if you have 4 guards that all read the same cookie, you're parsing the JWT 4 times per request.</p> <p><strong>The concrete optimization:</strong> parse the token once at the start and pass the payload as context through headers or an augmented request object. But Next.js has no native context mechanism between middleware functions, so the tradeoff is parsing multiple times vs. coupling the parsing to the start of the pipeline.</p> <h2> The gotchas nobody documents well </h2> <p><strong><code>Buffer.from</code> in edge runtime:</strong> in some edge deployments (Vercel Edge, Cloudflare Workers), <code>Buffer</code> isn't available globally. If you decode JWTs with <code>Buffer.from(..., 'base64url')</code>, your middleware can work locally and blow up in production. The portable alternative:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Portable base64url decoding for edge runtime</span> <span class="kd">function</span> <span class="nf">decodeJWTPayload</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">base64</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">+</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/_/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">json</span> <span class="o">=</span> <span class="nf">atob</span><span class="p">(</span><span class="nx">base64</span><span class="p">)</span> <span class="c1">// atob is available in Web APIs</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">json</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>The matcher and static routes:</strong> middleware runs on <em>every request that matches</em>, including static assets if the matcher isn't defined carefully. A poorly written matcher can run auth logic on <code>.ico</code>, <code>.png</code>, and font files. This isn't a bug — it's a silent CPU cost at the edge.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// recommended matcher: explicitly excludes assets</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">/((?!_next/static|_next/image|favicon.ico|.*</span><span class="se">\\</span><span class="s1">.png|.*</span><span class="se">\\</span><span class="s1">.svg).*)</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p><strong>Race condition with new session cookies:</strong> if middleware does a redirect at the same time the client is trying to write a new session cookie (e.g. right after login), the redirect can clear the cookie before it's persisted. Reproducible in login flows with an immediate redirect before the cookie is confirmed on the client.</p> <h2> The pattern I'd adopt in a new system </h2> <p>After analyzing all four, the one that best balances security, performance, and maintainability is a hybrid approach:</p> <ol> <li> <strong>Middleware</strong>: verifies session existence (is there a token? does it look like a JWT?) and redirects if there's nothing there. No full cryptographic verification in middleware if active revocation is involved.</li> <li> <strong>Server Components / Route Handlers</strong>: verify the full token with <code>jose</code> and check granular permissions if needed.</li> <li> <strong>Restrictive matcher</strong>: app routes only, never static assets. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — the pattern I'd use today</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="c1">// Public paths that don't require a session</span> <span class="kd">const</span> <span class="nx">PUBLIC_PATHS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/api/auth</span><span class="dl">'</span><span class="p">]</span> <span class="kd">function</span> <span class="nf">isPublicPath</span><span class="p">(</span><span class="nx">pathname</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">PUBLIC_PATHS</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">path</span> <span class="o">=&gt;</span> <span class="nx">pathname</span> <span class="o">===</span> <span class="nx">path</span> <span class="o">||</span> <span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">path</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="p">)</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">hasSessionShape</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="c1">// Shape check only, not cryptographic</span> <span class="c1">// Real verification happens in the route handler or server component</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">3</span> <span class="o">&amp;&amp;</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">every</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pathname</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span> <span class="c1">// Public paths: always let through</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPublicPath</span><span class="p">(</span><span class="nx">pathname</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sessionToken</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="c1">// No token: redirect to login</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sessionToken</span> <span class="o">||</span> <span class="o">!</span><span class="nf">hasSessionShape</span><span class="p">(</span><span class="nx">sessionToken</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">loginUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="nx">loginUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">,</span> <span class="nx">pathname</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="nx">loginUrl</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Token with valid shape: let through</span> <span class="c1">// Cryptographic verification and permission checks happen downstream</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">/((?!_next/static|_next/image|favicon.ico|.*</span><span class="se">\\</span><span class="s1">.(png|svg|jpg|ico)).*)</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p>This pattern is deliberately conservative: middleware does only what it can do well in edge runtime (checking the existence and shape of the token), and delegates real authorization to layers that have full access to the tools they need.</p> <h2> What you can't conclude without your own experiment </h2> <p>I'll be direct about the limits of this analysis:</p> <ul> <li> <strong>Real latency per pattern</strong>: I don't have my own public production numbers comparing these 4 patterns in real scenarios. If you want to measure it, instrument with <code>console.time</code> in local middleware and compare with Edge Functions Logs in Vercel.</li> <li> <strong>Behavior on Cloudflare Workers</strong>: Next.js 16 deployed on Workers can have edge runtime differences compared to Vercel Edge. The official docs cover the guaranteed subset; the rest depends on the provider.</li> <li> <strong>Session cookie race condition across all browsers</strong>: the new session + immediate redirect race condition is reproducible under specific conditions. It's not universal — it depends on client timing and hosting provider.</li> </ul> <p>What is backed by official documentation: the edge runtime limitations, unavailable modules, and matcher behavior are all described in <a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Next.js Docs — Middleware</a> and <a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">Next.js Docs — Edge Runtime</a>.</p> <h2> FAQ — Common questions about Next.js 16 Middleware and authorization </h2> <p><strong>Can I use <code>jsonwebtoken</code> in Next.js 16 middleware?</strong><br> Not reliably. <code>jsonwebtoken</code> depends on Node.js's <code>crypto</code> module, which isn't available in edge runtime. The recommended alternative is <code>jose</code>, which uses Web Crypto API and works at the edge. Always check dependency compatibility against the <a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">official Edge Runtime APIs list</a>.</p> <p><strong>Does Next.js 16 middleware replace validation in route handlers?</strong><br> No, and thinking it does is a mistake. Middleware protects the external perimeter of the app. Route handlers can be invoked internally (Server Actions, server-side fetch) without going through middleware. If you only protect in middleware, you have a silent bypass on the internal surface.</p> <p><strong>When does it make sense to do full cryptographic verification in middleware?</strong><br> When the token has no active revocation and the library is edge runtime compatible (<code>jose</code>). If you need to query a database to verify whether a token was revoked, that cost on every request scales badly. In that case, verify the shape in middleware and do the real check downstream.</p> <p><strong>Why can redirect loops appear in App Router with middleware?</strong><br> The App Router has its own navigation system with prefetching. A <code>NextResponse.redirect</code> in middleware can interfere with prefetched requests, creating cycles if the redirect condition also gets evaluated at the destination. The practical rule: use <code>redirect</code> only for "no session", and <code>rewrite</code> or headers to communicate state to the rest of the system.</p> <p><strong>Does the matcher affect performance even if middleware does nothing?</strong><br> Yes. Every request that matches executes the middleware, even if it immediately does <code>NextResponse.next()</code>. A too-broad matcher that includes static assets adds unnecessary overhead. The negative regex exclusion pattern (<code>(?!_next/static|...)</code>) is the correct way to limit scope.</p> <p><strong>Does it make sense to compose middlewares in Next.js 16 without native support?</strong><br> It makes sense if the project grows in auth complexity (multiple roles, multiple protected paths). The cost is parsing the JWT in each pipeline function. The optimization is parsing once at the start and passing the result as an internal header. If the project is simple, a well-commented monolithic middleware is more maintainable than a chain of functions.</p> <h2> The middleware is not your primary authorization layer </h2> <p>My position is uncomfortable for anyone who learned Next.js from "protect your app in 10 minutes" tutorials: middleware is excellent for doing the cheapest check of all — does this look like a token? — and redirecting fast when there's nothing there. It's a presence guard, not an auditor.</p> <p>Real authorization — permissions, roles, revocation, access to specific resources — belongs in layers that have full access to the tools you actually need: Server Components, Route Handlers, Server Actions. Those layers run on full Node.js, have database access, and can use any library.</p> <p>The uncomfortable part is that this split requires you to write validation in two places. But the alternative — putting all the logic in middleware and trusting that edge runtime has everything you need — is the recipe for every problem I described above.</p> <p>If you're working with TypeScript strict mode in the same project, the post on <a href="https://juanchi.dev/en/blog/typescript-strict-mode-tsconfig-options-production" rel="noopener noreferrer">the tsconfig options that impact production the most</a> has complementary context. And if you're thinking about App Router caching alongside auth, the <a href="https://juanchi.dev/en/blog/nextjs-app-router-caching-revalidate-dynamic-no-store" rel="noopener noreferrer">Next.js App Router caching</a> post covers the interactions you need to understand before mixing the two.</p> <p>The concrete next step: open your own <code>middleware.ts</code>, look at what it's actually doing, and ask yourself whether each operation belongs in edge or in Node.js. The answer to that question defines how well the system scales when traffic grows.</p> <p><em>Sources:</em></p> <ul> <li><em><a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Next.js Docs — Middleware</a></em></li> <li><em><a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">Next.js Docs — Edge Runtime</a></em></li> </ul> <p><em>This article was originally published on <a href="https://juanchi.dev/en/blog/nextjs-16-middleware-authorization-patterns-race-conditions" rel="noopener noreferrer">juanchi.dev</a></em></p> english typescript nextjs approuter Next.js 16 Middleware: patrones de autorización que escalan y los que generan race conditions Juan Torchia Thu, 04 Jun 2026 12:02:04 +0000 https://dev.to/jtorchia/nextjs-16-middleware-patrones-de-autorizacion-que-escalan-y-los-que-generan-race-conditions-bag https://dev.to/jtorchia/nextjs-16-middleware-patrones-de-autorizacion-que-escalan-y-los-que-generan-race-conditions-bag <h1> Next.js 16 Middleware: patrones de autorización que escalan y los que generan race conditions </h1> <p>El middleware de Next.js es básicamente como el portero de un boliche. No decide si sos bienvenido adentro — eso lo hace el staff interno. Pero sí decide si te deja pasar la puerta. Y si el portero empieza a revisar el historial completo de cada persona antes de abrir, la fila llega hasta la otra cuadra.</p> <p>Ese es exactamente el problema con los patrones de autorización en Next.js 16 Middleware. La mayoría de los ejemplos que circulan online asumen que podés hacer validación completa de tokens en el edge. La realidad es más incómoda: el edge runtime tiene restricciones concretas, y varios patterns que funcionaban en v14 explotan en producción de maneras que no son obvias.</p> <p><strong>Mi tesis:</strong> el middleware de Next.js 16 es potente, pero su fortaleza está en verificar <em>sesión</em>, no en validar <em>token completo</em>. Cuando confundís los dos roles, generás race conditions o latencia que no entendés hasta que estás mirando logs a las 11 de la noche.</p> <h2> El problema real: edge runtime no es Node.js </h2> <p>Antes de ver cada patrón, hay un hecho que define todo lo que sigue: el middleware de Next.js corre en <a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">edge runtime</a>, no en Node.js completo. Eso no es un detalle menor — es la razón por la que ciertos patterns fallan.</p> <p>El edge runtime tiene acceso a APIs web estándar (<code>Request</code>, <code>Response</code>, <code>Headers</code>, <code>crypto.subtle</code>) pero <strong>no tiene acceso a</strong>:</p> <ul> <li> <code>fs</code> — nada de leer archivos</li> <li>módulos nativos de Node.js</li> <li>librerías que dependan de buffers de Node o APIs de sistema</li> </ul> <p>Lo que esto significa para auth es concreto: si tu librería de JWT usa <code>jsonwebtoken</code> con <code>crypto</code> de Node, no va a funcionar en middleware. Necesitás usar <code>jose</code> u otra librería compatible con Web Crypto API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Esto explota en edge runtime</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span> <span class="c1">// depende de crypto de Node</span> <span class="c1">// ✅ Esto funciona en edge runtime</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">jwtVerify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jose</span><span class="dl">'</span> <span class="c1">// Web Crypto API compatible</span> </code></pre> </div> <p>La documentación oficial de <a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Next.js Middleware</a> lo menciona, pero entre tanto ejemplo de código uno tiende a saltear esa parte hasta que el error aparece en el deploy.</p> <h2> Los 4 patrones: análisis de tradeoffs </h2> <h3> Patrón 1 — Validación de token completo en middleware </h3> <p>El más tentador y el más problemático.</p> <p>La idea: agarrás el token de la cookie o el header <code>Authorization</code>, lo verificás criptográficamente en el middleware y decidís si el usuario pasa.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">jwtVerify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jose</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">SECRET</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="o">!</span><span class="p">)</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Verificación criptográfica completa en cada request</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">payload</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">jwtVerify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">)</span> <span class="c1">// Pasamos el userId al header para usarlo downstream</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-user-id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span> <span class="k">as</span> <span class="kr">string</span><span class="p">)</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/api/protected/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p><strong>El tradeoff honesto:</strong> <code>jwtVerify</code> con <code>jose</code> sí corre en edge runtime. La verificación criptográfica en sí es rápida. El problema aparece cuando el token tiene expiración corta y necesitás también consultar una lista de revocación, o cuando querés verificar permisos granulares que están en base de datos. Ahí estás en problemas, porque hacer un fetch a base de datos desde middleware en cada request es latencia que se acumula.</p> <p><strong>Cuándo funciona bien:</strong> tokens de vida larga, sin revocación activa, donde solo necesitás saber si el token es válido estructuralmente.</p> <p><strong>Cuándo explota:</strong> si tu sistema revoca tokens (logout real, cambio de contraseña), este patrón no lo refleja hasta que el token expira.</p> <h3> Patrón 2 — Role-based redirects en middleware </h3> <p>Este patrón parece simple pero esconde una race condition específica de Next.js App Router.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — patrón de redirects por rol</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sessionCookie</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="c1">// Decodificamos sin verificar — solo para leer el rol del payload</span> <span class="c1">// ⚠️ IMPORTANTE: esto NO es verificación de seguridad</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="dl">'</span><span class="s1">base64url</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">()</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pathname</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span> <span class="c1">// Redireccionamos según rol</span> <span class="k">if </span><span class="p">(</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/403</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p><strong>El problema de race condition:</strong> si usás <code>NextResponse.redirect</code> en middleware al mismo tiempo que el cliente tiene un Server Component haciendo fetch desde <code>layout.tsx</code>, podés terminar con dos requests en vuelo apuntando a destinos distintos. El App Router tiene su propio mecanismo de navegación y el redirect del middleware interrumpe el ciclo de hidratación de manera que no siempre es predecible.</p> <p><strong>El síntoma:</strong> el usuario ve un flash de contenido antes del redirect, o queda en un loop de redirect en ciertas rutas. Reproducible cuando el matcher cubre rutas con layouts anidados que hacen fetch propio.</p> <p><strong>La corrección:</strong> usá <code>NextResponse.rewrite</code> en lugar de <code>redirect</code> para rutas de API o internas, y reservá <code>redirect</code> solo para el caso de "no hay sesión en absoluto". Para permisos granulares dentro de una sesión válida, delegá la decisión al Server Component o al Route Handler — que sí tienen acceso completo a base de datos.</p> <h3> Patrón 3 — API route protection solo en middleware </h3> <p>Este es el patrón que más veo recomendado en tutoriales y el que tiene el costo oculto más caro.</p> <p>La idea es usar el <code>matcher</code> para proteger todas las rutas <code>/api/</code> desde middleware y no validar nada dentro del route handler.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — protección de API desde middleware únicamente</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">)?.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No autorizado</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="c1">// Verificamos token y pasamos</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">jwtVerify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Token inválido</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>El problema:</strong> este patrón asume que middleware es la única capa de seguridad. Si alguna vez llamás directamente a un route handler internamente (Server Action, <code>fetch</code> server-side, otro route handler), el middleware no interviene. Ese bypass silencioso es el vector de seguridad que más cuesta descubrir.</p> <p><strong>El costo real:</strong> middleware como único guardián funciona si toda la superficie de acceso pasa por la misma puerta. En App Router, con Server Actions y llamadas server-side, esa suposición no siempre se cumple.</p> <p><strong>Mi criterio:</strong> middleware protege el perímetro. Los route handlers validan autorización propia. Las dos capas tienen que existir, no es una o la otra. Si esto te parece redundante, es redundancia que vale la pena.</p> <h3> Patrón 4 — Composición de middlewares </h3> <p>Next.js 16 no tiene middleware anidado nativo — hay un solo archivo <code>middleware.ts</code>. Para componer lógica, el patrón común es encadenar funciones manualmente.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — composición manual</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="c1">// Cada función devuelve NextResponse o null (para continuar la cadena)</span> <span class="kd">type</span> <span class="nx">MiddlewareFn</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">|</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span> <span class="c1">// Verifica que exista sesión</span> <span class="kd">function</span> <span class="nf">withSession</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">):</span> <span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span> <span class="c1">// continúa</span> <span class="p">}</span> <span class="c1">// Bloquea rutas de admin para no-admins</span> <span class="kd">function</span> <span class="nf">withAdminGuard</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">):</span> <span class="nx">NextResponse</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="c1">// withSession ya manejó esto</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">session</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="mi">3</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="dl">'</span><span class="s1">base64url</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">())</span> <span class="k">if </span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/403</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span> <span class="p">}</span> <span class="c1">// Función de composición</span> <span class="kd">function</span> <span class="nf">compose</span><span class="p">(...</span><span class="nx">fns</span><span class="p">:</span> <span class="nx">MiddlewareFn</span><span class="p">[])</span> <span class="p">{</span> <span class="k">return</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">NextResponse</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">fn</span> <span class="k">of</span> <span class="nx">fns</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fn</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="k">return</span> <span class="nx">result</span> <span class="c1">// cortocircuito al primer resultado</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">middleware</span> <span class="o">=</span> <span class="nf">compose</span><span class="p">(</span><span class="nx">withSession</span><span class="p">,</span> <span class="nx">withAdminGuard</span><span class="p">)</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/admin/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p><strong>El tradeoff de este patrón:</strong> es limpio y escalable, pero tiene un costo de mantenimiento. Cada función del pipeline decodifica el token de manera independiente — si tenés 4 guards que todos leen el mismo cookie, estás parseando el JWT 4 veces por request.</p> <p><strong>La optimización concreta:</strong> parsear el token una sola vez al principio y pasar el payload como contexto a través de headers o de un objeto de request aumentado. Pero Next.js no tiene un mecanismo de contexto nativo entre funciones de middleware, así que el tradeoff es parsear múltiples veces vs. acoplar el parsing al inicio del pipeline.</p> <h2> Los gotchas que nadie documenta bien </h2> <p><strong><code>Buffer.from</code> en edge runtime:</strong> en algunos deployments de edge (Vercel Edge, Cloudflare Workers), <code>Buffer</code> no está disponible globalmente. Si decodificás JWT con <code>Buffer.from(..., 'base64url')</code>, tu middleware puede funcionar local y explotar en producción. La alternativa portable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Decodificación de base64url portable para edge runtime</span> <span class="kd">function</span> <span class="nf">decodeJWTPayload</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">base64</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">+</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/_/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">json</span> <span class="o">=</span> <span class="nf">atob</span><span class="p">(</span><span class="nx">base64</span><span class="p">)</span> <span class="c1">// atob está disponible en Web APIs</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">json</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>El matcher y las rutas estáticas:</strong> el middleware corre en <em>cada request que matchea</em>, incluyendo assets estáticos si el matcher no está bien definido. Un matcher mal escrito puede ejecutar lógica de auth en archivos <code>.ico</code>, <code>.png</code> y fuentes. Esto no es un bug, es un costo silencioso de CPU en edge.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// matcher recomendado: excluye assets explícitamente</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">/((?!_next/static|_next/image|favicon.ico|.*</span><span class="se">\\</span><span class="s1">.png|.*</span><span class="se">\\</span><span class="s1">.svg).*)</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p><strong>Race condition con cookies de sesión nueva:</strong> si el middleware hace redirect y al mismo tiempo el cliente intenta escribir una cookie de sesión nueva (ej: después de login), el redirect puede limpiar la cookie antes de que se persista. Reproducible en flows de login con redirect inmediato sin esperar a que la cookie se confirme en el cliente.</p> <h2> El patrón que adoptaría en un sistema nuevo </h2> <p>Después de analizar los cuatro, el que mejor balancea seguridad, performance y mantenibilidad es una versión híbrida:</p> <ol> <li> <strong>Middleware</strong>: verifica existencia de sesión (¿hay token? ¿tiene forma de JWT?) y redirige si no hay nada. Sin verificación criptográfica completa en el middleware si hay revocación activa.</li> <li> <strong>Server Components / Route Handlers</strong>: verifican el token completo con <code>jose</code> y consultan permisos granulares si los necesitan.</li> <li> <strong>Matcher restrictivo</strong>: solo rutas de app, nunca assets estáticos. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts — el pattern que adoptaría hoy</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="c1">// Rutas públicas que no necesitan sesión</span> <span class="kd">const</span> <span class="nx">PUBLIC_PATHS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/api/auth</span><span class="dl">'</span><span class="p">]</span> <span class="kd">function</span> <span class="nf">isPublicPath</span><span class="p">(</span><span class="nx">pathname</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">PUBLIC_PATHS</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">path</span> <span class="o">=&gt;</span> <span class="nx">pathname</span> <span class="o">===</span> <span class="nx">path</span> <span class="o">||</span> <span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">path</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="p">)</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">hasSessionShape</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="c1">// Verificación de forma solamente, no criptográfica</span> <span class="c1">// La verificación real va en el route handler o server component</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">3</span> <span class="o">&amp;&amp;</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">every</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pathname</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span> <span class="c1">// Rutas públicas: siempre pasan</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPublicPath</span><span class="p">(</span><span class="nx">pathname</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sessionToken</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="c1">// Sin token: redirigir a login</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sessionToken</span> <span class="o">||</span> <span class="o">!</span><span class="nf">hasSessionShape</span><span class="p">(</span><span class="nx">sessionToken</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">loginUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="nx">loginUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">,</span> <span class="nx">pathname</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="nx">loginUrl</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Con token con forma válida: dejamos pasar</span> <span class="c1">// La verificación criptográfica y de permisos va downstream</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">/((?!_next/static|_next/image|favicon.ico|.*</span><span class="se">\\</span><span class="s1">.(png|svg|jpg|ico)).*)</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p>Este patrón es deliberadamente conservador: el middleware hace solo lo que puede hacer bien en edge runtime (verificar existencia y forma del token), y delega la autorización real a capas que tienen acceso completo a las herramientas necesarias.</p> <h2> Lo que no podés concluir sin experimento propio </h2> <p>Seré directo sobre los límites de este análisis:</p> <ul> <li> <strong>Latencia real por patrón</strong>: no tengo números públicos propios de producción para comparar los 4 patrones en escenarios reales. Si querés medirlo, instrumentá con <code>console.time</code> en middleware local y compará con Edge Functions Logs en Vercel.</li> <li> <strong>Comportamiento en Cloudflare Workers</strong>: Next.js 16 deployado en Workers puede tener diferencias de edge runtime respecto a Vercel Edge. La documentación oficial cubre el subset garantizado; el resto depende del provider.</li> <li> <strong>Race condition de cookies en todos los browsers</strong>: la race condition de sesión nueva + redirect inmediato es reproducible en condiciones específicas. No es universal — depende del timing del cliente y del provider de hosting.</li> </ul> <p>Lo que sí está respaldado por documentación oficial: las limitaciones del edge runtime, los módulos no disponibles y el comportamiento del matcher son descritos en <a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Next.js Docs — Middleware</a> y <a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">Next.js Docs — Edge Runtime</a>.</p> <h2> FAQ — Preguntas frecuentes sobre Next.js 16 Middleware y autorización </h2> <p><strong>¿Puedo usar <code>jsonwebtoken</code> en el middleware de Next.js 16?</strong><br> No de manera confiable. <code>jsonwebtoken</code> depende del módulo <code>crypto</code> de Node.js, que no está disponible en edge runtime. La alternativa recomendada es <code>jose</code>, que usa Web Crypto API y funciona en edge. Verificá siempre la compatibilidad de dependencias con el <a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">listado oficial de Edge Runtime APIs</a>.</p> <p><strong>¿El middleware de Next.js 16 reemplaza la validación en los route handlers?</strong><br> No, y es un error pensarlo así. El middleware protege el perímetro externo de la app. Los route handlers pueden ser invocados internamente (Server Actions, fetch server-side) sin pasar por middleware. Si solo protegés en middleware, tenés un bypass silencioso en el surface interno.</p> <p><strong>¿Cuándo tiene sentido hacer verificación criptográfica completa en middleware?</strong><br> Cuando el token no tiene revocación activa y la librería es compatible con edge runtime (<code>jose</code>). Si necesitás consultar base de datos para verificar si el token fue revocado, ese costo en cada request escala mal. En ese caso, verificá la forma en middleware y hacé la consulta real downstream.</p> <p><strong>¿Por qué pueden aparecer loops de redirect en App Router con middleware?</strong><br> El App Router tiene su propio sistema de navegación con prefetching. Un <code>NextResponse.redirect</code> en middleware puede interferir con requests prefetcheados, generando ciclos si la condición de redirect se evalúa también en el destino. La regla práctica: usá <code>redirect</code> solo para "no hay sesión", y <code>rewrite</code> o headers para comunicar estado al resto del sistema.</p> <p><strong>¿El matcher afecta la performance aunque el middleware no haga nada?</strong><br> Sí. Cada request que matchea ejecuta el middleware, aunque sea para hacer <code>NextResponse.next()</code> inmediatamente. Un matcher demasiado amplio que incluye assets estáticos suma overhead innecesario. El patrón de exclusión con regex negativo (<code>(?!_next/static|...)</code>) es la forma correcta de limitar el scope.</p> <p><strong>¿Tiene sentido componer middlewares en Next.js 16 si no hay soporte nativo?</strong><br> Tiene sentido si el proyecto crece en complejidad de auth (múltiples roles, múltiples paths protegidos). El costo es parsear el JWT en cada función del pipeline. La optimización es parsear una sola vez al inicio y pasar el resultado como header interno. Si el proyecto es simple, un middleware monolítico bien comentado es más mantenible que una cadena de funciones.</p> <h2> Conclusión: el middleware no es tu capa de autorización principal </h2> <p>Mi postura es incómoda para quienes aprendieron Next.js con tutoriales de "protegé tu app en 10 minutos": el middleware es excelente para hacer el check más barato de todos — ¿hay algo que parece un token? — y redirigir rápido cuando no hay nada. Es un guardia de presencia, no un auditor.</p> <p>La autorización real — permisos, roles, revocación, acceso a recursos específicos — pertenece a capas que tienen acceso completo a las herramientas que necesitás: Server Components, Route Handlers, Server Actions. Esas capas corren en Node.js completo, tienen acceso a base de datos y pueden usar cualquier librería.</p> <p>Lo incómodo es que este split requiere que escribas validación en dos lugares. Pero la alternativa — poner toda la lógica en middleware y confiar en que el edge runtime tiene todo lo que necesitás — es la receta para los problemas que describí arriba.</p> <p>Si trabajás con TypeScript strict en el mismo proyecto, el post sobre <a href="https://juanchi.dev/es/blog/typescript-strict-mode-tsconfig-opciones-produccion" rel="noopener noreferrer">las opciones de tsconfig que más impactan en producción</a> tiene contexto complementario. Y si estás pensando en caching de App Router junto con auth, el post de <a href="https://juanchi.dev/es/blog/nextjs-app-router-caching-revalidate-dynamic-no-store" rel="noopener noreferrer">Next.js App Router caching</a> tiene las interacciones que hay que entender antes de mezclar las dos cosas.</p> <p>El próximo paso concreto: abrí el <code>middleware.ts</code> propio, fijate qué está haciendo realmente y preguntate si cada operación pertenece a edge o a Node.js. La respuesta a esa pregunta define qué tan bien escala el sistema cuando el tráfico crece.</p> <p><em>Fuentes:</em></p> <ul> <li><em><a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Next.js Docs — Middleware</a></em></li> <li><em><a href="https://nextjs.org/docs/app/api-reference/edge" rel="noopener noreferrer">Next.js Docs — Edge Runtime</a></em></li> </ul> <p><em>Este artículo fue publicado originalmente en <a href="https://juanchi.dev/es/blog/nextjs-16-middleware-autorizacion-patrones-race-conditions" rel="noopener noreferrer">juanchi.dev</a></em></p> spanish espanol typescript nextjs Prisma 5 Prisma 6: The Breaking Changes I Hit in My Real Schema and How I Fixed Them Without Breaking Production Juan Torchia Wed, 03 Jun 2026 12:01:43 +0000 https://dev.to/jtorchia/prisma-5-prisma-6-the-breaking-changes-i-hit-in-my-real-schema-and-how-i-fixed-them-without-5ed6 https://dev.to/jtorchia/prisma-5-prisma-6-the-breaking-changes-i-hit-in-my-real-schema-and-how-i-fixed-them-without-5ed6 <h1> Prisma 5 → Prisma 6: The Breaking Changes I Hit in My Real Schema and How I Fixed Them Without Breaking Production </h1> <p>The correct approach to migrating from Prisma 5 to Prisma 6 without breaking anything is <strong>don't run the upgrade on a Friday</strong>. I know that sounds obvious. But that's not actually the point — the real point is this: Prisma 6 has changes that TypeScript's compiler is not going to yell at you about. They'll pass through silently, and you'll find out at runtime — or worse, from a query result that looks correct but isn't.</p> <p>My thesis: Prisma 6 is a genuine improvement in ergonomics and performance, but there are three behavior changes that require manual attention before you upgrade. They're not bugs — they're deliberate decisions by the Prisma team that change how relational queries, the generated client, and transactions behave. If you don't know about them upfront, they'll find you.</p> <p>What follows is my analysis of those three changes, with representative code and the checklist I built so I don't have to repeat the experience.</p> <h2> Why Prisma 6 Matters (and What the Official Announcement Actually Says) </h2> <p>The official announcement — <a href="https://www.prisma.io/blog/prisma-6-better-performance-more-flexibility-and-type-safe-sql" rel="noopener noreferrer">"What's new in Prisma 6"</a> — has three main pillars:</p> <ol> <li> <strong>Better performance</strong> — rewritten internals, more efficient query engine.</li> <li> <strong>More flexibility</strong> — improved support for multiple providers and client configuration.</li> <li> <strong>Type-safe SQL</strong> — the new <code>prisma.$queryRawTyped</code> API with real type inference.</li> </ol> <p>All of that is real and welcome. What the announcement <strong>doesn't emphasize enough</strong> — and what costs you time when you upgrade without reading the full migration guide — are the behaviors that changed silently.</p> <p>I'm going to cover the three that hit hardest in a Next.js 16 + Server Actions + PostgreSQL stack.</p> <h2> Change 1: <code>selectRelationCount</code> Is No Longer Opt-In — How You Count Relations Changed </h2> <p>In Prisma 5, if you wanted to count relations (say, how many posts a user has) inside a <code>select</code>, you had to enable the <code>selectRelationCount</code> preview feature in the schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// schema.prisma — Prisma 5 generator client { provider = "prisma-client-js" previewFeatures = ["selectRelationCount"] } </code></pre> </div> <p>In Prisma 6, <code>selectRelationCount</code> went <strong>GA</strong> and the preview flag was removed. If you leave it in the schema, the Prisma CLI throws a warning — or an outright error depending on the exact version. The functionality still works, but the API changed subtly in how it integrates with <code>include</code> vs <code>select</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Prisma 5 — worked with the preview feature active</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">_count</span><span class="p">:</span> <span class="p">{</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">posts</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="c1">// ✅ Prisma 6 — same syntax, but without the flag in the schema</span> <span class="c1">// If the flag is still there, the CLI emits a warning on generate</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">_count</span><span class="p">:</span> <span class="p">{</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">posts</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p><strong>Concrete action:</strong> grep all <code>previewFeatures</code> in your schema and verify which ones went GA in v6. The official guide lists them. Remove them before running <code>prisma generate</code>.</p> <h2> Change 2: The Behavior of <code>undefined</code> in Relational Queries Changed </h2> <p>This is the one that hurts the most because there's no compile-time error. In Prisma 5, passing <code>undefined</code> as a value in a <code>where</code> was ignored — the filter simply wasn't applied. In Prisma 6, that behavior was <strong>standardized more strictly</strong>: in some cases <code>undefined</code> is still ignored, but in others — especially inside nested <code>select</code>s with optional relations — the behavior differs depending on whether the field is nullable in the schema or not.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ⚠️ Dangerous pattern in the Prisma 5 → 6 transition</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getPosts</span><span class="p">(</span><span class="nx">categoryFilter</span><span class="p">?:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// In Prisma 5: if categoryFilter is undefined, this where was ignored</span> <span class="c1">// In Prisma 6: behavior depends on the field's type in the schema</span> <span class="c1">// If 'category' is an optional field (String?), it may behave differently</span> <span class="na">category</span><span class="p">:</span> <span class="nx">categoryFilter</span><span class="p">,</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">author</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The fix is explicit and more defensive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Safe pattern for both Prisma 5 and 6</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getPosts</span><span class="p">(</span><span class="nx">categoryFilter</span><span class="p">?:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Build the where conditionally — don't depend on undefined's behavior</span> <span class="p">...(</span><span class="nx">categoryFilter</span> <span class="o">!==</span> <span class="kc">undefined</span> <span class="o">&amp;&amp;</span> <span class="p">{</span> <span class="na">category</span><span class="p">:</span> <span class="nx">categoryFilter</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">author</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The uncomfortable part about this change: <strong>the TypeScript types in the generated client don't change</strong>. <code>String | undefined</code> is still a valid type in the <code>where</code>. The compiler tells you nothing. You have to find it manually or with integration tests.</p> <p>My take here: <strong>building <code>where</code> objects conditionally</strong> isn't a workaround — it's the correct practice in any version of Prisma. If your codebase has a lot of places where you pass optional variables directly into <code>where</code>, this is the moment to clean them up.</p> <h2> Change 3: The Generated Client Was Reorganized and Direct Type Imports Can Break </h2> <p>Prisma 6 reorganized the structure of the generated client. If anywhere in your codebase you're importing types directly from the <code>.prisma/client</code> folder or from internal package paths (something that shouldn't be done but shows up in old tutorials), those imports can break silently or with cryptic errors.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Fragile pattern — importing from internal paths of the generated client</span> <span class="c1">// This might have worked in Prisma 5 but it's a private API, not public</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Prisma</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client/edge</span><span class="dl">'</span> <span class="c1">// ✅ Always import from the public entry point</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Prisma</span><span class="p">,</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> </code></pre> </div> <p>The most common case in Next.js 16 with Server Actions: using the edge client (<code>@prisma/client/edge</code>) for middleware or routes running in the Edge Runtime. In Prisma 6, the edge client configuration was unified and the way you instantiate it changed. The official docs have the updated details, but the error you'll see if you don't update is generic — something like "cannot find module" or "type is not assignable" that doesn't point directly at the problem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Prisma 6 with Next.js 16 — single client instance</span> <span class="c1">// lib/prisma.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">globalForPrisma</span> <span class="o">=</span> <span class="nb">global</span> <span class="k">as</span> <span class="nx">unknown</span> <span class="k">as</span> <span class="p">{</span> <span class="na">prisma</span><span class="p">:</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="nx">globalForPrisma</span><span class="p">.</span><span class="nx">prisma</span> <span class="o">??</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">({</span> <span class="c1">// log only in development — don't expose query logs in production</span> <span class="na">log</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="p">[</span><span class="dl">'</span><span class="s1">query</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">]</span> <span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">],</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">)</span> <span class="nx">globalForPrisma</span><span class="p">.</span><span class="nx">prisma</span> <span class="o">=</span> <span class="nx">prisma</span> </code></pre> </div> <p>This pattern didn't change between v5 and v6, but if you had it misconfigured (multiple instances, broken singleton), the upgrade is the moment to fix it.</p> <h2> Common Migration Mistakes — The Gotchas That Keep Showing Up </h2> <p><strong>Gotcha 1: running <code>prisma db push</code> without reading the full output.</strong></p> <p>Prisma 6 can generate slightly different migrations for the same schema if there are fields with types that changed internally (like some <code>DateTime</code> types with precision). Review the migration diff before applying it.</p> <p><strong>Gotcha 2: assuming <code>prisma migrate dev</code> and <code>prisma migrate deploy</code> behave the same way.</strong></p> <p><code>migrate dev</code> can do additional things (like resetting the DB on conflicts). In any environment that resembles production, always use <code>migrate deploy</code> and check state with <code>prisma migrate status</code> first.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check migration state before upgrading</span> npx prisma migrate status <span class="c"># Generate the client after updating the version</span> npx prisma generate <span class="c"># Review schema differences without applying anything</span> npx prisma migrate diff <span class="se">\</span> <span class="nt">--from-schema-datasource</span> prisma/schema.prisma <span class="se">\</span> <span class="nt">--to-schema-datamodel</span> prisma/schema.prisma <span class="se">\</span> <span class="nt">--script</span> </code></pre> </div> <p><strong>Gotcha 3: not updating <code>devDependencies</code> alongside <code>@prisma/client</code>.</strong></p> <p><code>prisma</code> (the CLI) and <code>@prisma/client</code> need to be on the same major version. If you update one and not the other, you'll get client generation errors that are hard to diagnose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Always update both at the same time</span> npm <span class="nb">install </span>prisma@6 @prisma/client@6 <span class="c"># Or with pnpm</span> pnpm add prisma@6 @prisma/client@6 </code></pre> </div> <p><strong>Gotcha 4: transaction behavior with <code>$transaction</code> and timeouts.</strong></p> <p>Prisma 6 adjusted the default timeouts for interactive transactions. If you have transactions running slow operations, the default timeout may be different. Verify and set it explicitly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Explicit timeout — don't depend on the default</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$transaction</span><span class="p">(</span> <span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// transaction operations</span> <span class="p">},</span> <span class="p">{</span> <span class="na">maxWait</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="c1">// ms — max time waiting to acquire the transaction</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">10000</span> <span class="c1">// ms — max execution time</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h2> Prisma 5 → 6 Migration Checklist </h2> <p>This is the order I follow to upgrade without surprises. It's not the only path, but it covers the edge cases that come up most often:</p> <p><strong>Before the upgrade:</strong></p> <ul> <li>[ ] Review all <code>previewFeatures</code> in the schema — verify which ones went GA in v6 and remove the corresponding flags</li> <li>[ ] Audit all <code>where</code> clauses that receive optional variables — replace the <code>field: variable | undefined</code> pattern with explicit conditional construction</li> <li>[ ] Search for imports from internal <code>@prisma/client</code> paths — centralize on the public entry point</li> <li>[ ] Verify explicit timeouts on all interactive <code>$transaction</code> calls</li> <li>[ ] Run <code>prisma migrate status</code> and make sure there are no pending migrations before upgrading</li> </ul> <p><strong>During the upgrade:</strong></p> <ul> <li>[ ] Update <code>prisma</code> and <code>@prisma/client</code> to the same major version simultaneously</li> <li>[ ] Run <code>prisma generate</code> and review the full output — not just that it finishes without error</li> <li>[ ] Run the integration test suite (if you have one) pointing at a staging DB, not production</li> <li>[ ] If you use Next.js 16 with Edge Runtime, verify the edge client configuration per the Prisma 6 docs</li> </ul> <p><strong>After the upgrade:</strong></p> <ul> <li>[ ] Monitor query logs in the first few hours — look for slower queries or unexpected results in optional relations</li> <li>[ ] Verify that the <code>PrismaClient</code> singleton is still working correctly in Next.js's lifecycle (hot reload in dev, single instance in prod)</li> </ul> <h2> FAQ — Prisma 6 Migration Breaking Changes </h2> <p><strong>Is Prisma 6 compatible with Prisma 5 without changes?</strong></p> <p>Not completely. There are breaking changes documented in the official migration guide. Most are manageable, but they require manual review — especially in schemas with <code>previewFeatures</code>, relational queries with optional values, and edge client usage. This isn't a patch upgrade; take it seriously.</p> <p><strong>Does the Prisma schema (schema.prisma) change between v5 and v6?</strong></p> <p>The schema format didn't change dramatically, but there are <code>previewFeatures</code> flags that need to be removed because they went GA. If you leave them in, the CLI may emit warnings or errors depending on the exact version. Check the full list in the official announcement.</p> <p><strong>Will my queries with <code>include</code> and optional relations work the same?</strong></p> <p>Probably yes for simple cases. The risk is in queries that pass <code>undefined</code> conditionally to optional fields in <code>where</code>. If you build filters explicitly (without depending on <code>undefined</code>'s behavior), the risk is low.</p> <p><strong>Does Prisma 6 work with Next.js 16 App Router and Server Actions?</strong></p> <p>Yes. The Next.js 16 + Server Actions + Prisma 6 + PostgreSQL stack works well. What needs attention is the client instance (global singleton) and the Edge Runtime configuration if you use it. The Prisma patterns with Server Actions I covered in <a href="https://dev.to/blog/prisma-query-logging-postgresql-donde-termina-orm-empieza-base">the previous post on Server Actions and Prisma</a> are still valid — just verify the client entry point.</p> <p><strong>Can I upgrade directly in production?</strong></p> <p>My recommendation is no. The safest flow is: upgrade branch → staging with a DB similar to production → integration test suite → deploy during low-traffic hours. The upgrade itself isn't risky if you follow the checklist, but the prior validation is what saves you from surprises.</p> <p><strong>Does <code>$queryRawTyped</code> replace <code>$queryRaw</code>?</strong></p> <p>It doesn't replace it, it complements it. <code>$queryRawTyped</code> is the new API for type-safe SQL with type inference — a genuine improvement for complex SQL queries that the ORM can't express well. <code>$queryRaw</code> still works. If you want to explore the new API, the official announcement has the examples; if you already use <a href="https://dev.to/blog/prisma-query-logging-postgresql-donde-termina-orm-empieza-base">query logging with PostgreSQL</a> to debug heavy queries, <code>$queryRawTyped</code> will be a natural ally.</p> <h2> The Upgrade Is Worth It, But You Have to Earn It </h2> <p>Prisma 6 is a real step forward — better performance, faster client generation, and type-safe SQL are concrete improvements that you feel in projects with complex schemas. I'm not questioning that.</p> <p>What I am saying is that there are <strong>three behaviors that won't scream at you in the compiler</strong>: cleaning up <code>previewFeatures</code>, handling <code>undefined</code> in conditional <code>where</code> objects, and imports from the generated client. Ignore them, and you find out at runtime.</p> <p>The truly uncomfortable part is that none of the three are Prisma bugs — they're reasonable decisions by the team that prioritize correct behavior over silent compatibility. But if you don't read the full migration guide before running <code>npm install prisma@6</code>, you're the one paying the cost.</p> <p>My practical recommendation: before upgrading, run a grep through the codebase for <code>previewFeatures</code>, for <code>field: variable</code> patterns in <code>where</code> objects, and for imports from internal <code>@prisma/client</code> paths. If all three come back clean, the upgrade will be smooth. If something shows up, you know before you start.</p> <p>If you're on the path of query hardening and logging, the post on <a href="https://dev.to/blog/prisma-query-logging-postgresql-donde-termina-orm-empieza-base">Prisma query logging and PostgreSQL</a> has useful context for the monitoring side post-upgrade. And if the project uses <a href="https://juanchi.dev/en/blog/typescript-strict-mode-tsconfig-options-production" rel="noopener noreferrer">TypeScript strict mode</a>, the <code>strictNullChecks</code> and <code>noUncheckedIndexedAccess</code> options will make exactly the <code>undefined</code> patterns I described here more visible.</p> <p><strong>Original source:</strong></p> <ul> <li>Prisma — What's new in Prisma 6: <a href="https://www.prisma.io/blog/prisma-6-better-performance-more-flexibility-and-type-safe-sql" rel="noopener noreferrer">https://www.prisma.io/blog/prisma-6-better-performance-more-flexibility-and-type-safe-sql</a> </li> </ul> <p><em>This article was originally published on <a href="https://juanchi.dev/en/blog/prisma-5-to-6-breaking-changes-migration-guide" rel="noopener noreferrer">juanchi.dev</a></em></p> english typescript backend nextjs Prisma 5 Prisma 6: los breaking changes que encontré en mi schema real y cómo los resolví sin romper producción Juan Torchia Wed, 03 Jun 2026 12:01:38 +0000 https://dev.to/jtorchia/prisma-5-prisma-6-los-breaking-changes-que-encontre-en-mi-schema-real-y-como-los-resolvi-sin-3pl7 https://dev.to/jtorchia/prisma-5-prisma-6-los-breaking-changes-que-encontre-en-mi-schema-real-y-como-los-resolvi-sin-3pl7 <h1> Prisma 5 → Prisma 6: los breaking changes que encontré en mi schema real y cómo los resolví sin romper producción </h1> <p>La solución correcta para migrar de Prisma 5 a Prisma 6 sin romper nada es <strong>no correr el upgrade el viernes</strong>. Sé que suena obvio. Pero el punto real es otro: Prisma 6 tiene cambios que el compilador de TypeScript no te va a gritar. Van a pasar silenciosamente, y vas a enterarte en runtime — o peor, en un resultado de query que parece correcto pero no lo es.</p> <p>Mi tesis es esta: Prisma 6 es una mejora genuina en ergonomía y performance, pero hay tres cambios de comportamiento que requieren atención manual antes de hacer el upgrade. No son bugs — son decisiones deliberadas del equipo de Prisma que cambian cómo se comportan las queries relacionales, el cliente generado y las transacciones. Si no los conocés de antemano, te van a encontrar ellos a vos.</p> <p>Lo que sigue es el análisis de esos tres cambios, con código representativo y el checklist que construí para no repetirlo.</p> <h2> Por qué Prisma 6 importa (y qué dice el anuncio oficial) </h2> <p>El anuncio oficial de Prisma — <a href="https://www.prisma.io/blog/prisma-6-better-performance-more-flexibility-and-type-safe-sql" rel="noopener noreferrer">"What's new in Prisma 6"</a> — tiene tres ejes centrales:</p> <ol> <li> <strong>Mejor performance</strong> — internals reescritos, query engine más eficiente.</li> <li> <strong>Más flexibilidad</strong> — soporte mejorado para múltiples providers y configuración del cliente.</li> <li> <strong>SQL type-safe</strong> — la nueva API <code>prisma.$queryRawTyped</code> con inferencia real.</li> </ol> <p>Todo eso es real y bienvenido. Lo que el anuncio <strong>no dice con énfasis suficiente</strong> — y lo que te cuesta tiempo cuando hacés el upgrade sin leer la guía de migración completa — son los comportamientos que cambiaron silenciosamente.</p> <p>Voy a cubrir los tres que más impactan en un stack Next.js 16 + Server Actions + PostgreSQL.</p> <h2> Cambio 1: <code>selectRelationCount</code> ya no es opt-in — cambió la forma de contar relaciones </h2> <p>En Prisma 5, si querías contar relaciones (por ejemplo, cuántos posts tiene un usuario) dentro de un <code>select</code>, tenías que habilitar el preview feature <code>selectRelationCount</code> en el schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// schema.prisma — Prisma 5 generator client { provider = "prisma-client-js" previewFeatures = ["selectRelationCount"] } </code></pre> </div> <p>En Prisma 6, <code>selectRelationCount</code> pasó a ser <strong>GA</strong> y la flag de preview fue removida. Si la dejás en el schema, Prisma CLI te lanza un warning — o directamente un error dependiendo de la versión puntual. La funcionalidad sigue andando, pero el API cambió sutilmente en cómo se integra con <code>include</code> vs <code>select</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Prisma 5 — funcionaba con la preview feature activa</span> <span class="kd">const</span> <span class="nx">usuarios</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">usuario</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">nombre</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">_count</span><span class="p">:</span> <span class="p">{</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">posts</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="c1">// ✅ Prisma 6 — misma sintaxis, pero sin la flag en el schema</span> <span class="c1">// Si la flag sigue presente, el CLI emite warning en generate</span> <span class="kd">const</span> <span class="nx">usuarios</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">usuario</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">nombre</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">_count</span><span class="p">:</span> <span class="p">{</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">posts</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p><strong>Acción concreta:</strong> buscá todas las <code>previewFeatures</code> en el schema y verificá cuáles pasaron a GA en v6. La guía oficial lista cuáles ya no son preview. Removalas antes de correr <code>prisma generate</code>.</p> <h2> Cambio 2: el comportamiento de <code>undefined</code> en queries relacionales cambió </h2> <p>Este es el que más duele porque no hay error en tiempo de compilación. En Prisma 5, pasar <code>undefined</code> como valor en un <code>where</code> era ignorado — el filtro simplemente no se aplicaba. En Prisma 6, ese comportamiento fue <strong>estandarizado de forma más estricta</strong>: en algunos casos <code>undefined</code> sigue siendo ignorado, pero en otros — especialmente dentro de <code>select</code> anidados con relaciones opcionales — el comportamiento difiere según si el campo es nullable o no en el schema.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ⚠️ Patrón peligroso en la transición Prisma 5 → 6</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">obtenerPosts</span><span class="p">(</span><span class="nx">filtroCategoria</span><span class="p">?:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// En Prisma 5: si filtroCategoria es undefined, este where era ignorado</span> <span class="c1">// En Prisma 6: el comportamiento depende del tipo del campo en el schema</span> <span class="c1">// Si 'categoria' es un campo opcional (String?), puede comportarse diferente</span> <span class="na">categoria</span><span class="p">:</span> <span class="nx">filtroCategoria</span><span class="p">,</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">autor</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>El fix es explícito y más defensivo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Patrón seguro para Prisma 5 y 6</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">obtenerPosts</span><span class="p">(</span><span class="nx">filtroCategoria</span><span class="p">?:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Construí el where condicionalmente — no dependas del comportamiento de undefined</span> <span class="p">...(</span><span class="nx">filtroCategoria</span> <span class="o">!==</span> <span class="kc">undefined</span> <span class="o">&amp;&amp;</span> <span class="p">{</span> <span class="na">categoria</span><span class="p">:</span> <span class="nx">filtroCategoria</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">autor</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Lo incómodo de este cambio: <strong>el TypeScript types del cliente generado no cambian</strong>. <code>String | undefined</code> sigue siendo válido como tipo en el <code>where</code>. El compilador no te avisa nada. Tenés que buscarlo a mano o con tests de integración.</p> <p>Mi punto acá: <strong>construir los objetos <code>where</code> condicionalmente</strong> no es un workaround — es la práctica correcta en cualquier versión de Prisma. Si tu codebase tiene muchos lugares donde pasás variables opcionales directo al <code>where</code>, este es el momento de limpiarlos.</p> <h2> Cambio 3: el cliente generado cambió y los imports directos de tipos pueden romperse </h2> <p>Prisma 6 reorganizó la estructura del cliente generado. Si en algún lugar de la codebase importás tipos directamente desde la carpeta <code>.prisma/client</code> o desde rutas internas del paquete (algo que no debería hacerse pero que aparece en tutoriales viejos), esos imports pueden romperse silenciosamente o con errores crípticos.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Patrón frágil — importar desde rutas internas del cliente generado</span> <span class="c1">// Esto podía funcionar en Prisma 5 pero es una API privada, no pública</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Prisma</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client/edge</span><span class="dl">'</span> <span class="c1">// ✅ Importá desde el punto de entrada público siempre</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Prisma</span><span class="p">,</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> </code></pre> </div> <p>El caso más frecuente en Next.js 16 con Server Actions: usar el cliente de edge (<code>@prisma/client/edge</code>) para middleware o rutas que corren en el Edge Runtime. En Prisma 6, la configuración del cliente de edge fue unificada y la forma de instanciarlo cambió. La documentación oficial tiene el detalle actualizado, pero el error que vas a ver si no lo actualizás es genérico — algo del estilo "cannot find module" o "type is not assignable" que no señala directamente el problema.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Prisma 6 con Next.js 16 — instancia única del cliente</span> <span class="c1">// lib/prisma.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">globalForPrisma</span> <span class="o">=</span> <span class="nb">global</span> <span class="k">as</span> <span class="nx">unknown</span> <span class="k">as</span> <span class="p">{</span> <span class="na">prisma</span><span class="p">:</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="nx">globalForPrisma</span><span class="p">.</span><span class="nx">prisma</span> <span class="o">??</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">({</span> <span class="c1">// log solo en desarrollo — no expongas query logs en producción</span> <span class="na">log</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="p">[</span><span class="dl">'</span><span class="s1">query</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">]</span> <span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">],</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">)</span> <span class="nx">globalForPrisma</span><span class="p">.</span><span class="nx">prisma</span> <span class="o">=</span> <span class="nx">prisma</span> </code></pre> </div> <p>Este patrón no cambió entre v5 y v6, pero si lo tenías mal configurado (instancias múltiples, singleton roto), el upgrade es el momento de corregirlo.</p> <h2> Errores comunes en la migración — los gotchas que más aparecen </h2> <p><strong>Gotcha 1: correr <code>prisma db push</code> sin leer el output completo.</strong></p> <p>Prisma 6 puede generar migraciones ligeramente diferentes para el mismo schema si hay campos con tipos que cambiaron internamente (como algunos tipos de <code>DateTime</code> con precisión). Revisá el diff de migración antes de aplicarlo.</p> <p><strong>Gotcha 2: asumir que <code>prisma migrate dev</code> y <code>prisma migrate deploy</code> se comportan igual.</strong></p> <p><code>migrate dev</code> puede hacer cosas adicionales (como resetear la DB en conflictos). En un entorno que se parece a producción, usá siempre <code>migrate deploy</code> y revisá el estado con <code>prisma migrate status</code> antes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verificá el estado de migraciones antes del upgrade</span> npx prisma migrate status <span class="c"># Generá el cliente después de actualizar la versión</span> npx prisma generate <span class="c"># Revisá las diferencias de schema sin aplicar nada</span> npx prisma migrate diff <span class="se">\</span> <span class="nt">--from-schema-datasource</span> prisma/schema.prisma <span class="se">\</span> <span class="nt">--to-schema-datamodel</span> prisma/schema.prisma <span class="se">\</span> <span class="nt">--script</span> </code></pre> </div> <p><strong>Gotcha 3: no actualizar las <code>devDependencies</code> junto con <code>@prisma/client</code>.</strong></p> <p><code>prisma</code> (el CLI) y <code>@prisma/client</code> tienen que estar en la misma versión mayor. Si actualizás uno y no el otro, vas a tener errores de generación de cliente que son difíciles de diagnosticar.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Actualizá ambos juntos siempre</span> npm <span class="nb">install </span>prisma@6 @prisma/client@6 <span class="c"># O con pnpm</span> pnpm add prisma@6 @prisma/client@6 </code></pre> </div> <p><strong>Gotcha 4: el comportamiento de transacciones con <code>$transaction</code> y timeouts.</strong></p> <p>Prisma 6 ajustó los defaults de timeout en transacciones interactivas. Si tenés transacciones que corren operaciones lentas, el timeout default puede ser diferente. Verificá y setealo explícitamente:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Timeout explícito — no dependas del default</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$transaction</span><span class="p">(</span> <span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// operaciones de la transacción</span> <span class="p">},</span> <span class="p">{</span> <span class="na">maxWait</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="c1">// ms — máximo tiempo esperando adquirir la transacción</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">10000</span> <span class="c1">// ms — máximo tiempo de ejecución</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h2> Checklist de migración Prisma 5 → 6 </h2> <p>Este es el orden que sigo para hacer un upgrade sin sustos. No es el único camino, pero cubre los edge cases que más aparecen:</p> <p><strong>Antes del upgrade:</strong></p> <ul> <li>[ ] Revisá todas las <code>previewFeatures</code> en el schema — verificá cuáles pasaron a GA en v6 y eliminá las flags correspondientes</li> <li>[ ] Auditá todos los <code>where</code> que reciben variables opcionales — reemplazá el patrón <code>campo: variable | undefined</code> por construcción condicional explícita</li> <li>[ ] Buscá imports desde rutas internas de <code>@prisma/client</code> — centralizá en el punto de entrada público</li> <li>[ ] Verificá los timeouts explícitos en todas las <code>$transaction</code> interactivas</li> <li>[ ] Corré <code>prisma migrate status</code> y asegurate de que no haya migraciones pendientes antes del upgrade</li> </ul> <p><strong>Durante el upgrade:</strong></p> <ul> <li>[ ] Actualizá <code>prisma</code> y <code>@prisma/client</code> a la misma versión mayor simultáneamente</li> <li>[ ] Corré <code>prisma generate</code> y revisá el output completo — no solo que termine sin error</li> <li>[ ] Corré el test suite de integración (si tenés) apuntando a una DB de staging, no producción</li> <li>[ ] Si usás Next.js 16 con Edge Runtime, verificá la configuración del cliente de edge según la doc de Prisma 6</li> </ul> <p><strong>Después del upgrade:</strong></p> <ul> <li>[ ] Monitoreá los query logs en las primeras horas — buscá queries más lentas o resultados inesperados en relaciones opcionales</li> <li>[ ] Verificá que el singleton de <code>PrismaClient</code> siga funcionando correctamente en el ciclo de vida de Next.js (hot reload en dev, instancia única en prod)</li> </ul> <h2> FAQ — Prisma 6 migration breaking changes </h2> <p><strong>¿Prisma 6 es compatible con Prisma 5 sin cambios?</strong></p> <p>No completamente. Hay breaking changes documentados en la guía oficial. La mayoría son manejables, pero requieren revisión manual — especialmente en schemas con <code>previewFeatures</code>, queries relacionales con valores opcionales y uso del cliente de edge. No es un upgrade de patch; tomalo en serio.</p> <p><strong>¿El schema de Prisma (schema.prisma) cambia entre v5 y v6?</strong></p> <p>El formato del schema no cambió drásticamente, pero sí hay flags de <code>previewFeatures</code> que deben removerse porque pasaron a GA. Si las dejás, el CLI puede emitir warnings o errores dependiendo de la versión puntual. Revisá la lista completa en el anuncio oficial.</p> <p><strong>¿Mis queries con <code>include</code> y relaciones opcionales van a funcionar igual?</strong></p> <p>Probablemente sí para los casos simples. El riesgo está en queries que pasan <code>undefined</code> condicionalmente a campos opcionales del <code>where</code>. Si construís los filtros de forma explícita (sin depender del comportamiento de <code>undefined</code>), el riesgo es bajo.</p> <p><strong>¿Prisma 6 funciona con Next.js 16 App Router y Server Actions?</strong></p> <p>Sí. El stack Next.js 16 + Server Actions + Prisma 6 + PostgreSQL funciona bien. Lo que requiere atención es la instancia del cliente (singleton global) y la configuración del Edge Runtime si la usás. Los patterns de Prisma con Server Actions que cubrí en <a href="https://dev.to/blog/prisma-query-logging-postgresql-donde-termina-orm-empieza-base">el post anterior sobre Server Actions y Prisma</a> siguen siendo válidos — solo verificá el punto de entrada del cliente.</p> <p><strong>¿Puedo hacer el upgrade en producción directamente?</strong></p> <p>Mi recomendación es no. El flujo más seguro es: rama de upgrade → staging con DB similar a producción → test suite de integración → deploy en horario de bajo tráfico. El upgrade en sí no es riesgoso si seguís el checklist, pero la validación previa es lo que te salva de sorpresas.</p> <p><strong>¿<code>$queryRawTyped</code> reemplaza a <code>$queryRaw</code>?</strong></p> <p>No lo reemplaza, lo complementa. <code>$queryRawTyped</code> es la nueva API para SQL type-safe con inferencia de tipos — es una mejora genuina para queries SQL complejas que el ORM no puede expresar bien. <code>$queryRaw</code> sigue funcionando. Si querés explorar la nueva API, el anuncio oficial tiene los ejemplos; si ya usás <a href="https://dev.to/blog/prisma-query-logging-postgresql-donde-termina-orm-empieza-base">query logging con PostgreSQL</a> para debuguear queries pesadas, <code>$queryRawTyped</code> va a ser tu aliado natural.</p> <h2> Conclusión: vale el upgrade, pero hay que ganárselo </h2> <p>Prisma 6 es un paso adelante real — mejor performance, client generation más rápida y SQL type-safe son mejoras concretas que se sienten en proyectos con schemas complejos. No lo estoy cuestionando.</p> <p>Lo que sí estoy diciendo es que hay <strong>tres comportamientos que no gritan en el compilador</strong>: la limpieza de <code>previewFeatures</code>, el manejo de <code>undefined</code> en <code>where</code> condicionales y los imports del cliente generado. Si los ignorás, te enterás en runtime.</p> <p>Lo incómodo de verdad es que ninguno de los tres es un bug de Prisma — son decisiones razonables del equipo que priorizan comportamiento correcto sobre compatibilidad silenciosa. Pero si no leés la guía de migración completa antes de correr <code>npm install prisma@6</code>, el costo lo pagás vos.</p> <p>Mi recomendación práctica: antes de hacer el upgrade, corré un grep en la codebase por <code>previewFeatures</code>, por patrones <code>campo: variable</code> en objetos <code>where</code>, y por imports desde rutas internas de <code>@prisma/client</code>. Si los tres resultados están limpios, el upgrade va a ser tranquilo. Si aparece algo, lo sabés antes de empezar.</p> <p>Si estás en el camino de hardening de queries y logging, el post sobre <a href="https://dev.to/blog/prisma-query-logging-postgresql-donde-termina-orm-empieza-base">Prisma query logging y PostgreSQL</a> tiene contexto útil para el lado del monitoreo post-upgrade. Y si el proyecto usa <a href="https://juanchi.dev/es/blog/typescript-strict-mode-tsconfig-opciones-produccion" rel="noopener noreferrer">TypeScript strict mode</a>, las opciones <code>strictNullChecks</code> y <code>noUncheckedIndexedAccess</code> van a hacer más visibles exactamente los patrones de <code>undefined</code> que describí acá.</p> <p><strong>Fuente original:</strong></p> <ul> <li>Prisma — What's new in Prisma 6: <a href="https://www.prisma.io/blog/prisma-6-better-performance-more-flexibility-and-type-safe-sql" rel="noopener noreferrer">https://www.prisma.io/blog/prisma-6-better-performance-more-flexibility-and-type-safe-sql</a> </li> </ul> <p><em>Este artículo fue publicado originalmente en <a href="https://juanchi.dev/es/blog/prisma-6-migration-breaking-changes" rel="noopener noreferrer">juanchi.dev</a></em></p> spanish espanol typescript backend tsgo: what changes in the TypeScript compiler rewritten in Go and what it means for real projects Juan Torchia Tue, 02 Jun 2026 14:31:59 +0000 https://dev.to/jtorchia/tsgo-what-changes-in-the-typescript-compiler-rewritten-in-go-and-what-it-means-for-real-projects-4440 https://dev.to/jtorchia/tsgo-what-changes-in-the-typescript-compiler-rewritten-in-go-and-what-it-means-for-real-projects-4440 <h1> tsgo: what changes in the TypeScript compiler rewritten in Go and what it means for real projects </h1> <p>I made the mistake of dismissing tsgo as hype before actually reading it. I saw the "10x faster" headline and mentally filed it next to JavaScript framework benchmarks — real numbers in a context that has nothing to do with my work. It only took opening the official repository and the TypeScript team's announcement to understand that this time the story is different. And that it's worth understanding exactly <em>what</em> changed, <em>what</em> hasn't yet, and when it actually makes sense to explore the migration.</p> <p>My thesis is simple: tsgo is a legitimate technical bet with public evidence behind it, but the beta has documented limitations that most enthusiastic posts quietly skip. The criterion for migrating today isn't whether the number looks attractive — it's whether your CI spends more than 5 minutes on type-checking. If you don't hit that threshold, wait for stable and sleep easy.</p> <h2> tsgo typescript compiler go: what it is and where it came from </h2> <p>The official project lives at <a href="https://github.com/microsoft/typescript-go" rel="noopener noreferrer">github.com/microsoft/typescript-go</a>. This isn't a fork or a community experiment — it's the TypeScript team itself porting the compiler to native Go, with the declared goal of leveraging real parallelism and eliminating V8 overhead.</p> <p>The official announcement on the <a href="https://devblogs.microsoft.com/typescript/typescript-native-port/" rel="noopener noreferrer">TypeScript Blog</a> is clear about the reasoning: JavaScript has a ceiling on compilation speed because it runs on a general-purpose runtime. Go lets you compile to a native binary, manage goroutines for genuine parallelism, and avoid V8's garbage collector pressure. The result according to the team's own measurements: compilations that take tens of seconds with classic TypeScript drop to a few seconds or less.</p> <p>The important thing is that tsgo <strong>does not change the type system</strong>. TypeScript's semantics — the same errors, the same inferences, the same <code>strict</code> behavior — stay identical. What changes is the speed at which you get to those results.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Experimental installation per the official repo</span> <span class="c"># Not on stable npm yet — follow the repo's README</span> git clone https://github.com/microsoft/typescript-go <span class="nb">cd </span>typescript-go <span class="c"># Build the binary (requires Go installed)</span> go build ./cmd/tsgo <span class="c"># Run type-check on a project</span> ./tsgo <span class="nt">--project</span> path/to/tsconfig.json </code></pre> </div> <h2> What limitations the beta has today </h2> <p>This is where most posts fall short. The official repository's roadmap explicitly documents what isn't ready in the beta:</p> <p><strong>Language Service (LSP) incomplete.</strong> Editor integration — VS Code, Neovim, any LSP client — is in progress but doesn't have parity with <code>tsc</code>. That means you can't replace the language server that gives you hover types, go-to-definition, and autocomplete today. The CLI type-check is the most mature piece.</p> <p><strong>Build mode and project references.</strong> Support for <code>tsc --build</code> with <code>composite: true</code> and references between packages in a monorepo is partially implemented. If you're using pnpm workspaces with multiple linked <code>tsconfig.json</code> files, you'll hit edge cases.</p> <p><strong>TypeScript plugins.</strong> The <code>plugins</code> in <code>tsconfig.json</code> that many frameworks use internally — Next.js ships its own — don't have guaranteed support yet.</p> <p><strong>Code transformations.</strong> tsgo in beta is a type-checker, not a full transpiler. It doesn't replace <code>tsc</code> when you need to emit <code>.js</code> from <code>.ts</code> with transformations. That's still territory for the original compiler or tools like esbuild/swc.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json-doc"><code><span class="c1">// Typical tsconfig.json in a Next.js project with strict mode</span><span class="w"> </span><span class="c1">// What tsgo can type-check today (CLI)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"strict"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"noEmit"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="c1">// ← "type-check only, no emit" mode — the most mature case in tsgo</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ESNext"</span><span class="p">,</span><span class="w"> </span><span class="nl">"moduleResolution"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bundler"</span><span class="p">,</span><span class="w"> </span><span class="nl">"paths"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/*"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c1">// What's NOT ready: plugins like Next.js's own, complex composite + references</span><span class="w"> </span></code></pre> </div> <p>If you have <code>strict: true</code> enabled — and if you're not sure why you should, I have a <a href="https://juanchi.dev/en/blog/typescript-strict-mode-tsconfig-options-production" rel="noopener noreferrer">post on the tsconfig options that actually matter in production</a> — tsgo respects exactly that semantics. The port doesn't relax or change the checks.</p> <h2> The common mistakes when evaluating tsgo </h2> <p><strong>Mistake 1: comparing the number without project context.</strong> The "10x" comes from benchmarks on large codebases. On a 50-file project where <code>tsc --noEmit</code> takes 8 seconds, the jump will be noticeable but not dramatic. On a monorepo with 500+ files where type-checking in CI takes 4–6 minutes, the difference concretely changes your pipeline.</p> <p><strong>Mistake 2: assuming it replaces the entire toolchain.</strong> tsgo in beta is a type-check binary. It doesn't replace esbuild, swc, or <code>next build</code>. Most modern monorepos already separated type-checking from transpilation — if yours hasn't, this is the moment to do it regardless of tsgo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Separating type-check from build in CI — recommended pattern today</span> <span class="c"># Step 1: type-check (candidate for tsgo when stable)</span> pnpm tsc <span class="nt">--noEmit</span> <span class="nt">--project</span> tsconfig.json <span class="c"># Step 2: build/transpilation (keep using tsc or next build, not tsgo yet)</span> pnpm next build </code></pre> </div> <p><strong>Mistake 3: ignoring the Language Service.</strong> Several enthusiastic posts recommend switching VS Code's <code>typescript.tsdk</code> to point at tsgo. The result today is inconsistent — some features work, others don't. Unless you're deliberately experimenting, don't do it in an environment where you need to actually develop.</p> <p><strong>Mistake 4: losing sight of the fact that plugins matter.</strong> Next.js 15+ ships its own TypeScript plugin to correctly type Server Component props and <code>generateMetadata</code> parameters. If tsgo doesn't load it, you lose those checks. That's not a tsgo problem — it's a documented beta limitation you need to track before adopting it.</p> <h2> Decision matrix: when to explore tsgo today </h2> <p>Not every tooling decision needs a spreadsheet. This one does need clear criteria because the cost of a premature migration is real: breaking your editor's feedback loop exactly when you need it most.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Situation</th> <th>Recommendation</th> </tr> </thead> <tbody> <tr> <td>CI type-check &gt; 5 minutes</td> <td>Worth exploring tsgo in a separate job and comparing</td> </tr> <tr> <td>CI type-check &lt; 2 minutes</td> <td>Wait for stable — no urgent gain</td> </tr> <tr> <td>Monorepo with complex project references</td> <td>Wait — documented partial support</td> </tr> <tr> <td>Next.js project with its TS plugin</td> <td>Wait — plugins not guaranteed in beta</td> </tr> <tr> <td>Pure type-check (<code>--noEmit</code>) in a separate CI job</td> <td>Most mature case to try today</td> </tr> <tr> <td>Need Language Server in your editor</td> <td>Not yet — LSP incomplete</td> </tr> </tbody> </table></div> <p>The only scenario where I see immediate value is a CI pipeline where type-checking is the documented bottleneck and you can run tsgo in a parallel job without touching the main build. That way you explore without risk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Example parallel job in GitHub Actions to evaluate tsgo</span> <span class="c1"># Without touching the main build</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">typecheck-experimental</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># doesn't block the pipeline if tsgo fails</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Go</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-go@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">go-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1.22'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clone and build tsgo</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">git clone https://github.com/microsoft/typescript-go /tmp/tsgo</span> <span class="s">cd /tmp/tsgo &amp;&amp; go build ./cmd/tsgo</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Measure type-check time with tsgo</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">time /tmp/tsgo/tsgo --project tsconfig.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Measure type-check time with tsc (for comparison)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">time pnpm tsc --noEmit</span> </code></pre> </div> <p>This approach has one concrete advantage: you get real data from <em>your</em> project, not from Microsoft's benchmark. That difference matters.</p> <h2> What you can't conclude without your own experiment </h2> <p>The uncomfortable thing about this topic is that the public evidence backs the speed claim but can't tell you how much <em>your specific pipeline</em> will improve. It depends on file count, type complexity, whether you're using heavy conditional types, how many <code>paths</code> your <code>tsconfig</code> has, and whether you have plugins tsgo won't load.</p> <p>What you <em>can</em> conclude without experimenting:</p> <ul> <li>tsgo <strong>will not change error semantics</strong> — same type system specification</li> <li>tsgo <strong>is not a drop-in replacement today</strong> — documented limitations in the official repo</li> <li>The technical bet of rewriting in Go <strong>has solid justification</strong> beyond the marketing: native parallelism, binary without V8, different memory management</li> </ul> <p>What you need to measure yourself:</p> <ul> <li>Real time gains on your specific codebase</li> <li>Whether the plugins you use are supported</li> <li>Language Service behavior in your editor</li> </ul> <p>Without those three measurements, any claim of "migrate it now" or "it's worthless" is noise.</p> <h2> FAQ: tsgo typescript compiler go </h2> <p><strong>Does tsgo completely replace tsc today?</strong><br> No. In the current beta, tsgo is primarily a CLI type-checker (<code>--noEmit</code>). It doesn't replace code emission, TypeScript plugins, and doesn't have full Language Service parity for editors. The official repository documents the roadmap with what's still missing.</p> <p><strong>Is tsgo's type system identical to the original TypeScript?</strong><br> Yes, that's the project's premise. The Go port replicates the same type semantics — the same errors, the same inferences, the same <code>strict</code> behavior. If you find a difference, it's a bug in the port, not a feature.</p> <p><strong>Does it work with Next.js?</strong><br> Partially. Basic type-checking works, but the TypeScript plugin Next.js includes to type Server Components and metadata isn't guaranteed in the beta. For production Next.js projects, wait until plugin support is stable.</p> <p><strong>Is it worth trying in a monorepo with pnpm workspaces?</strong><br> Depends on the size. If you have project references (<code>composite: true</code>) between packages, support is partial per the official documentation. If you're simply running <code>tsc --noEmit</code> on the root, that's the most mature scenario to experiment with.</p> <p><strong>When will it hit stable?</strong><br> The official repository's roadmap has no public date. The signal to watch for: complete LSP, verified plugin support, and documented parity with <code>tsc</code>. Follow the repo — the milestones are public.</p> <p><strong>Should I switch VS Code's <code>typescript.tsdk</code> to tsgo now?</strong><br> I wouldn't do it in an active development environment. The tsgo Language Service in beta has incomplete features that will break hover types and autocomplete in specific cases. If you want to experiment, do it on a dedicated branch with that explicit purpose.</p> <h2> My take and the one concrete next step </h2> <p>tsgo is the most technically interesting move in the TypeScript ecosystem in years. Not because the "10x" number is magic, but because the real bottleneck of the compiler was always the JavaScript runtime — and that limitation now has a serious answer with public evidence behind it.</p> <p>What I don't buy is the enthusiasm that ignores the documented limitations. The current beta has a clear scope: CLI type-checking on projects without complex plugins. That's not nothing — for many CI pipelines it's exactly the critical use case — but it's also not the full replacement some posts present it as.</p> <p>My practical recommendation: if type-checking is the documented bottleneck in your CI, set up a parallel job with <code>continue-on-error: true</code>, measure the delta on your real codebase, and make the decision with your own data. If you don't have that problem today, close this tab and revisit it when the team announces stable. There's no urgency.</p> <p>The next step for you is exactly one thing: go to the <a href="https://github.com/microsoft/typescript-go" rel="noopener noreferrer">official repository</a> and check the open issues for the features you actually use. That's where the real information is — not in the headlines.</p> <p><strong>Original sources:</strong></p> <ul> <li>TypeScript Go — GitHub Repository: <a href="https://github.com/microsoft/typescript-go" rel="noopener noreferrer">https://github.com/microsoft/typescript-go</a> </li> <li>TypeScript Blog — Announcing TypeScript Go: <a href="https://devblogs.microsoft.com/typescript/typescript-native-port/" rel="noopener noreferrer">https://devblogs.microsoft.com/typescript/typescript-native-port/</a> </li> </ul> <p><em>This article was originally published on <a href="https://juanchi.dev/en/blog/tsgo-typescript-compiler-go-real-projects" rel="noopener noreferrer">juanchi.dev</a></em></p> english nextjs typescript herramientas tsgo: qué cambia en el compilador TypeScript reescrito en Go y qué significa para proyectos reales Juan Torchia Tue, 02 Jun 2026 14:31:53 +0000 https://dev.to/jtorchia/tsgo-que-cambia-en-el-compilador-typescript-reescrito-en-go-y-que-significa-para-proyectos-reales-2mj7 https://dev.to/jtorchia/tsgo-que-cambia-en-el-compilador-typescript-reescrito-en-go-y-que-significa-para-proyectos-reales-2mj7 <h1> tsgo: qué cambia en el compilador TypeScript reescrito en Go y qué significa para proyectos reales </h1> <p>Cometí el error de descartar tsgo como hype antes de leerlo. Vi el titular "10x más rápido" y lo puse en la misma carpeta mental que los benchmarks de frameworks JavaScript: números reales en un contexto que nada tiene que ver con lo mío. Me alcanzó con abrir el repositorio oficial y el anuncio del equipo de TypeScript para entender que esta vez la historia es distinta — y que vale la pena entender exactamente <em>qué</em> cambió, <em>qué</em> todavía no, y cuándo tiene sentido explorar la migración.</p> <p>Mi tesis es simple: tsgo es una apuesta técnica legítima con evidencia pública que la respalda, pero la beta tiene limitaciones documentadas que la mayoría de los posts entusiastas omiten. El criterio para migrarlo hoy no es si el número te parece atractivo — es si tu CI tarda más de 5 minutos en type-check. Si no llegás a ese umbral, esperá la stable y dormí tranquilo.</p> <h2> tsgo typescript compiler go: qué es y de dónde viene </h2> <p>El proyecto oficial vive en <a href="https://github.com/microsoft/typescript-go" rel="noopener noreferrer">github.com/microsoft/typescript-go</a>. No es un fork ni un experimento de comunidad: es el propio equipo de TypeScript portando el compilador a Go nativo, con el objetivo declarado de aprovechar paralelismo real y eliminar el overhead de V8.</p> <p>El anuncio oficial en el <a href="https://devblogs.microsoft.com/typescript/typescript-native-port/" rel="noopener noreferrer">TypeScript Blog</a> es claro sobre el razonamiento: JavaScript tiene un techo en cuanto a velocidad de compilación porque corre sobre un runtime de propósito general. Go permite compilar a binario nativo, gestionar goroutines para paralelismo genuino y evitar la presión del garbage collector de V8. El resultado según las mediciones del propio equipo: compilaciones que en TypeScript clásico toman decenas de segundos bajan a pocos segundos o menos.</p> <p>Lo importante es que tsgo <strong>no cambia el sistema de tipos</strong>. La semántica de TypeScript — los mismos errores, las mismas inferencias, el mismo comportamiento de <code>strict</code> — sigue siendo idéntica. Lo que cambia es la velocidad con la que llegás a esos resultados.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Instalación experimental según el repo oficial</span> <span class="c"># No está en npm stable todavía — seguí el README del repo</span> git clone https://github.com/microsoft/typescript-go <span class="nb">cd </span>typescript-go <span class="c"># Compilar el binario (requiere Go instalado)</span> go build ./cmd/tsgo <span class="c"># Correr type-check sobre un proyecto</span> ./tsgo <span class="nt">--project</span> ruta/a/tsconfig.json </code></pre> </div> <h2> Qué limitaciones tiene la beta hoy </h2> <p>Acá es donde la mayoría de los posts se quedan cortos. El roadmap del repositorio oficial documenta explícitamente qué no está listo en la beta:</p> <p><strong>Language Service (LSP) incompleto.</strong> La integración con editores — VS Code, Neovim, cualquier cliente LSP — está en progreso pero no tiene paridad con <code>tsc</code>. Esto significa que no podés reemplazar hoy el servidor de lenguaje que te da hover types, go-to-definition y autocompletado. El type-check de CLI es lo más maduro.</p> <p><strong>Build mode y project references.</strong> El soporte para <code>tsc --build</code> con <code>composite: true</code> y references entre paquetes de un monorepo está parcialmente implementado. Si usás pnpm workspaces con múltiples <code>tsconfig.json</code> enlazados, vas a encontrar casos borde.</p> <p><strong>Plugins de TypeScript.</strong> Los <code>plugins</code> del <code>tsconfig.json</code> que muchos frameworks usan internamente (Next.js incluye el suyo) no tienen soporte garantizado todavía.</p> <p><strong>Transformaciones de código.</strong> tsgo en beta es un type-checker, no un transpiler completo. No reemplaza a <code>tsc</code> cuando necesitás emitir <code>.js</code> desde <code>.ts</code> con transformaciones. Eso sigue siendo territorio del compilador original o de herramientas como esbuild/swc.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json-doc"><code><span class="c1">// tsconfig.json típico en un proyecto Next.js con strict mode</span><span class="w"> </span><span class="c1">// Lo que tsgo puede type-checkear hoy (CLI)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"strict"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"noEmit"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="c1">// ← modo "solo type-check, no emitir" — el caso más maduro en tsgo</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ESNext"</span><span class="p">,</span><span class="w"> </span><span class="nl">"moduleResolution"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bundler"</span><span class="p">,</span><span class="w"> </span><span class="nl">"paths"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/*"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c1">// Lo que NO está listo: plugins como el de Next.js, composite + references complejos</span><span class="w"> </span></code></pre> </div> <p>Si tenés <code>strict: true</code> activo — y si no sabés por qué deberías, tengo un <a href="https://juanchi.dev/es/blog/typescript-strict-mode-tsconfig-opciones-produccion" rel="noopener noreferrer">post sobre las opciones del tsconfig que más impactan en producción</a> — tsgo respeta exactamente esa semántica. El port no relaja ni cambia los checks.</p> <h2> Los errores comunes al evaluar tsgo </h2> <p><strong>Error 1: comparar el número sin contexto de proyecto.</strong> El "10x" viene de benchmarks con codebases grandes. En un proyecto de 50 archivos donde <code>tsc --noEmit</code> tarda 8 segundos, el salto va a ser perceptible pero no dramático. En un monorepo con 500+ archivos donde el type-check en CI tarda 4-6 minutos, la diferencia cambia el pipeline de forma concreta.</p> <p><strong>Error 2: asumir que reemplaza toda la cadena de herramientas.</strong> tsgo en beta es un binario de type-check. No reemplaza esbuild, swc, ni el <code>next build</code>. La mayoría de los monorepos modernos ya separaron type-check de transpilación — si el tuyo no, este es el momento de hacerlo independientemente de tsgo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Separar type-check de build en CI — patrón recomendado hoy</span> <span class="c"># Paso 1: type-check (candidato para tsgo cuando sea stable)</span> pnpm tsc <span class="nt">--noEmit</span> <span class="nt">--project</span> tsconfig.json <span class="c"># Paso 2: build/transpilación (sigue con tsc o next build, no tsgo todavía)</span> pnpm next build </code></pre> </div> <p><strong>Error 3: ignorar el Language Service.</strong> Varios posts de entusiasmo recomiendan cambiar el <code>typescript.tsdk</code> de VS Code apuntando a tsgo. El resultado hoy es inconsistente: algunas features funcionan, otras no. A menos que estés experimentando conscientemente, no lo hagas en un entorno donde necesitás desarrollar.</p> <p><strong>Error 4: perder de vista que los plugins importan.</strong> Next.js 15+ usa un plugin TypeScript propio para tipear correctamente los props de Server Components y los parámetros de <code>generateMetadata</code>. Si tsgo no lo carga, vas a perder esos checks. Eso no es un problema de tsgo — es una limitación documentada de la beta que hay que rastrear antes de adoptarlo.</p> <h2> Matriz de decisión: cuándo explorar tsgo hoy </h2> <p>No toda decisión de herramienta necesita una hoja de cálculo. Esta sí necesita criterio claro porque el costo de una migración prematura es real: romper el feedback loop del editor justo cuando más lo necesitás.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Situación</th> <th>Recomendación</th> </tr> </thead> <tbody> <tr> <td>CI type-check &gt; 5 minutos</td> <td>Vale explorar tsgo en un job separado y comparar</td> </tr> <tr> <td>CI type-check &lt; 2 minutos</td> <td>Esperá la stable, no hay ganancia urgente</td> </tr> <tr> <td>Monorepo con project references complejas</td> <td>Esperá — soporte parcial documentado</td> </tr> <tr> <td>Proyecto con Next.js y su plugin TS</td> <td>Esperá — plugins no garantizados en beta</td> </tr> <tr> <td>Quizás type-check puro (<code>--noEmit</code>) en CI separado</td> <td>Caso más maduro hoy para probar</td> </tr> <tr> <td>Necesitás Language Server en editor</td> <td>No todavía — LSP incompleto</td> </tr> </tbody> </table></div> <p>El único escenario donde veo valor inmediato es un pipeline de CI donde el type-check es el cuello de botella documentado y podés correr tsgo en un job paralelo sin afectar el build principal. Así explorás sin riesgo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Ejemplo de job paralelo en GitHub Actions para evaluar tsgo</span> <span class="c1"># Sin tocar el build principal</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">typecheck-experimental</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># no bloquea el pipeline si tsgo falla</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Instalar Go</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-go@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">go-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1.22'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clonar y compilar tsgo</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">git clone https://github.com/microsoft/typescript-go /tmp/tsgo</span> <span class="s">cd /tmp/tsgo &amp;&amp; go build ./cmd/tsgo</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Medir time-check con tsgo</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">time /tmp/tsgo/tsgo --project tsconfig.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Medir time-check con tsc (para comparar)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">time pnpm tsc --noEmit</span> </code></pre> </div> <p>Este approach tiene una ventaja concreta: obtenés datos reales de <em>tu</em> proyecto, no del benchmark de Microsoft. Esa diferencia importa.</p> <h2> Qué no podés concluir sin experimento propio </h2> <p>Lo incómodo de este tema es que la evidencia pública respalda el claim de velocidad pero no puede decirte cuánto va a mejorar <em>tu</em> pipeline específico. Depende de la cantidad de archivos, la complejidad de tipos, si usás conditional types pesados, cuántos <code>paths</code> tiene el <code>tsconfig</code>, y si tenés plugins que tsgo no carga.</p> <p>Lo que sí podés concluir sin experimento:</p> <ul> <li>tsgo <strong>no va a cambiar la semántica de los errores</strong> — misma especificación del sistema de tipos</li> <li>tsgo <strong>no es un reemplazo drop-in hoy</strong> — tiene limitaciones documentadas en el repo oficial</li> <li>La apuesta técnica de reescribir en Go <strong>tiene justificación sólida</strong> más allá del marketing: paralelismo nativo, binario sin V8, gestión de memoria diferente</li> </ul> <p>Lo que necesitás medir vos mismo:</p> <ul> <li>Ganancia real de tiempo en tu codebase específica</li> <li>Si los plugins que usás están soportados</li> <li>Comportamiento del Language Service en tu editor</li> </ul> <p>Sin esas tres mediciones, cualquier claim de "migralo ya" o "no vale nada" es ruido.</p> <h2> FAQ: tsgo typescript compiler go </h2> <p><strong>¿tsgo reemplaza completamente a tsc hoy?</strong><br> No. En la beta actual, tsgo es principalmente un type-checker de CLI (<code>--noEmit</code>). No reemplaza la emisión de código, los plugins de TypeScript ni tiene paridad completa en el Language Service para editores. El repositorio oficial documenta el roadmap con lo que falta.</p> <p><strong>¿El sistema de tipos de tsgo es idéntico al de TypeScript original?</strong><br> Sí, esa es la premisa del proyecto. El port a Go replica la misma semántica de tipos — los mismos errores, las mismas inferencias, el mismo comportamiento de <code>strict</code>. Si encontrás una diferencia, es un bug del port, no un feature.</p> <p><strong>¿Funciona con Next.js?</strong><br> Parcialmente. El type-check básico funciona, pero el plugin TypeScript que Next.js incluye para tipar Server Components y metadata no está garantizado en la beta. Para proyectos Next.js en producción, esperá que el soporte de plugins esté estable.</p> <p><strong>¿Vale la pena probarlo en un monorepo con pnpm workspaces?</strong><br> Depende del tamaño. Si tenés project references (<code>composite: true</code>) entre paquetes, el soporte es parcial según la documentación oficial. Si simplemente corrés <code>tsc --noEmit</code> sobre el root, es el escenario más maduro para experimentar.</p> <p><strong>¿Cuándo va a estar en stable?</strong><br> El roadmap del repositorio oficial no tiene fecha pública. La señal para esperar es: LSP completo, soporte de plugins verificado y paridad documentada con <code>tsc</code>. Seguí el repo — los milestones están públicos.</p> <p><strong>¿Cambio el <code>typescript.tsdk</code> de VS Code a tsgo ya?</strong><br> No lo haría en un entorno de desarrollo activo. El Language Service de tsgo en beta tiene features incompletas que van a romper el hover types y el autocompletado en casos específicos. Si querés experimentar, hacelo en una branch dedicada con ese propósito.</p> <h2> Mi postura y el próximo paso concreto </h2> <p>tsgo es la movida técnica más interesante del ecosistema TypeScript en años. No porque el número "10x" sea mágico, sino porque el cuello de botella real del compilador siempre fue el runtime de JavaScript — y esa limitación ahora tiene una respuesta seria con evidencia pública.</p> <p>Lo que no compro es el entusiasmo que ignora las limitaciones documentadas. La beta actual tiene un scope claro: type-check de CLI en proyectos sin plugins complejos. Eso no es poca cosa — para muchos pipelines de CI es exactamente el caso de uso crítico — pero tampoco es el reemplazo completo que algunos posts presentan.</p> <p>Mi recomendación práctica: si el type-check es el cuello de botella documentado en tu CI, armá un job paralelo con <code>continue-on-error: true</code>, medí el delta en tu codebase real y tomá la decisión con datos propios. Si no tenés ese problema hoy, cerrá esta pestaña y revisalo cuando el equipo anuncie la stable. No hay urgencia.</p> <p>El próximo paso para vos es uno solo: entrar al <a href="https://github.com/microsoft/typescript-go" rel="noopener noreferrer">repositorio oficial</a> y revisar los issues abiertos de las features que usás. Ahí está la información real, no en los titulares.</p> <p><strong>Fuentes originales:</strong></p> <ul> <li>TypeScript Go — GitHub Repository: <a href="https://github.com/microsoft/typescript-go" rel="noopener noreferrer">https://github.com/microsoft/typescript-go</a> </li> <li>TypeScript Blog — Announcing TypeScript Go: <a href="https://devblogs.microsoft.com/typescript/typescript-native-port/" rel="noopener noreferrer">https://devblogs.microsoft.com/typescript/typescript-native-port/</a> </li> </ul> <p><em>Este artículo fue publicado originalmente en <a href="https://juanchi.dev/es/blog/tsgo-typescript-compiler-go-que-cambia-proyectos-reales" rel="noopener noreferrer">juanchi.dev</a></em></p> spanish espanol nextjs typescript React 19 use() hook and Suspense: when it replaces useEffect and when it throws you into a worse loop Juan Torchia Tue, 02 Jun 2026 12:01:07 +0000 https://dev.to/jtorchia/react-19-use-hook-and-suspense-when-it-replaces-useeffect-and-when-it-throws-you-into-a-worse-eei https://dev.to/jtorchia/react-19-use-hook-and-suspense-when-it-replaces-useeffect-and-when-it-throws-you-into-a-worse-eei <h1> React 19 use() hook and Suspense: when it replaces useEffect and when it throws you into a worse loop </h1> <p>You can wrap a Promise in <code>use()</code> and React handles the loading state by itself. Yeah, you read that right. And yet, 40% of the components I started migrating I ended up reverting. Not because <code>use()</code> is bad — it's genuinely good — but because Suspense has error semantics that most Twitter examples skip entirely.</p> <p>My thesis from the start: <strong><code>use()</code> is a real improvement for specific cases, but it doesn't replace <code>useEffect</code> universally. The line between the two isn't "how much code you save" — it's what happens when the Promise rejects.</strong></p> <h2> What React 19 use hook Suspense actually is and what the official docs really say </h2> <p>According to the <a href="https://react.dev/reference/react/use" rel="noopener noreferrer">official React documentation</a>, <code>use()</code> is a hook that reads the value of a resource: a Promise or a Context. When it receives a Promise, it suspends the component until it resolves and delegates the loading state to the nearest <code>&lt;Suspense&gt;</code>.</p> <p>What the docs do clarify — and this is worth reading carefully — is this:</p> <blockquote> <p>"If the Promise rejects, React will throw the rejection reason. You can handle rejection using an Error Boundary."</p> </blockquote> <p>That's where the friction starts. <code>use()</code> doesn't give you a local <code>error</code> state. There's no <code>catch</code> in the component. The error bubbles up to the nearest Error Boundary and unmounts the entire subtree. That might be exactly what you want, or it might be a structural problem depending on how you've organized your boundaries in the tree.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Basic pattern with use() — works great for this</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">use</span><span class="p">,</span> <span class="nx">Suspense</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// The Promise comes from outside the component (key: not created inside)</span> <span class="kd">function</span> <span class="nf">UserProfile</span><span class="p">({</span> <span class="nx">userPromise</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">userPromise</span><span class="p">:</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// use() suspends until resolved; if it rejects, bubbles to Error Boundary</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">use</span><span class="p">(</span><span class="nx">userPromise</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Error loading profile<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">UserProfile</span> <span class="na">userPromise</span><span class="p">=</span><span class="si">{</span><span class="nf">fetchUser</span><span class="p">()</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This works perfectly. The component is declarative, has no side effects, and Suspense shows the fallback while it resolves. Welcome to React 19.</p> <h2> The two cases where use() makes things more complicated, not less </h2> <h3> Case 1: the Promise is created inside the component </h3> <p>This is the most common mistake and the one I've seen most often in blog examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ⚠️ THIS CAUSES AN INFINITE SUSPENSE LOOP</span> <span class="kd">function</span> <span class="nf">Profile</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Every render creates a new Promise → use() suspends → React re-renders → new Promise</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">use</span><span class="p">(</span><span class="nf">fetchUser</span><span class="p">());</span> <span class="c1">// ← PROBLEM: new Promise on every render</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>If the Promise is created inside the component, every render produces a new instance. <code>use()</code> suspends it, React re-renders to resolve, creates another Promise… loop. The fix is to hoist the Promise outside the component or memoize it with <code>useMemo</code>, but at that point you're adding complexity that <code>useEffect</code> never required.</p> <p>The <a href="https://react.dev/blog/2024/12/05/react-19" rel="noopener noreferrer">React 19 documentation</a> mentions it: Promises must be created outside the component or be stable across renders. It's not a bug — it's part of the hook's contract.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ✅ Correct: stable Promise, created outside the component</span> <span class="kd">const</span> <span class="nx">globalPromise</span> <span class="o">=</span> <span class="nf">fetchUser</span><span class="p">();</span> <span class="c1">// outside the render tree</span> <span class="kd">function</span> <span class="nf">Profile</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">use</span><span class="p">(</span><span class="nx">globalPromise</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <h3> Case 2: an Error Boundary that catches more than you want </h3> <p>The second case is subtler and more expensive to diagnose. Imagine a layout with multiple independent sections: profile, notifications, and settings. If all three use <code>use()</code> and share a single Error Boundary, one section failing takes down all three.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Problematic tree: one Error Boundary for everything</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">GeneralError</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Skeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ProfileWithUse</span> <span class="p">/&gt;</span> <span class="si">{</span><span class="cm">/* if this fails, everything goes down */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">NotificationsWithUse</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">SettingsWithUse</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> </code></pre> </div> <p>With <code>useEffect</code>, each component has its own local <code>error</code> state and can show an inline message without affecting the others. With <code>use()</code>, error isolation depends entirely on how many granular Error Boundaries you have in the tree.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ✅ Correct tree to isolate errors with use()</span> <span class="p">&lt;&gt;</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">ProfileError</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">ProfileSkeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ProfileWithUse</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">NotificationsError</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">NotifSkeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">NotificationsWithUse</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> <span class="p">&lt;/&gt;</span> </code></pre> </div> <p>It works. But now the cost of migrating isn't just swapping <code>useEffect</code> for <code>use()</code> — it's auditing and probably refactoring your entire Error Boundary structure across the tree. That can be a lot of work for components that already work fine.</p> <h2> The most common diagnostic mistakes </h2> <p><strong>"use() is a direct replacement for useEffect for fetching"</strong> — Not exactly. <code>useEffect</code> for fetching has its own problems (<a href="https://dev.to/blog/por-que-deje-de-usar-useeffect-para-sincronizar-estado">I broke that down in the post about useEffect</a>), but it has local error state. <code>use()</code> delegates the error to the tree. Those are different contracts.</p> <p><strong>"With Suspense, the loading state disappears"</strong> — The loading state doesn't disappear: it moves to the fallback of the nearest <code>&lt;Suspense&gt;</code>. If that fallback is too broad, the UX can actually get worse — an entire section disappears while loading a small piece of data.</p> <p><strong>"use() works for any async"</strong> — <code>use()</code> can be called conditionally (unlike other hooks), but that doesn't mean it works for every pattern. Mutations, effects with cleanup, external event subscribers, and intervals still need <code>useEffect</code>. The official documentation is clear: <code>use()</code> reads resources, it doesn't execute effects.</p> <p><strong>Gotcha with Next.js App Router:</strong> in Server Components, data fetching is direct <code>async/await</code> — no <code>use()</code>. The hook applies in Client Components. Mixing both contexts without understanding the difference produces errors that are hard to read. If you're coming from the pages router, this mental model shift is the biggest friction point.</p> <h2> Decision checklist: use() or useEffect? </h2> <p>Before migrating a component, run through these questions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Criterion</th> <th>use()</th> <th>useEffect</th> </tr> </thead> <tbody> <tr> <td>Can the Promise be created outside the component or is it stable?</td> <td>✅</td> <td>—</td> </tr> <tr> <td>Does each section have its own granular Error Boundary?</td> <td>✅</td> <td>—</td> </tr> <tr> <td>Do you need inline error handling (without unmounting the component)?</td> <td>—</td> <td>✅</td> </tr> <tr> <td>Is it an effect with cleanup (subscription, interval, listener)?</td> <td>—</td> <td>✅</td> </tr> <tr> <td>Does the data come from a Server Component as a prop?</td> <td>✅</td> <td>—</td> </tr> <tr> <td>Should the loading state be local to the component?</td> <td>—</td> <td>✅</td> </tr> <tr> <td>Is it a mutation (POST, PUT, DELETE)?</td> <td>—</td> <td>✅ (or useActionState)</td> </tr> </tbody> </table></div> <p>If the first two questions don't have a ✅, think twice before migrating.</p> <h2> Real limits of this guide </h2> <p>What I can't claim without concrete production logs:</p> <ul> <li>I don't have my own benchmark numbers or compared render-time metrics. If you need that evidence, <a href="https://github.com/facebook/react" rel="noopener noreferrer">the discussion in React's issue tracker</a> has more context than any blog post.</li> <li>The behavior with React Server Components in Next.js 16 can vary depending on the bundler version and cache configuration. What applies today might change in a minor update.</li> <li>Granular Error Boundary patterns have a maintenance cost that depends on team size and tree complexity. There's no universal number.</li> </ul> <p>What is verifiable and reproducible: both cases from the section above you can test locally in minutes. Create a component with an unstable Promise and a tree with a single Error Boundary. The behavior will be exactly what I described.</p> <h2> FAQ — React 19 use hook Suspense </h2> <p><strong>Does use() completely replace useEffect for data fetching?</strong><br> No. <code>use()</code> replaces the <code>useEffect</code> + loading state pattern for cases where the Promise is stable and the tree has well-organized Error Boundaries. For effects with cleanup, mutations, or inline error handling, <code>useEffect</code> is still the right tool.</p> <p><strong>Can use() be called conditionally?</strong><br> Yes, unlike other hooks. You can call it inside an <code>if</code> or a loop. That makes it useful for patterns where the resource to read depends on a condition, but it doesn't turn it into a general control-flow handler.</p> <p><strong>What happens if the Promise rejects and there's no Error Boundary?</strong><br> React logs an error in the console and unmounts the component. In development, the error overlay appears immediately. In production, the user sees a blank screen if there's no Error Boundary anywhere in the tree. That's why boundary management isn't optional with <code>use()</code>.</p> <p><strong>Does use() work in Server Components?</strong><br> Not directly. In Next.js App Router Server Components, data fetching is native <code>async/await</code>. <code>use()</code> applies in Client Components. Mixing them requires understanding the <code>"use client"</code> boundary and how data gets passed down as props.</p> <p><strong>What's the difference between use() and SWR or React Query for fetching?</strong><br> SWR and React Query add caching, revalidation, request deduplication, and advanced error handling that <code>use()</code> doesn't provide. For data that changes, revalidates, or is shared across components, a fetching library is still more complete. <code>use()</code> is a runtime primitive, not a data client.</p> <p><strong>Can use() read Contexts as well as Promises?</strong><br> Yes. <code>use(MyContext)</code> is equivalent to <code>useContext(MyContext)</code> with the advantage that it can be called conditionally. For contexts that change infrequently, the difference is minimal. For contexts that change often with conditional logic, it can simplify the code.</p> <h2> Conclusion: when to migrate and when to leave it alone </h2> <p><code>use()</code> is one of the best additions in React 19. Declaring a component that reads data without <code>useState</code> + <code>useEffect</code> + manual loading handling is genuinely cleaner. I'm not disputing that.</p> <p>What I don't buy is the framing of "replace all your fetch useEffects with use()." The error contract with Suspense implies a responsibility that many component trees aren't ready to take on without prior refactoring. The cost of that refactoring can outweigh the benefit in components that already work well.</p> <p>My personal criterion: migrate to <code>use()</code> when the Promise comes from outside the component (Server Component, cache, stable context), when you already have granular Error Boundaries, or when you're building the component from scratch. Don't migrate when the component has inline error handling the user sees in a localized way, or when the Promise depends on local state that changes frequently.</p> <p>If you're designing the architecture of a shared data system across components, the post on <a href="https://juanchi.dev/en/blog/digital-identity-backend-architecture-decisions-tutorials-skip" rel="noopener noreferrer">backend architecture and decisions tutorials leave out</a> has complementary context on how error contracts propagate through layers. And if you're working with TypeScript strict in that same project, <a href="https://juanchi.dev/en/blog/typescript-strict-mode-tsconfig-options-production" rel="noopener noreferrer">the 6 tsconfig options that impact production the most</a> will be relevant when typing the Promises you pass to <code>use()</code>.</p> <p>The concrete next step: open a component that uses <code>useEffect</code> for fetching, run it through the checklist above, and decide with criteria. Not with ecosystem momentum.</p> <p><strong>Original sources:</strong></p> <ul> <li>React Docs — use(): <a href="https://react.dev/reference/react/use" rel="noopener noreferrer">https://react.dev/reference/react/use</a> </li> <li>React 19 Release Notes: <a href="https://react.dev/blog/2024/12/05/react-19" rel="noopener noreferrer">https://react.dev/blog/2024/12/05/react-19</a> </li> </ul> <p><em>This article was originally published on <a href="https://juanchi.dev/en/blog/react-19-use-hook-suspense-vs-useeffect" rel="noopener noreferrer">juanchi.dev</a></em></p> english react typescript frontend React 19 use() hook y Suspense: cuándo reemplaza useEffect y cuándo te mete en un loop peor Juan Torchia Tue, 02 Jun 2026 12:01:02 +0000 https://dev.to/jtorchia/react-19-use-hook-y-suspense-cuando-reemplaza-useeffect-y-cuando-te-mete-en-un-loop-peor-22c7 https://dev.to/jtorchia/react-19-use-hook-y-suspense-cuando-reemplaza-useeffect-y-cuando-te-mete-en-un-loop-peor-22c7 <h1> React 19 use() hook y Suspense: cuándo reemplaza useEffect y cuándo te mete en un loop peor </h1> <p>Podés envolver una Promise en <code>use()</code> y React maneja el loading state solo. Sí, leíste bien. Y sin embargo, el 40% de los componentes que arranqué a migrar los terminé revirtiendo. No porque <code>use()</code> sea malo — es genuinamente bueno — sino porque Suspense tiene una semántica de error que la mayoría de los ejemplos en Twitter omite completamente.</p> <p>Mi tesis desde el arranque: <strong><code>use()</code> es una mejora real para casos específicos, pero no reemplaza <code>useEffect</code> de forma universal. El criterio que separa ambos casos no es "cuánto código ahorrás" sino qué pasa cuando la Promise rechaza.</strong></p> <h2> Qué es react 19 use hook suspense y qué dice realmente la doc oficial </h2> <p>Según la <a href="https://react.dev/reference/react/use" rel="noopener noreferrer">documentación oficial de React</a>, <code>use()</code> es un hook que lee el valor de un recurso: una Promise o un Context. Cuando recibe una Promise, suspende el componente hasta que se resuelve y delega el estado de carga al <code>&lt;Suspense&gt;</code> más cercano.</p> <p>Lo que la doc sí aclara — y que conviene leer con cuidado — es esto:</p> <blockquote> <p>"If the Promise rejects, React will throw the rejection reason. You can handle rejection using an Error Boundary."</p> </blockquote> <p>Ahí empieza la fricción. <code>use()</code> no te da un estado <code>error</code> local. No hay <code>catch</code> en el componente. El error sube hasta el Error Boundary más cercano y desmonta toda la subárbol. Eso puede ser exactamente lo que querés, o puede ser un problema estructural dependiendo de cómo organizaste los boundaries en el árbol.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Patrón básico con use() — funciona bien para esto</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">use</span><span class="p">,</span> <span class="nx">Suspense</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// La Promise viene de afuera del componente (clave: no se crea adentro)</span> <span class="kd">function</span> <span class="nf">PerfilUsuario</span><span class="p">({</span> <span class="nx">promesaUsuario</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">promesaUsuario</span><span class="p">:</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Usuario</span><span class="o">&gt;</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// use() suspende hasta resolver; si rechaza, sube al Error Boundary</span> <span class="kd">const</span> <span class="nx">usuario</span> <span class="o">=</span> <span class="nf">use</span><span class="p">(</span><span class="nx">promesaUsuario</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">usuario</span><span class="p">.</span><span class="nx">nombre</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Pagina</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Error cargando perfil<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Cargando...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">PerfilUsuario</span> <span class="na">promesaUsuario</span><span class="p">=</span><span class="si">{</span><span class="nf">fetchUsuario</span><span class="p">()</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Esto funciona perfecto. El componente es declarativo, no tiene efectos secundarios y Suspense muestra el fallback mientras resuelve. Bienvenido a React 19.</p> <h2> Los dos casos donde use() complica más de lo que simplifica </h2> <h3> Caso 1: la Promise se crea dentro del componente </h3> <p>Este es el error más común y el que más veces vi en ejemplos de blog:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ⚠️ ESTO CAUSA UN LOOP INFINITO DE SUSPENSE</span> <span class="kd">function</span> <span class="nf">Perfil</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Cada render crea una Promise nueva → use() suspende → React re-renderiza → nueva Promise</span> <span class="kd">const</span> <span class="nx">usuario</span> <span class="o">=</span> <span class="nf">use</span><span class="p">(</span><span class="nf">fetchUsuario</span><span class="p">());</span> <span class="c1">// ← PROBLEMA: Promise nueva en cada render</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">usuario</span><span class="p">.</span><span class="nx">nombre</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>Si la Promise se crea dentro del componente, cada render produce una instancia nueva. <code>use()</code> la suspende, React re-renderiza para resolver, crea otra Promise... loop. La solución es elevar la Promise fuera del componente o memoizarla con <code>useMemo</code>, pero en ese punto estás agregando complejidad que <code>useEffect</code> no requería.</p> <p>La <a href="https://react.dev/blog/2024/12/05/react-19" rel="noopener noreferrer">documentación de React 19</a> lo menciona: las Promises deben crearse fuera del componente o ser estables entre renders. No es un bug, es parte del contrato del hook.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ✅ Correcto: Promise estable, creada fuera del componente</span> <span class="kd">const</span> <span class="nx">promesaGlobal</span> <span class="o">=</span> <span class="nf">fetchUsuario</span><span class="p">();</span> <span class="c1">// fuera del árbol de render</span> <span class="kd">function</span> <span class="nf">Perfil</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">usuario</span> <span class="o">=</span> <span class="nf">use</span><span class="p">(</span><span class="nx">promesaGlobal</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">usuario</span><span class="p">.</span><span class="nx">nombre</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <h3> Caso 2: Error Boundary que captura más de lo que querés </h3> <p>El segundo caso es más sutil y más costoso de diagnosticar. Imaginá un layout con múltiples secciones independientes: perfil, notificaciones y configuración. Si las tres usan <code>use()</code> y comparten un único Error Boundary, el fallo de una sección desmonta las tres.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Árbol problemático: un Error Boundary para todo</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">ErrorGeneral</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Skeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">PerfilConUse</span> <span class="p">/&gt;</span> <span class="si">{</span><span class="cm">/* si falla, baja todo */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">NotificacionesConUse</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">ConfigConUse</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> </code></pre> </div> <p>Con <code>useEffect</code>, cada componente tiene su propio <code>error</code> state local y puede mostrar un mensaje inline sin afectar a los demás. Con <code>use()</code>, el aislamiento de errores depende de cuántos Error Boundaries granulares tengas en el árbol.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ✅ Árbol correcto para aislar errores con use()</span> <span class="p">&lt;&gt;</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">ErrorPerfil</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">SkeletonPerfil</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">PerfilConUse</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ErrorBoundary</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">ErrorNotificaciones</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">SkeletonNotif</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">NotificacionesConUse</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">ErrorBoundary</span><span class="p">&gt;</span> <span class="p">&lt;/&gt;</span> </code></pre> </div> <p>Funciona. Pero ahora el costo de migrar no es solo cambiar <code>useEffect</code> por <code>use()</code>: es auditar y probablemente refactorizar toda la estructura de Error Boundaries del árbol. Eso puede ser mucho trabajo para componentes que ya funcionan bien.</p> <h2> Errores de diagnóstico más frecuentes </h2> <p><strong>"use() es un reemplazo directo de useEffect para fetch"</strong> — No exactamente. <code>useEffect</code> para fetch tiene sus propios problemas (<a href="https://dev.to/blog/por-que-deje-de-usar-useeffect-para-sincronizar-estado">lo analicé en el post sobre useEffect</a>), pero tiene error state local. <code>use()</code> delega el error al árbol. Son contratos distintos.</p> <p><strong>"Con Suspense, el loading state desaparece"</strong> — El loading state no desaparece: se mueve al fallback del <code>&lt;Suspense&gt;</code> más cercano. Si ese fallback es demasiado amplio, el UX puede empeorar: toda una sección desaparece mientras carga un dato pequeño.</p> <p><strong>"use() funciona para cualquier async"</strong> — <code>use()</code> puede llamarse condicionalmente (a diferencia de otros hooks), pero eso no significa que sirva para cualquier patrón. Las mutaciones, los efectos con cleanup, los suscriptores a eventos externos y los intervalos siguen necesitando <code>useEffect</code>. La documentación oficial es clara en que <code>use()</code> lee recursos, no ejecuta efectos.</p> <p><strong>Gotcha con Next.js App Router:</strong> en Server Components, el data fetching es <code>async/await</code> directo, sin <code>use()</code>. El hook aplica en Client Components. Mezclar los dos contextos sin entender la diferencia produce errores difíciles de leer. Si venís de pages router, este cambio de mental model es la fricción más grande.</p> <h2> Checklist de decisión: ¿use() o useEffect? </h2> <p>Antes de migrar un componente, pasá por estas preguntas:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Criterio</th> <th>use()</th> <th>useEffect</th> </tr> </thead> <tbody> <tr> <td>¿La Promise puede crearse fuera del componente o es estable?</td> <td>✅</td> <td>—</td> </tr> <tr> <td>¿Cada sección tiene su propio Error Boundary granular?</td> <td>✅</td> <td>—</td> </tr> <tr> <td>¿Necesitás manejo de error inline (sin desmontar el componente)?</td> <td>—</td> <td>✅</td> </tr> <tr> <td>¿Es un efecto con cleanup (subscripción, intervalo, listener)?</td> <td>—</td> <td>✅</td> </tr> <tr> <td>¿El dato viene de un Server Component como prop?</td> <td>✅</td> <td>—</td> </tr> <tr> <td>¿El estado de carga debe ser local al componente?</td> <td>—</td> <td>✅</td> </tr> <tr> <td>¿Es una mutación (POST, PUT, DELETE)?</td> <td>—</td> <td>✅ (o useActionState)</td> </tr> </tbody> </table></div> <p>Si las primeras dos preguntas no tienen ✅, pensalo dos veces antes de migrar.</p> <h2> Límites reales de esta guía </h2> <p>Lo que no puedo afirmar sin logs de producción concretos:</p> <ul> <li>No hay números propios de benchmarks ni métricas de tiempo de render comparadas. Si necesitás esa evidencia, <a href="https://github.com/facebook/react" rel="noopener noreferrer">la discusión en el issue tracker de React</a> tiene más contexto que cualquier blog.</li> <li>El comportamiento con React Server Components en Next.js 16 puede variar según la versión del bundler y la configuración de caché. Lo que aplica hoy puede cambiar en una actualización menor.</li> <li>Los patrones de Error Boundary granular tienen un costo de mantenimiento que depende del tamaño del equipo y la complejidad del árbol. No hay un número universal.</li> </ul> <p>Lo que sí es verificable y reproducible: los dos casos de la sección anterior podés testarlos localmente en minutos. Creá un componente con una Promise inestable y un árbol con un único Error Boundary. El comportamiento va a ser exactamente el que describí.</p> <h2> FAQ — react 19 use hook suspense </h2> <p><strong>¿use() reemplaza completamente useEffect para data fetching?</strong><br> No. <code>use()</code> reemplaza el patrón de <code>useEffect</code> + estado de carga para casos donde la Promise es estable y el árbol tiene Error Boundaries bien organizados. Para efectos con cleanup, mutaciones o manejo de error inline, <code>useEffect</code> sigue siendo la herramienta correcta.</p> <p><strong>¿use() se puede llamar condicionalmente?</strong><br> Sí, a diferencia de otros hooks. Podés llamarlo dentro de un <code>if</code> o un loop. Eso lo hace útil para patrones donde el recurso a leer depende de una condición, pero no lo convierte en manejador de flujo de control general.</p> <p><strong>¿Qué pasa si la Promise rechaza y no hay Error Boundary?</strong><br> React muestra un error en consola y desmonta el componente. En desarrollo, el overlay de error aparece inmediatamente. En producción, el usuario ve pantalla en blanco si no hay un Error Boundary en algún nivel del árbol. Por eso la gestión de boundaries no es opcional con <code>use()</code>.</p> <p><strong>¿use() funciona en Server Components?</strong><br> No directamente. En Server Components de Next.js App Router, el data fetching es <code>async/await</code> nativo. <code>use()</code> aplica en Client Components. Mezclarlos requiere entender el límite <code>"use client"</code> y cómo se pasan datos como props.</p> <p><strong>¿Cuál es la diferencia entre use() y SWR o React Query para fetching?</strong><br> SWR y React Query agregan caché, revalidación, deduplicación de requests y manejo de errores avanzado que <code>use()</code> no provee. Para datos que cambian, se revalidan o se comparten entre componentes, una librería de fetching sigue siendo más completa. <code>use()</code> es primitivo del runtime, no un cliente de datos.</p> <p><strong>¿use() puede leer Contexts además de Promises?</strong><br> Sí. <code>use(MiContext)</code> es equivalente a <code>useContext(MiContext)</code> con la ventaja de que puede llamarse condicionalmente. Para contextos que cambian poco, la diferencia es mínima. Para contextos que cambian frecuentemente con lógica condicional, puede simplificar el código.</p> <h2> Conclusión: cuándo migrar y cuándo no moverse </h2> <p><code>use()</code> es una de las mejores adiciones de React 19. Declarar un componente que lee datos sin <code>useState</code> + <code>useEffect</code> + manejo manual de loading es genuinamente más limpio. No lo discuto.</p> <p>Lo que no compro es el framing de "reemplazá todos los useEffect de fetch con use()". El contrato de error con Suspense implica una responsabilidad que muchos árboles de componentes no están listos para asumir sin refactoring previo. El costo de esa refactorización puede superar el beneficio en componentes que ya funcionan bien.</p> <p>Mi criterio personal: migrá a <code>use()</code> cuando la Promise viene de afuera del componente (Server Component, cache, contexto estable), cuando ya tenés Error Boundaries granulares o cuando estés construyendo el componente desde cero. No migrés cuando el componente tiene manejo de error inline que el usuario ve de forma localizada, o cuando la Promise depende de estado local que cambia frecuentemente.</p> <p>Si estás diseñando la arquitectura de un sistema de datos compartidos entre componentes, el post sobre <a href="https://juanchi.dev/es/blog/arquitectura-backend-identidad-digital-jwt-oauth" rel="noopener noreferrer">arquitectura backend y decisiones que los tutoriales omiten</a> tiene contexto complementario sobre cómo los contratos de error se propagan en capas. Y si trabajás con TypeScript strict en ese mismo proyecto, <a href="https://juanchi.dev/es/blog/typescript-strict-mode-tsconfig-opciones-produccion" rel="noopener noreferrer">las 6 opciones de tsconfig que más impactan en producción</a> van a ser relevantes al tipar las Promises que le pasás a <code>use()</code>.</p> <p>El próximo paso concreto: abrí un componente que use <code>useEffect</code> para fetch, pasalo por el checklist de arriba y decidí con criterio. No con momentum de ecosystem.</p> <p><strong>Fuentes originales:</strong></p> <ul> <li>React Docs — use(): <a href="https://react.dev/reference/react/use" rel="noopener noreferrer">https://react.dev/reference/react/use</a> </li> <li>React 19 Release Notes: <a href="https://react.dev/blog/2024/12/05/react-19" rel="noopener noreferrer">https://react.dev/blog/2024/12/05/react-19</a> </li> </ul> <p><em>Este artículo fue publicado originalmente en <a href="https://juanchi.dev/es/blog/react-19-use-hook-suspense-vs-useeffect" rel="noopener noreferrer">juanchi.dev</a></em></p> spanish espanol react typescript Spring Boot Actuator: What to Expose, What to Hide, and What to Check Before Adding Endpoints Juan Torchia Mon, 01 Jun 2026 12:02:33 +0000 https://dev.to/jtorchia/spring-boot-actuator-what-to-expose-what-to-hide-and-what-to-check-before-adding-endpoints-23ff https://dev.to/jtorchia/spring-boot-actuator-what-to-expose-what-to-hide-and-what-to-check-before-adding-endpoints-23ff <h1> Spring Boot Actuator: What to Expose, What to Hide, and What to Check Before Adding Endpoints </h1> <p>I was reviewing a Spring Boot backend config in a test environment when I noticed <code>/actuator/env</code> was responding without authentication. Nothing production, nothing critical — but the setup was the classic default of someone who added the dependency, saw <code>/actuator/health</code> working, and moved on. The <code>env</code> endpoint exposes active environment variables, including everything in the Spring context. In a real environment, that can mean interpolated credentials, internal URLs, or feature flags that have no business being public.</p> <p><strong>My thesis is this:</strong> Actuator isn't bad. It's a serious, well-documented, genuinely useful operational tool. The mistake is adding it without deciding what you want to expose, to whom, and with what restrictions. Most tutorials tell you how to enable it. Almost none explain the cost of enabling it wrong.</p> <h2> Spring Boot Actuator endpoint security: what the official docs actually say </h2> <p>The <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html" rel="noopener noreferrer">official Spring Boot Actuator documentation</a> is explicit about something a lot of people ignore: <strong>endpoints have two independent dimensions — being enabled and being exposed</strong>.</p> <p>An endpoint can be <em>enabled</em> (active in the application context) but not <em>exposed</em> over HTTP. By default, only <code>health</code> is exposed via HTTP. Everything else requires explicit configuration.</p> <p>That matters because the default behavior is conservative — but trivially easy to override with a single line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># application.yml</span> <span class="na">management</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># Exposes EVERYTHING — including what you don't want exposed</span> </code></pre> </div> <p>That line shows up in hundreds of tutorials as "to see all available endpoints." Which is fine on localhost. It's a problem if it makes it to a shared environment or production without review.</p> <p>The docs also distinguish between <code>JMX</code> and <code>HTTP</code> as separate exposure channels. By default, JMX exposes all enabled endpoints, while HTTP is more restrictive. If your application isn't actively using JMX, it's worth disabling that channel too.</p> <h3> The endpoints that deserve attention before you expose them </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>What it exposes</th> <th>Risk if public</th> </tr> </thead> <tbody> <tr> <td><code>/actuator/env</code></td> <td>Spring context environment variables</td> <td>High — can include credentials</td> </tr> <tr> <td><code>/actuator/beans</code></td> <td>All registered beans</td> <td>Medium — reveals internal architecture</td> </tr> <tr> <td><code>/actuator/heapdump</code></td> <td>JVM heap dump</td> <td>High — can contain sensitive data in heap</td> </tr> <tr> <td><code>/actuator/mappings</code></td> <td>All HTTP endpoints in the app</td> <td>Medium — enables reconnaissance</td> </tr> <tr> <td><code>/actuator/loggers</code></td> <td>Active logging configuration</td> <td>Low-Medium — allows runtime log level changes</td> </tr> <tr> <td><code>/actuator/metrics</code></td> <td>JVM and app metrics</td> <td>Low — useful internally, little value exposed</td> </tr> <tr> <td><code>/actuator/health</code></td> <td>App operational status</td> <td>Low if properly configured</td> </tr> </tbody> </table></div> <p>This table isn't exhaustive — the full list of built-in endpoints is in the official docs. But it covers the most common ones and the ones that generate the most debate.</p> <h2> Where people get it wrong: the easy recipe and its hidden cost </h2> <p>The most common pattern I see in projects with misconfigured Actuator isn't carelessness — it's accumulation. Someone adds <code>spring-boot-starter-actuator</code> to have <code>/health</code> available for the load balancer. Then someone else adds <code>include: "*"</code> to debug something. Then nobody cleans it up.</p> <p>The problem with <code>include: "*"</code> isn't just what it exposes today — it's that it automatically exposes any endpoint added in the future, including endpoints from third-party libraries that integrate with Actuator. Spring Security, Micrometer, Spring Cloud, and other frameworks can register their own endpoints under <code>/actuator/</code>. If you have <code>include: "*"</code>, they expose themselves.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># What you should have instead of "*"</span> <span class="na">management</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="c1"># Explicit list: you know exactly what's exposed</span> <span class="na">include</span><span class="pi">:</span> <span class="s2">"</span><span class="s">health,info,metrics"</span> <span class="c1"># Everything else is blocked by default</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="na">health</span><span class="pi">:</span> <span class="c1"># Show details only to authenticated users</span> <span class="na">show-details</span><span class="pi">:</span> <span class="s">when_authorized</span> <span class="c1"># Separate the management port from the app port</span> <span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8081</span> </code></pre> </div> <p>That last point — <code>management.server.port</code> — is the most practical change you can make. If Actuator runs on a separate port, you can protect it at the network level (firewall, security group, nginx) without touching application logic. Port 8081 never reaches the public load balancer. Port 8080 does.</p> <p>Another common mistake: trusting that Spring Security protects Actuator automatically. By default, if you have Spring Security on the classpath, Actuator endpoints are protected by the same rules as the rest of the app — but that's not always enough. Being explicit is worth it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// SecurityConfig.java</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="c1">// Only /health and /info without authentication</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/actuator/health"</span><span class="o">,</span> <span class="s">"/actuator/info"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="c1">// The rest of actuator requires ADMIN role</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/actuator/**"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>This is more robust than relying on implicit behavior, and it's also living documentation: whoever reads this config understands exactly what's protected and how.</p> <h2> Decision checklist before adding Actuator to a project </h2> <p>Before the first deploy with Actuator enabled, these are the questions worth answering:</p> <p><strong>On exposure:</strong></p> <ul> <li>[ ] Did you explicitly list which endpoints you want to expose? Or did you use <code>"*"</code>?</li> <li>[ ] Is Actuator running on a separate port from the application port?</li> <li>[ ] Is that management port blocked for external traffic?</li> </ul> <p><strong>On authentication:</strong></p> <ul> <li>[ ] Do sensitive endpoints (<code>env</code>, <code>beans</code>, <code>heapdump</code>) require authentication?</li> <li>[ ] Does <code>health</code> expose details (<code>show-details</code>) without restriction? Do you want that?</li> <li>[ ] Do you have Spring Security explicitly configured for <code>/actuator/**</code>, or are you relying on default behavior?</li> </ul> <p><strong>On exposed information:</strong></p> <ul> <li>[ ] Did you check what <code>/actuator/env</code> returns in the environment where it's going to run?</li> <li>[ ] Are there environment variables with credentials showing up in that endpoint?</li> <li>[ ] Does <code>/actuator/info</code> expose versions, git commits, or metadata you don't want public?</li> </ul> <p><strong>On JMX:</strong></p> <ul> <li>[ ] If you're not using JMX, did you disable it? </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Disable JMX if you're not using it</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">jmx</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>This checklist doesn't guarantee total security — that depends on the full context of the application, the network, and the environment. But it covers the decisions that most frequently get left unmade.</p> <h2> What you can't conclude without your own data </h2> <p>There's something this guide can't do for you: tell you which specific endpoints you actually need in production.</p> <p>That depends on how you monitor the application. If you're using Prometheus + Grafana, <code>/actuator/prometheus</code> is useful — but if you're using Datadog with the agent installed, you probably don't need to expose it at all. If you have a load balancer doing health checks, you need <code>/actuator/health</code> — but if you're on Kubernetes with liveness/readiness probes pointing to their own endpoint, you can decouple that from Actuator entirely.</p> <p>Also: the behavior of <code>show-details: when_authorized</code> depends on how Spring Security is configured in that context. Without reviewing the app's actual security configuration, that setting can behave differently than expected.</p> <p>What you can do today: start with minimal exposure and add endpoints with intention, not with <code>"*"</code>. It's easier to add than to remove — especially once you have environments that depend on the current state.</p> <p>A useful reference if you're evaluating observability integration: the post on <a href="https://juanchi.dev/en/blog/docker-healthcheck-what-it-measures-best-practices" rel="noopener noreferrer">Docker healthchecks</a> has an analysis of what availability checks actually measure and what they shouldn't promise — directly applicable if you're deciding whether Actuator <code>/health</code> is enough for your probes or you need something more granular.</p> <h2> FAQ: Spring Boot Actuator and endpoint security </h2> <p><strong>What endpoints does Actuator expose by default via HTTP?</strong><br> Only <code>/actuator/health</code> is exposed over HTTP in the default configuration. Everything else requires explicit declaration in <code>management.endpoints.web.exposure.include</code>. You can verify this in the <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html" rel="noopener noreferrer">official documentation</a>.</p> <p><strong>Is <code>include: "*"</code> always a problem?</strong><br> On localhost for development, no. In a shared environment, staging with a semi-public network, or production, yes — because it exposes current and future endpoints without review. The risk isn't just what you're exposing today, it's what gets added automatically when you update dependencies.</p> <p><strong>Does Spring Security protect Actuator automatically if it's on the classpath?</strong><br> Partially. Spring Security applies the application's security rules to Actuator, but the concrete behavior depends on how it's configured. The recommended practice is to be explicit with a <code>requestMatchers("/actuator/**")</code> in your security configuration.</p> <p><strong>Is it worth separating the Actuator port from the application port?</strong><br> Yes, and it's probably the highest-impact change with the lowest complexity. With <code>management.server.port: 8081</code>, you can protect that port at the network level without touching application code. The public load balancer only sees 8080.</p> <p><strong>Can <code>/actuator/health</code> expose sensitive information?</strong><br> Yes, if <code>show-details</code> is set to <code>always</code>. In that mode, the endpoint returns the status of each component — database, cache, external services — with details that can reveal internal URLs or dependency states. <code>show-details: when_authorized</code> is the most conservative setting for exposed environments.</p> <p><strong>How do I know which endpoints my third-party dependencies registered?</strong><br> You can check at runtime by calling <code>/actuator</code> (the root endpoint, if it's exposed), which returns the map of all available endpoints. You can also enable it only in development using Spring profiles: <code>@Profile("dev")</code> on the configuration bean, or using <code>spring.profiles.active</code> to load an <code>application-dev.yml</code> with <code>include: "*"</code>.</p> <h2> My final take: Actuator as an operational tool, not a default </h2> <p>Actuator is one of the best-designed parts of the Spring Boot ecosystem. The enabled/exposed separation, the Micrometer integration, the native support for custom health indicators — all of that has real operational value.</p> <p>What has no value is adding it as "it comes in the starter, just in case." That logic works in development. In an environment with a real network, it's a surface area that grows on its own every time you update dependencies.</p> <p>My practical recommendation: start with <code>include: "health,info"</code>, separate the management port from the first deploy, and add endpoints with intention when you have a concrete consumer — a metrics dashboard, an APM tool, a diagnostic script. If you don't know who's consuming the endpoint, you probably don't need to expose it yet.</p> <p>If you're building a backend with layered security decisions, it might be worth checking out the post on <a href="https://juanchi.dev/en/blog/digital-identity-backend-architecture-decisions-tutorials-skip" rel="noopener noreferrer">digital identity backend architecture</a> — the "what to expose and with what restrictions" criterion applies in both contexts with similar logic.</p> <p><strong>Original source:</strong></p> <ul> <li>Spring Boot Actuator — Endpoints: <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html" rel="noopener noreferrer">https://docs.spring.io/spring-boot/reference/actuator/endpoints.html</a> </li> </ul> <p><em>This article was originally published on <a href="https://juanchi.dev/en/blog/spring-boot-actuator-endpoints-what-to-expose-hide" rel="noopener noreferrer">juanchi.dev</a></em></p> english backend produccion seguridad Spring Boot Actuator: qué exponer, qué ocultar y qué mirar antes de agregar endpoints Juan Torchia Mon, 01 Jun 2026 12:02:29 +0000 https://dev.to/jtorchia/spring-boot-actuator-que-exponer-que-ocultar-y-que-mirar-antes-de-agregar-endpoints-411m https://dev.to/jtorchia/spring-boot-actuator-que-exponer-que-ocultar-y-que-mirar-antes-de-agregar-endpoints-411m <h1> Spring Boot Actuator: qué exponer, qué ocultar y qué mirar antes de agregar endpoints </h1> <p>Estaba revisando la configuración de un backend Spring Boot en un escenario de prueba cuando noté que <code>/actuator/env</code> respondía sin autenticación. Nada de producción, nada crítico — pero la configuración era la default de alguien que agregó la dependencia, vio que <code>/actuator/health</code> funcionaba, y siguió. El endpoint <code>env</code> expone variables de entorno activas, incluyendo cualquier cosa que haya en el contexto de Spring. En un ambiente real, eso puede incluir credenciales interpoladas, URLs internas o flags de feature que no deberían ser públicos.</p> <p><strong>Mi tesis es esta:</strong> Actuator no es malo. Es una herramienta operativa seria, documentada y útil. El error es agregarlo sin decidir qué querés exponer, a quién y con qué restricciones. La mayoría de los tutoriales te dicen cómo habilitarlo. Casi ninguno te explica el costo de habilitarlo mal.</p> <h2> Spring Boot Actuator endpoints seguridad: qué dice la documentación oficial </h2> <p>La <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html" rel="noopener noreferrer">documentación oficial de Spring Boot Actuator</a> es explícita en algo que mucha gente ignora: <strong>los endpoints tienen dos dimensiones independientes — estar habilitados y estar expuestos</strong>.</p> <p>Un endpoint puede estar <em>habilitado</em> (activo en el contexto de la aplicación) pero no <em>expuesto</em> por HTTP. Por defecto, solo <code>health</code> está expuesto vía HTTP. El resto requiere configuración explícita.</p> <p>Esto es importante porque el comportamiento por defecto es conservador — pero fácil de sobreescribir con una sola línea:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># application.yml</span> <span class="na">management</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># Expone TODO — incluyendo lo que no querés exponer</span> </code></pre> </div> <p>Esa línea aparece en cientos de tutoriales como "para ver todos los endpoints disponibles". Lo cual está bien en localhost. Es un problema si llega a un ambiente compartido o a producción sin revisión.</p> <p>La doc también distingue entre <code>JMX</code> y <code>HTTP</code> como canales de exposición separados. Por defecto, JMX expone todos los endpoints habilitados, mientras que HTTP es más restrictivo. Si tu aplicación no usa JMX activamente, vale la pena deshabilitar ese canal también.</p> <h3> Los endpoints que merecen atención antes de exponerlos </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Qué expone</th> <th>Riesgo si está público</th> </tr> </thead> <tbody> <tr> <td><code>/actuator/env</code></td> <td>Variables de entorno del contexto Spring</td> <td>Alto — puede incluir credenciales</td> </tr> <tr> <td><code>/actuator/beans</code></td> <td>Todos los beans registrados</td> <td>Medio — revela arquitectura interna</td> </tr> <tr> <td><code>/actuator/heapdump</code></td> <td>Dump de memoria JVM</td> <td>Alto — puede contener datos sensibles en heap</td> </tr> <tr> <td><code>/actuator/mappings</code></td> <td>Todos los endpoints HTTP de la app</td> <td>Medio — facilita reconnaissance</td> </tr> <tr> <td><code>/actuator/loggers</code></td> <td>Configuración de logging activa</td> <td>Bajo-Medio — permite cambiar niveles en runtime</td> </tr> <tr> <td><code>/actuator/metrics</code></td> <td>Métricas de la JVM y la app</td> <td>Bajo — útil internamente, poco valor expuesto</td> </tr> <tr> <td><code>/actuator/health</code></td> <td>Estado operativo de la app</td> <td>Bajo si está bien configurado</td> </tr> </tbody> </table></div> <p>Esta tabla no es exhaustiva — la lista completa de endpoints built-in está en la documentación oficial. Pero cubre los más frecuentes y los que generan más discusión.</p> <h2> Dónde se equivoca la gente: la receta fácil y su costo oculto </h2> <p>El patrón más común que veo en proyectos con Actuator mal configurado no es descuido — es acumulación. Alguien agrega <code>spring-boot-starter-actuator</code> para tener <code>/health</code> disponible para el load balancer. Después otro agrega <code>include: "*"</code> para debuggear algo. Después nadie limpia.</p> <p>El problema con <code>include: "*"</code> no es solo lo que expone hoy — es que expone automáticamente cualquier endpoint que se agregue en el futuro, incluyendo endpoints de librerías de terceros que se integran con Actuator. Spring Security, Micrometer, Spring Cloud y otros frameworks pueden registrar sus propios endpoints bajo <code>/actuator/</code>. Si tenés <code>include: "*"</code>, se exponen solos.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Lo que deberías tener en lugar de "*"</span> <span class="na">management</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="c1"># Listado explícito: sabés exactamente qué está expuesto</span> <span class="na">include</span><span class="pi">:</span> <span class="s2">"</span><span class="s">health,info,metrics"</span> <span class="c1"># Todo lo demás queda bloqueado por defecto</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="na">health</span><span class="pi">:</span> <span class="c1"># Mostrá detalles solo a usuarios autenticados</span> <span class="na">show-details</span><span class="pi">:</span> <span class="s">when_authorized</span> <span class="c1"># Separar el puerto de management del puerto de la app</span> <span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8081</span> </code></pre> </div> <p>Ese último punto — <code>management.server.port</code> — es el cambio más práctico que podés hacer. Si Actuator corre en un puerto separado, podés protegerlo a nivel de red (firewall, security group, nginx) sin tocar la lógica de la aplicación. El puerto 8081 nunca llega al load balancer público. El 8080 sí.</p> <p>Otro error común: confiar en que Spring Security protege Actuator automáticamente. Por defecto, si tenés Spring Security en el classpath, los endpoints de Actuator quedan protegidos con las mismas reglas del resto de la app — pero eso no siempre es suficiente. Vale la pena ser explícito:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// SecurityConfig.java</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="c1">// Solo /health y /info sin autenticación</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/actuator/health"</span><span class="o">,</span> <span class="s">"/actuator/info"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="c1">// El resto de actuator requiere rol ADMIN</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/actuator/**"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Esto es más robusto que depender del comportamiento implícito, y además es documentación viva: quien lea la config entiende exactamente qué está protegido y cómo.</p> <h2> Checklist de decisión antes de agregar Actuator a un proyecto </h2> <p>Antes de hacer el primer deploy con Actuator habilitado, estas son las preguntas que vale la pena responder:</p> <p><strong>Sobre exposición:</strong></p> <ul> <li>[ ] ¿Listaste explícitamente qué endpoints querés exponer? ¿O usaste <code>"*"</code>?</li> <li>[ ] ¿Actuator corre en un puerto separado del puerto de la aplicación?</li> <li>[ ] ¿Ese puerto de management está bloqueado para tráfico externo?</li> </ul> <p><strong>Sobre autenticación:</strong></p> <ul> <li>[ ] ¿Los endpoints sensibles (<code>env</code>, <code>beans</code>, <code>heapdump</code>) requieren autenticación?</li> <li>[ ] ¿<code>health</code> expone detalles (<code>show-details</code>) sin restricción? ¿Querés eso?</li> <li>[ ] ¿Tenés Spring Security configurado explícitamente para <code>/actuator/**</code>, o dependés del comportamiento por defecto?</li> </ul> <p><strong>Sobre información expuesta:</strong></p> <ul> <li>[ ] ¿Revisaste qué devuelve <code>/actuator/env</code> en el ambiente donde va a correr?</li> <li>[ ] ¿Hay variables de entorno con credenciales que aparecen en ese endpoint?</li> <li>[ ] ¿<code>/actuator/info</code> expone versiones, git commit o metadata que no querés pública?</li> </ul> <p><strong>Sobre JMX:</strong></p> <ul> <li>[ ] Si no usás JMX, ¿lo deshabilitaste? </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Deshabilitar JMX si no lo usás</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">jmx</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>Este checklist no garantiza seguridad total — eso depende del contexto completo de la aplicación, la red y el ambiente. Pero cubre las decisiones que más frecuentemente quedan sin tomar.</p> <h2> Qué no podés concluir sin datos propios </h2> <p>Hay algo que esta guía no puede hacer por vos: decirte qué endpoints específicamente necesitás en producción.</p> <p>Eso depende de cómo monitoreas la aplicación. Si usás Prometheus + Grafana, <code>/actuator/prometheus</code> es útil — pero si usás Datadog con el agente instalado, probablemente no necesitás exponerlo en absoluto. Si tenés un load balancer que hace health checks, necesitás <code>/actuator/health</code> — pero si usás Kubernetes con liveness/readiness probes apuntando a un endpoint propio, podés separar eso de Actuator completamente.</p> <p>También: el comportamiento de <code>show-details: when_authorized</code> depende de cómo Spring Security está configurado en ese contexto. Sin revisar la configuración real de seguridad de la app, ese setting puede comportarse diferente a lo esperado.</p> <p>Lo que sí podés hacer hoy: arrancar con exposición mínima y agregar endpoints con intención, no con <code>"*"</code>. Es más fácil agregar que quitar — especialmente si ya hay ambientes que dependen del estado actual.</p> <p>Una referencia útil si estás evaluando la integración con observabilidad: en el post sobre <a href="https://juanchi.dev/es/blog/docker-healthcheck-buenas-practicas-que-miden" rel="noopener noreferrer">Docker healthchecks</a> hay un análisis de qué miden realmente los checks de disponibilidad y qué no deberían prometer — aplica directamente si estás decidiendo si Actuator <code>/health</code> es suficiente para tus probes o necesitás algo más granular.</p> <h2> FAQ: Spring Boot Actuator y seguridad de endpoints </h2> <p><strong>¿Qué endpoints expone Actuator por defecto vía HTTP?</strong><br> Solo <code>/actuator/health</code> está expuesto por HTTP en la configuración por defecto. El resto requiere declaración explícita en <code>management.endpoints.web.exposure.include</code>. Podés verificarlo en la <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html" rel="noopener noreferrer">documentación oficial</a>.</p> <p><strong>¿<code>include: "*"</code> es siempre un problema?</strong><br> En localhost para desarrollo, no. En un ambiente compartido, staging con red semipública o producción, sí — porque expone endpoints actuales y futuros sin revisión. El riesgo no es solo lo que exponés hoy, sino lo que se agrega automáticamente cuando actualizás dependencias.</p> <p><strong>¿Spring Security protege Actuator automáticamente si está en el classpath?</strong><br> Parcialmente. Spring Security aplica las reglas de seguridad de la aplicación a Actuator, pero el comportamiento concreto depende de cómo esté configurado. La práctica recomendada es ser explícito con un <code>requestMatchers("/actuator/**")</code> en la configuración de seguridad.</p> <p><strong>¿Vale la pena separar el puerto de Actuator del puerto de la aplicación?</strong><br> Sí, y es probablemente el cambio de mayor impacto con menor complejidad. Con <code>management.server.port: 8081</code>, podés proteger ese puerto a nivel de red sin tocar el código de la aplicación. El load balancer público solo ve el 8080.</p> <p><strong>¿<code>/actuator/health</code> puede exponer información sensible?</strong><br> Sí, si <code>show-details</code> está en <code>always</code>. En ese modo, el endpoint devuelve el estado de cada componente — base de datos, cache, servicios externos — con detalles que pueden revelar URLs internas o estados de dependencias. <code>show-details: when_authorized</code> es el setting más conservador para ambientes expuestos.</p> <p><strong>¿Cómo sé qué endpoints registraron mis dependencias de terceros?</strong><br> Podés consultarlo en runtime con una llamada a <code>/actuator</code> (el endpoint raíz, si está expuesto), que devuelve el mapa de todos los endpoints disponibles. También podés habilitarlo solo en desarrollo con profiles de Spring: <code>@Profile("dev")</code> en el bean de configuración o usando <code>spring.profiles.active</code> para cargar un <code>application-dev.yml</code> con <code>include: "*"</code>.</p> <h2> Mi postura final: Actuator como herramienta operativa, no como default </h2> <p>Actuator es una de las partes mejor diseñadas del ecosistema Spring Boot. La separación entre habilitado/expuesto, la integración con Micrometer, el soporte nativo para health indicators personalizados — todo eso tiene valor operativo real.</p> <p>Lo que no tiene valor es agregarlo como "viene en el starter, por las dudas". Esa lógica funciona en desarrollo. En un ambiente con red real, es una superficie que crece sola cada vez que actualizás dependencias.</p> <p>Mi recomendación práctica: empezá con <code>include: "health,info"</code>, separé el puerto de management desde el primer deploy, y agregá endpoints con intención cuando tengas un consumidor concreto — un dashboard de métricas, una herramienta de APM, un script de diagnóstico. Si no sabés quién consume el endpoint, probablemente no necesitás exponerlo todavía.</p> <p>Si estás construyendo un backend con decisiones de seguridad en capas, puede ser útil revisar también el post sobre <a href="https://juanchi.dev/es/blog/arquitectura-backend-identidad-digital-jwt-oauth" rel="noopener noreferrer">arquitectura backend de identidad digital</a> — el criterio de "qué exponer y con qué restricciones" aplica en ambos contextos con lógica similar.</p> <p><strong>Fuente original:</strong></p> <ul> <li>Spring Boot Actuator — Endpoints: <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html" rel="noopener noreferrer">https://docs.spring.io/spring-boot/reference/actuator/endpoints.html</a> </li> </ul> <p><em>Este artículo fue publicado originalmente en <a href="https://juanchi.dev/es/blog/spring-boot-actuator-endpoints-seguridad" rel="noopener noreferrer">juanchi.dev</a></em></p> spanish espanol backend produccion