Over the last few weeks at the office, I've been working on a JSON API project that is hosted using Microsoft Azure Mobile Services. The decision to use this platform wasn't mine, but at least it hasn't been as bad as I originally though it would be. So far, I've had to make a few small concessions to the way I would normally do things. I expected as much given the way Microsoft has attempted to hide many under-the-hood elements of a Node.js project. With that said, it wasn't until today that this framework made me do something "hackish" in order to accomplish my task.
This MSDN blog post leads a developer to believe that the referenced "extensions.startup" script guarantees "complete control over your application", with the power to implement "custom routes, middleware or even use socket.io to do realtime communication". The part that caught my eye here was middleware. Since none of the built-in authentication providers offered by Azure Mobile Services fit the project's needs, I was going to implement one using express-jwt. It looked great on paper, but turned out to be impossible.
The main problem with any code defined in the "extensions.startup" script is that it doesn't actually get executed until after rest of the project's middleware and URL router (which you have no access to since you never get to implement your own server.js/app.js file). This makes it impossible to register middleware intended to intercept all incoming requests in the normal way: