Authentication before routing.
It makes little sense otherwise. The outcome of routing isn't to tell whether a route exists but to delegate to route handler. If you have a an authentication Middleware, it stands to reason to trigger it early (with the added benefit of not giving away route existence - mostly because there's really no upside to this, there is nothing to gain by triggering authentication late).
So unless you have a strong need to delegate authentication to specific handlers, it should go first.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Authentication before routing.
It makes little sense otherwise. The outcome of routing isn't to tell whether a route exists but to delegate to route handler. If you have a an authentication Middleware, it stands to reason to trigger it early (with the added benefit of not giving away route existence - mostly because there's really no upside to this, there is nothing to gain by triggering authentication late).
So unless you have a strong need to delegate authentication to specific handlers, it should go first.