When following TDD you shouldn't be writing any application code without writing a test first. This applies to middleware on routes too, however writing a specific test for every route is time consuming.
I decided to write a single test file that knew which endpoints on my API can and cannot be accessed with valid auth credentials.
Here I'm using Passport's Client Credentials to protect endpoints, but you should be able to tweak this file for any auth method.
This file only consists of 3 tests: