So I placed this code to /src/routes/_layout.svelte:

  import AuthMiddleware from "../methods/authMiddleware.js";
  import { goto, stores } from '@sapper/app';
  const { page } = stores();

  if (typeof window !== "undefined" && typeof document !== "undefined") {
    page.subscribe(({ path, params, query }) => {
      const from = window.location.pathname;
      const redirect = (href) => { goto(href); }

      AuthMiddleware.beforeChange(from, path, redirect, params, query);
    })
  }

And this is authMiddleware.js file:

export default class AuthMiddleware {

  static beforeChange(from, to, redirect, params, query) {

    if (!AuthMiddleware._isUserAuthenticated()) {
      redirect("/login");
    }
  }

  // ~

  static _isUserAuthenticated() {
    return true; // TODO: Implement
  }
}

more information on route hooks can be found here

• https://github.com/sveltejs/sapper/issues/30
• https://sapper.svelte.dev/docs/#Stores

You can also use authenticationMiddleware.js inside server.js file

Here is authenticationMiddleware.js file

import { get, post } from "./../lib/api";
async function authenticationMiddleware(req, res, next) {
    let user = null
    const cookies = require('cookie-universal')(req, res);
    if (cookies.get('token')) {
        try {
            user = await get("users/me", null, cookies.get('token'));
        } catch (e) {
            console.log('err at users', e.toString());
        }
        req.user = user
        req.token = cookies.get('token')
    } else {
        req.user = {}
        req.token = null
        cookies.set('token', null)
    }
    next();
}
export { authenticationMiddleware }

e.g. https://github.com/itswadesh/sapper-ecommerce/blob/master/src/server.js