Authorization

The createContext-function is called for each incoming request so here you can add contextual information about the calling user from the request object.

Create context from request headers

server/context.ts

  1. import * as trpc from '@trpc/server';
  2. import { inferAsyncReturnType } from '@trpc/server';
  3. import { decodeAndVerifyJwtToken } from './somewhere/in/your/app/utils';
  5. export async function createContext({
  6.   req,
  7.   res,
  8. }: trpcNext.CreateNextContextOptions) {
  9.   // Create your context based on the request object
  10.   // Will be available as `ctx` in all your resolvers
  12.   // This is just an example of something you'd might want to do in your ctx fn
  13.   async function getUserFromHeader() {
  14.     if (req.headers.authorization) {
  15.       const user = await decodeAndVerifyJwtToken(req.headers.authorization.split(' ')[1])
  16.       return user;
  17.     }
  18.     return null;
  19.   }
  20.   const user = await getUserFromHeader();
  22.   return {
  23.     user,
  24.   };
  25. }
  26. type Context = inferAsyncReturnType<typeof createContext>;
  29. // [..] Define API handler and app router

Option 1: Authorize using resolver

server/routers/_app.ts

  1. import * as trpc from '@trpc/server';
  2. import { TRPCError } from '@trpc/server';
  3. import { createRouter } from '../createRouter';
  5. export const appRouter = createRouter()
  6.   // open for anyone
  7.   .query('hello', {
  8.     input: z.string().nullish(),
  9.     resolve: ({ input, ctx }) => {
  10.       return `hello ${input ?? ctx.user?.name ?? 'world'}`;
  11.     },
  12.   })
  13.   // checked in resolver
  14.   .query('secret', {
  15.     resolve: ({ ctx }) => {
  16.       if (!ctx.user) {
  17.         throw new TRPCError({ code: 'UNAUTHORIZED' });
  18.       }
  19.       return {
  20.         secret: 'sauce',
  21.       };
  22.     },
  23.   });

Option 2: Authorize using middleware

server/routers/_app.ts

  1. import * as trpc from '@trpc/server';
  2. import { TRPCError } from '@trpc/server';
  3. import { createRouter } from '../createRouter';
  5. export const appRouter = createRouter()
  6.   // this is accessible for everyone
  7.   .query('hello', {
  8.     input: z.string().nullish(),
  9.     resolve: ({ input, ctx }) => {
  10.       return `hello ${input ?? ctx.user?.name ?? 'world'}`;
  11.     },
  12.   })
  13.   .merge(
  14.     'admin.',
  15.     createRouter()
  16.       // this protects all procedures defined next in this router
  17.       .middleware(async ({ ctx, next }) => {
  18.         if (!ctx.user?.isAdmin) {
  19.           throw new TRPCError({ code: 'UNAUTHORIZED' });
  20.         }
  21.         return next()
  22.       })
  23.       .query('secret', {
  24.         resolve: ({ ctx }) => {
  25.           return {
  26.             secret: 'sauce',
  27.           }
  28.         },
  29.     }),
  30.   );

This middleware can be re-used for multiple sub-routers by creating a protected router helper.