2025-08-04 17:45:44 +02:00
|
|
|
/**
|
|
|
|
|
* YOU PROBABLY DON'T NEED TO EDIT THIS FILE, UNLESS:
|
|
|
|
|
* 1. You want to modify request context (see Part 1).
|
|
|
|
|
* 2. You want to create a new middleware or type of procedure (see Part 3).
|
|
|
|
|
*
|
|
|
|
|
* TL;DR - This is where all the tRPC server stuff is created and plugged in. The pieces you will
|
|
|
|
|
* need to use are documented accordingly near the end.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
import { initTRPC, TRPCError } from "@trpc/server";
|
|
|
|
|
import type { CreateNextContextOptions } from "@trpc/server/adapters/next";
|
|
|
|
|
|
|
|
|
|
import superjson from "superjson";
|
2025-08-07 14:50:40 +02:00
|
|
|
import z, { ZodError } from "zod/v4";
|
2025-08-04 17:45:44 +02:00
|
|
|
|
|
|
|
|
import type { NextApiRequest, NextApiResponse } from "next";
|
|
|
|
|
import { env } from "~/env.mjs";
|
|
|
|
|
import { zUserId } from "~/server/utils/zod_types";
|
|
|
|
|
import { ACCESS_TOKEN_COOKIE_NAME, verifyToken } from "~/server/auth/jwt";
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 1. CONTEXT
|
|
|
|
|
*
|
|
|
|
|
* This section defines the "contexts" that are available in the backend API.
|
|
|
|
|
*
|
|
|
|
|
* These allow you to access things when processing a request, like the database, the session, etc.
|
|
|
|
|
*/
|
|
|
|
|
export const sessionSchema = z.object({
|
|
|
|
|
id: zUserId,
|
|
|
|
|
username: z.string(),
|
2025-08-07 14:50:40 +02:00
|
|
|
email: z.email(),
|
2025-08-04 17:45:44 +02:00
|
|
|
isAdmin: z.boolean(),
|
|
|
|
|
isBlocked: z.boolean(),
|
|
|
|
|
nome: z.string(),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
export type Session = z.infer<typeof sessionSchema>;
|
|
|
|
|
|
|
|
|
|
interface CreateInnerContextOptions extends Partial<CreateNextContextOptions> {
|
|
|
|
|
session: Session | null;
|
|
|
|
|
res?: NextApiResponse;
|
|
|
|
|
req?: NextApiRequest;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function createInnerTRPCContext(opts: CreateInnerContextOptions) {
|
|
|
|
|
return {
|
|
|
|
|
...opts,
|
|
|
|
|
session: opts.session,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export const createTRPCContext = async ({
|
|
|
|
|
req,
|
|
|
|
|
res,
|
|
|
|
|
}: Partial<CreateNextContextOptions>) => {
|
|
|
|
|
if (!req || !res) {
|
|
|
|
|
throw new Error(
|
|
|
|
|
"You are missing `req` or `res` in your call to createTRPCContext.",
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const accessToken = req.cookies[ACCESS_TOKEN_COOKIE_NAME];
|
|
|
|
|
// Get the session from the server using the getServerSession wrapper function
|
|
|
|
|
|
|
|
|
|
const session = accessToken ? await verifyToken(accessToken) : null;
|
|
|
|
|
const contextInner = createInnerTRPCContext({ session });
|
|
|
|
|
return {
|
|
|
|
|
...contextInner,
|
|
|
|
|
res,
|
|
|
|
|
req,
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export type Context = Awaited<ReturnType<typeof createInnerTRPCContext>>;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 2. INITIALIZATION
|
|
|
|
|
*
|
|
|
|
|
* This is where the tRPC API is initialized, connecting the context and transformer. We also parse
|
|
|
|
|
* ZodErrors so that you get typesafety on the frontend if your procedure fails due to validation
|
|
|
|
|
* errors on the backend.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
export const t = initTRPC.context<Context>().create({
|
|
|
|
|
transformer: superjson,
|
|
|
|
|
errorFormatter({ shape, error }) {
|
|
|
|
|
return {
|
|
|
|
|
...shape,
|
|
|
|
|
data: {
|
|
|
|
|
...shape.data,
|
|
|
|
|
zodError:
|
2025-08-07 14:50:40 +02:00
|
|
|
error.cause instanceof ZodError ? z.treeifyError(error.cause) : null,
|
2025-08-04 17:45:44 +02:00
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
},
|
|
|
|
|
sse: {
|
|
|
|
|
//maxDurationMs: 5 * 60 * 1_000, // 5 minutes
|
|
|
|
|
ping: {
|
|
|
|
|
enabled: true,
|
|
|
|
|
intervalMs: 3_000,
|
|
|
|
|
},
|
|
|
|
|
client: {
|
|
|
|
|
reconnectAfterInactivityMs: 5_000,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 3. ROUTER & PROCEDURE (THE IMPORTANT BIT)
|
|
|
|
|
*
|
|
|
|
|
* These are the pieces you use to build your tRPC API. You should import these a lot in the
|
|
|
|
|
* "/src/server/api/routers" directory.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* This is how you create new routers and sub-routers in your tRPC API.
|
|
|
|
|
*
|
|
|
|
|
* @see https://trpc.io/docs/router
|
|
|
|
|
*/
|
|
|
|
|
export const createTRPCRouter = t.router;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Public (unauthenticated) procedure
|
|
|
|
|
*
|
|
|
|
|
* This is the base piece you use to build new queries and mutations on your tRPC API. It does not
|
|
|
|
|
* guarantee that a user querying is authorized, but you can still access user session data if they
|
|
|
|
|
* are logged in.
|
|
|
|
|
*/
|
|
|
|
|
export const publicProcedure = t.procedure;
|
|
|
|
|
|
|
|
|
|
/** Reusable middleware that enforces users are logged in before running the procedure. */
|
|
|
|
|
const enforceUserIsAuthed = t.middleware(({ ctx, next, path }) => {
|
|
|
|
|
if (!ctx.session) {
|
|
|
|
|
throw new TRPCError({
|
|
|
|
|
code: "UNAUTHORIZED",
|
|
|
|
|
message: `User is not logged, error in path: ${path}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
return next({
|
|
|
|
|
ctx: {
|
|
|
|
|
// infers the `session` as non-nullable
|
|
|
|
|
session: { ...ctx.session },
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Protected (authenticated) procedure
|
|
|
|
|
*
|
|
|
|
|
* If you want a query or mutation to ONLY be accessible to logged in users, use this. It verifies
|
|
|
|
|
* the session is valid and guarantees `ctx.session.user` is not null.
|
|
|
|
|
*
|
|
|
|
|
* @see https://trpc.io/docs/procedures
|
|
|
|
|
*/
|
|
|
|
|
export const protectedProcedure = t.procedure.use(enforceUserIsAuthed);
|
|
|
|
|
|
|
|
|
|
/** Reusable middleware that enforces users are logged in before running the procedure. */
|
|
|
|
|
const enforceUserIsAdmin = t.middleware(({ ctx, next, path }) => {
|
|
|
|
|
if (!ctx.session || !ctx.session.isAdmin) {
|
|
|
|
|
throw new TRPCError({
|
|
|
|
|
code: "UNAUTHORIZED",
|
|
|
|
|
message: `User is not Admin, error in path: ${path}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
return next({
|
|
|
|
|
ctx: {
|
|
|
|
|
// infers the `session` as non-nullable
|
|
|
|
|
session: { ...ctx.session },
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Protected (authenticated) procedure
|
|
|
|
|
*
|
|
|
|
|
* If you want a query or mutation to ONLY be accessible to logged in users, use this. It verifies
|
|
|
|
|
* the session is valid and guarantees `ctx.session.user` is not null.
|
|
|
|
|
*
|
|
|
|
|
* @see https://trpc.io/docs/procedures
|
|
|
|
|
*/
|
|
|
|
|
export const adminProcedure = t.procedure.use(enforceUserIsAdmin);
|
|
|
|
|
|
|
|
|
|
export const apiProcedure = publicProcedure.use((opts) => {
|
|
|
|
|
if (!opts.ctx.req || !opts.ctx.res) {
|
|
|
|
|
throw new Error("You are missing `req` or `res` in your call.");
|
|
|
|
|
}
|
|
|
|
|
return opts.next({
|
|
|
|
|
ctx: {
|
|
|
|
|
// We overwrite the context with the truthy `req` & `res`, which will also overwrite the types used in your procedure.
|
|
|
|
|
req: opts.ctx.req,
|
|
|
|
|
res: opts.ctx.res,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const enforceProtectedApi = t.middleware(async ({ ctx, next, path }) => {
|
|
|
|
|
if (!ctx.req || !ctx.res) {
|
|
|
|
|
throw new TRPCError({
|
|
|
|
|
code: "UNAUTHORIZED",
|
|
|
|
|
message: `User is not Admin, error in path: ${path}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const basicAuth = ctx.req.headers.authorization;
|
|
|
|
|
if (!basicAuth) {
|
|
|
|
|
throw new TRPCError({
|
|
|
|
|
code: "UNAUTHORIZED",
|
|
|
|
|
message: `User is not Admin, error in path: ${path}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const authValue = basicAuth.split(" ")[1];
|
|
|
|
|
|
|
|
|
|
if (!authValue) {
|
|
|
|
|
throw new TRPCError({
|
|
|
|
|
code: "UNAUTHORIZED",
|
|
|
|
|
message: `User is not Admin, error in path: ${path}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const [user, pwd] = atob(authValue).split(":");
|
|
|
|
|
|
|
|
|
|
if (user !== env.EXP_API_USER || pwd !== env.EXP_API_PASS) {
|
|
|
|
|
throw new TRPCError({
|
|
|
|
|
code: "UNAUTHORIZED",
|
|
|
|
|
message: `User is not Admin, error in path: ${path}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return next({
|
|
|
|
|
ctx: {
|
|
|
|
|
// infers the `session` as non-nullable
|
|
|
|
|
req: ctx.req,
|
|
|
|
|
res: ctx.res,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
export const protectedApiProcedure = publicProcedure.use(enforceProtectedApi);
|