Authorization
The createContext
-function is called for each incoming request so here you can add contextual information about the calling user from the request object.
Create context from request headers​
server/context.tsts
import * as trpc from '@trpc/server';import { inferAsyncReturnType } from '@trpc/server';import * as trpcNext from '@trpc/server/adapters/next';import { decodeAndVerifyJwtToken } from './somewhere/in/your/app/utils';export async function createContext({req,res,}: trpcNext.CreateNextContextOptions) {// Create your context based on the request object// Will be available as `ctx` in all your resolvers// This is just an example of something you'd might want to do in your ctx fnasync function getUserFromHeader() {if (req.headers.authorization) {const user = await decodeAndVerifyJwtToken(req.headers.authorization.split(' ')[1])return user;}return null;}const user = await getUserFromHeader();return {user,};}type Context = inferAsyncReturnType<typeof createContext>;// [..] Define API handler and app router
server/context.tsts
import * as trpc from '@trpc/server';import { inferAsyncReturnType } from '@trpc/server';import * as trpcNext from '@trpc/server/adapters/next';import { decodeAndVerifyJwtToken } from './somewhere/in/your/app/utils';export async function createContext({req,res,}: trpcNext.CreateNextContextOptions) {// Create your context based on the request object// Will be available as `ctx` in all your resolvers// This is just an example of something you'd might want to do in your ctx fnasync function getUserFromHeader() {if (req.headers.authorization) {const user = await decodeAndVerifyJwtToken(req.headers.authorization.split(' ')[1])return user;}return null;}const user = await getUserFromHeader();return {user,};}type Context = inferAsyncReturnType<typeof createContext>;// [..] Define API handler and app router
Option 1: Authorize using resolver​
server/routers/_app.tsts
import * as trpc from '@trpc/server';import { TRPCError } from '@trpc/server';import { createRouter } from '../createRouter';export const appRouter = createRouter()// open for anyone.query('hello', {input: z.string().nullish(),resolve: ({ input, ctx }) => {return `hello ${input ?? ctx.user?.name ?? 'world'}`;},})// checked in resolver.query('secret', {resolve: ({ ctx }) => {if (!ctx.user) {throw new TRPCError({ code: 'UNAUTHORIZED' });}return {secret: 'sauce',};},});
server/routers/_app.tsts
import * as trpc from '@trpc/server';import { TRPCError } from '@trpc/server';import { createRouter } from '../createRouter';export const appRouter = createRouter()// open for anyone.query('hello', {input: z.string().nullish(),resolve: ({ input, ctx }) => {return `hello ${input ?? ctx.user?.name ?? 'world'}`;},})// checked in resolver.query('secret', {resolve: ({ ctx }) => {if (!ctx.user) {throw new TRPCError({ code: 'UNAUTHORIZED' });}return {secret: 'sauce',};},});
Option 2: Authorize using middleware​
server/routers/_app.tsts
import * as trpc from '@trpc/server';import { TRPCError } from '@trpc/server';import { createRouter } from '../createRouter';export const appRouter = createRouter()// this is accessible for everyone.query('hello', {input: z.string().nullish(),resolve: ({ input, ctx }) => {return `hello ${input ?? ctx.user?.name ?? 'world'}`;},}).merge('admin.',createRouter()// this protects all procedures defined next in this router.middleware(async ({ ctx, next }) => {if (!ctx.user?.isAdmin) {throw new TRPCError({ code: 'UNAUTHORIZED' });}return next()}).query('secret', {resolve: ({ ctx }) => {return {secret: 'sauce',}},}),);
server/routers/_app.tsts
import * as trpc from '@trpc/server';import { TRPCError } from '@trpc/server';import { createRouter } from '../createRouter';export const appRouter = createRouter()// this is accessible for everyone.query('hello', {input: z.string().nullish(),resolve: ({ input, ctx }) => {return `hello ${input ?? ctx.user?.name ?? 'world'}`;},}).merge('admin.',createRouter()// this protects all procedures defined next in this router.middleware(async ({ ctx, next }) => {if (!ctx.user?.isAdmin) {throw new TRPCError({ code: 'UNAUTHORIZED' });}return next()}).query('secret', {resolve: ({ ctx }) => {return {secret: 'sauce',}},}),);
This middleware can be re-used for multiple sub-routers by creating a protected router helper.