tRPC•7mo ago

Can I extend the procedure builder?

Authorization in my app is somewhat complicated; I have various resources, and I often have to validate the current user's relation to that resource before allowing them access.

Currently I'm doing this:

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .query(authorize(myQuery, authorizationConfig)),

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .query(authorize(myQuery, authorizationConfig)),

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .query(authorize(myQuery, authorizationConfig)),

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .query(authorize(myQuery, authorizationConfig)),

```
authorize
```
authorize
```
authorize
```
authorize
is a custom function that wraps a mutation in an authorization check, which is defined by the config.
The types of the query and config are related, because the authorization check uses the procedure's input.

What I really want to do is this:

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .authorize(authorizationConfig)
    .query(myQuery)

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .authorize(authorizationConfig)
    .query(myQuery)

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .authorize(authorizationConfig)
    .query(myQuery)

  myProcedure: protectedProcedure
    .input(myQuerySchema)
    .authorize(authorizationConfig)
    .query(myQuery)

Any advice? I've looked at using

.meta()

.meta()

.meta()

.meta(), but middleware doesn't know about the input types does it?

Solution

Yeah it's possible to do what you want:

Jump to solution

BeBoRE•5/29/25, 3:21 PM

You can also make protectedProcedure a function and have it return a procedure so it would look like this:

{
  myProcedure: protectedProcedure(authorizationConfig)
    .input(myQuerySchema)
    .query(myQuery)
}

{
  myProcedure: protectedProcedure(authorizationConfig)
    .input(myQuerySchema)
    .query(myQuery)
}

Nick•5/29/25, 10:14 PM

This is all pretty normal stuff. The ingredients are indeed a middleware, context, and meta

Middlewares can access inputs but there isn't much reason to since auth details should be in headers/cookies. Importantly they can gate access to procedures by throwing unauthorised errors (etc)

createContext()/Context is the best way to extract some bits from headers in a type-safe way, and middlewares can access this state type safely

Meta is great to allow procedures to be configured, like assigning an entitlement key to a procedure which the middleware can then check against the user, again in a type safe way

trachesOP•5/30/25, 3:33 PM

Thanks! I don't see how I can do authorization without input here. Like, say users have posts and they can edit their own posts but not other users' posts. We also have other records they can work with, but determining ownership is more complicated than checking 'userId' on the affected record, and is unique for a few different cases. (For an example let's say users can be members of groups and can only post to groups they're a member of). How can I make the types work? when I try to use the input of protectedProcedure the

input

input

is typeof unsetMarkertypeof unsetMarker.

Here's the type signature for my

authorize

authorize

function:

trachesOP•5/30/25, 3:36 PM

Nick•5/31/25, 10:51 AM

Got it

Solution

Nick•5/31/25, 10:51 AM

Yeah it's possible to do what you want:

Nick•5/31/25, 10:51 AM

you can define a base procedure with authorization for "thing" baked in and then use that for various procedures with extra input data. Inputs and Ctx can both be extended and merged over multiple layers

trachesOP•6/2/25, 11:02 AM

Ahhh cool, I didn't think of defining middleware after defining the input. Awesome, thanks a ton!

y_nk•8/1/25, 11:35 AM

@traches

this achieves what you want

const p = t.procedure

export const protectedProcedure = {
  ...p,

  authorize(this: typeof p, authorizationConfig: any) {
    return this.use(
      // this is a middleware
      async function authorizeMiddleware({ ctx, next }) {
        
        return next({ ...ctx })
      }
    )
  }
}

const p = t.procedure

export const protectedProcedure = {
  ...p,

  authorize(this: typeof p, authorizationConfig: any) {
    return this.use(
      // this is a middleware
      async function authorizeMiddleware({ ctx, next }) {
        
        return next({ ...ctx })
      }
    )
  }
}