tianji/src/server/trpc/trpc.ts

import { initTRPC, inferAsyncReturnType, TRPCError } from '@trpc/server';
import _ from 'lodash';
import { z } from 'zod';
import { jwtVerify } from '../middleware/auth';
import { getWorkspaceUser } from '../model/workspace';
import { ROLES, SYSTEM_ROLES } from '../utils/const';
import type { IncomingMessage } from 'http';
import { OpenApiMeta } from 'trpc-openapi';

export function createContext({ req }: { req: IncomingMessage }) {
  const authorization = req.headers['authorization'] ?? '';
  const token = authorization.replace('Bearer ', '');

  return { token };
}

type Context = inferAsyncReturnType<typeof createContext>;
const t = initTRPC.context<Context>().meta<OpenApiMeta>().create();

export const middleware = t.middleware;
export const router = t.router;
export const publicProcedure = t.procedure;

const isUser = middleware(async (opts) => {
  const token = opts.ctx.token;

  if (!token) {
    throw new TRPCError({ code: 'UNAUTHORIZED', message: 'NoToken' });
  }

  try {
    const user = jwtVerify(token);

    return opts.next({
      ctx: {
        user,
      },
    });
  } catch (err) {
    throw new TRPCError({ code: 'UNAUTHORIZED', message: 'TokenInvalid' });
  }
});

export const protectProedure = t.procedure.use(isUser);

const isSystemAdmin = isUser.unstable_pipe(async (opts) => {
  const { ctx, input } = opts;

  if (ctx.user.role !== SYSTEM_ROLES.admin) {
    throw new TRPCError({ code: 'FORBIDDEN' });
  }

  return opts.next();
});

export const systemAdminProcedure = t.procedure.use(isSystemAdmin);
export const workspaceProcedure = protectProedure
  .input(
    z.object({
      workspaceId: z.string().cuid2(),
    })
  )
  .use(createWorkspacePermissionMiddleware());
export const workspaceOwnerProcedure = protectProedure
  .input(
    z.object({
      workspaceId: z.string().cuid2(),
    })
  )
  .use(createWorkspacePermissionMiddleware([ROLES.owner]));

/**
 * Create a trpc middleware which help user check workspace permission
 */
function createWorkspacePermissionMiddleware(roles: ROLES[] = []) {
  return isUser.unstable_pipe(async (opts) => {
    const { ctx, input } = opts;

    const workspaceId = _.get(input, 'workspaceId', '');
    if (!workspaceId) {
      throw new TRPCError({
        code: 'INTERNAL_SERVER_ERROR',
        message: 'Payload required workspaceId',
      });
    }

    const userId = ctx.user.id;

    if (!userId) {
      throw new TRPCError({
        code: 'INTERNAL_SERVER_ERROR',
        message: 'ctx miss userId',
      });
    }

    const info = await getWorkspaceUser(workspaceId, userId);
    if (!info) {
      throw new TRPCError({
        code: 'FORBIDDEN',
        message: 'Is not workspace user',
      });
    }

    if (Array.isArray(roles) && roles.length > 0) {
      if (!roles.includes(info.role as ROLES)) {
        throw new TRPCError({
          code: 'FORBIDDEN',
          message: `Workspace roles not has this permission, need ${roles}`,
        });
      }
    }

    return opts.next();
  });
}
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`import { initTRPC, inferAsyncReturnType, TRPCError } from '@trpc/server';`
feat: notification upsert api 2023-09-27 12:27:46 +00:00			`import _ from 'lodash';`
			`import { z } from 'zod';`
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`import { jwtVerify } from '../middleware/auth';`
			`import { getWorkspaceUser } from '../model/workspace';`
			`import { ROLES, SYSTEM_ROLES } from '../utils/const';`
refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`import type { IncomingMessage } from 'http';`
feat: add trpc openapi and swagger ui 2023-10-21 16:26:13 +00:00			`import { OpenApiMeta } from 'trpc-openapi';`
feat: add trpc framework 2023-09-27 09:56:32 +00:00
refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`export function createContext({ req }: { req: IncomingMessage }) {`
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`const authorization = req.headers['authorization'] ?? '';`
			`const token = authorization.replace('Bearer ', '');`

refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`return { token };`
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`}`

			`type Context = inferAsyncReturnType<typeof createContext>;`
feat: add trpc openapi and swagger ui 2023-10-21 16:26:13 +00:00			`const t = initTRPC.context<Context>().meta<OpenApiMeta>().create();`
feat: add trpc framework 2023-09-27 09:56:32 +00:00
			`export const middleware = t.middleware;`
			`export const router = t.router;`
			`export const publicProcedure = t.procedure;`

refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`const isUser = middleware(async (opts) => {`
			`const token = opts.ctx.token;`

			`if (!token) {`
			`throw new TRPCError({ code: 'UNAUTHORIZED', message: 'NoToken' });`
			`}`

			`try {`
			`const user = jwtVerify(token);`

			`return opts.next({`
			`ctx: {`
			`user,`
			`},`
			`});`
			`} catch (err) {`
			`throw new TRPCError({ code: 'UNAUTHORIZED', message: 'TokenInvalid' });`
			`}`
			`});`

			`export const protectProedure = t.procedure.use(isUser);`

			`const isSystemAdmin = isUser.unstable_pipe(async (opts) => {`
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`const { ctx, input } = opts;`
refactor: update trpc entry style 2023-10-03 07:56:09 +00:00
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`if (ctx.user.role !== SYSTEM_ROLES.admin) {`
			`throw new TRPCError({ code: 'FORBIDDEN' });`
			`}`

			`return opts.next();`
			`});`

			`export const systemAdminProcedure = t.procedure.use(isSystemAdmin);`
refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`export const workspaceProcedure = protectProedure`
feat: notification upsert api 2023-09-27 12:27:46 +00:00			`.input(`
			`z.object({`
refactor: db id type replace uuid with cuid 2023-10-05 16:06:44 +00:00			`workspaceId: z.string().cuid2(),`
feat: notification upsert api 2023-09-27 12:27:46 +00:00			`})`
			`)`
			`.use(createWorkspacePermissionMiddleware());`
refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`export const workspaceOwnerProcedure = protectProedure`
feat: notification upsert api 2023-09-27 12:27:46 +00:00			`.input(`
			`z.object({`
refactor: db id type replace uuid with cuid 2023-10-05 16:06:44 +00:00			`workspaceId: z.string().cuid2(),`
feat: notification upsert api 2023-09-27 12:27:46 +00:00			`})`
			`)`
			`.use(createWorkspacePermissionMiddleware([ROLES.owner]));`
feat: add trpc framework 2023-09-27 09:56:32 +00:00
			`/**`
			`* Create a trpc middleware which help user check workspace permission`
			`*/`
			`function createWorkspacePermissionMiddleware(roles: ROLES[] = []) {`
refactor: update trpc entry style 2023-10-03 07:56:09 +00:00			`return isUser.unstable_pipe(async (opts) => {`
feat: add trpc framework 2023-09-27 09:56:32 +00:00			`const { ctx, input } = opts;`

			`const workspaceId = _.get(input, 'workspaceId', '');`
			`if (!workspaceId) {`
			`throw new TRPCError({`
			`code: 'INTERNAL_SERVER_ERROR',`
			`message: 'Payload required workspaceId',`
			`});`
			`}`

			`const userId = ctx.user.id;`

			`if (!userId) {`
			`throw new TRPCError({`
			`code: 'INTERNAL_SERVER_ERROR',`
			`message: 'ctx miss userId',`
			`});`
			`}`

			`const info = await getWorkspaceUser(workspaceId, userId);`
			`if (!info) {`
			`throw new TRPCError({`
			`code: 'FORBIDDEN',`
			`message: 'Is not workspace user',`
			`});`
			`}`

			`if (Array.isArray(roles) && roles.length > 0) {`
			`if (!roles.includes(info.role as ROLES)) {`
			`throw new TRPCError({`
			`code: 'FORBIDDEN',`
			message: `Workspace roles not has this permission, need ${roles}`,
			`});`
			`}`
			`}`

			`return opts.next();`
			`});`
			`}`