tianji/src/server/trpc/trpc.ts

import { initTRPC, inferAsyncReturnType, TRPCError } from '@trpc/server';
import { z } from 'zod';
import { jwtVerify } from '../middleware/auth.js';
import { getWorkspaceUser } from '../model/workspace.js';
import { ROLES, SYSTEM_ROLES } from '@tianji/shared';
import type { Request } from 'express';
import { OpenApiMeta } from 'trpc-openapi';
import { getSession } from '@auth/express';
import { authConfig } from '../model/auth.js';
import { get } from 'lodash-es';

export async function createContext({ req }: { req: Request }) {
  const authorization = req.headers['authorization'] ?? '';
  const token = authorization.replace('Bearer ', '');

  return { token, req };
}

type Context = inferAsyncReturnType<typeof createContext>;
const t = initTRPC.context<Context>().meta<OpenApiMeta>().create();

export type OpenApiMetaInfo = NonNullable<OpenApiMeta['openapi']>;

export const middleware = t.middleware;
export const router = t.router;
export const publicProcedure = t.procedure;

const isUser = middleware(async (opts) => {
  // auth with token
  const token = opts.ctx.token;

  if (token) {
    try {
      const user = jwtVerify(token);

      return opts.next({
        ctx: {
          user,
        },
      });
    } catch (err) {
      throw new TRPCError({ code: 'UNAUTHORIZED', message: 'TokenInvalid' });
    }
  }

  // auth with session
  const req = opts.ctx.req;
  const session = await getSession(req, authConfig);

  if (session) {
    return opts.next({
      ctx: {
        user: {
          id: session.user?.id,
          username: session.user?.name,
          role: SYSTEM_ROLES.user,
        },
      },
    });
  }

  throw new TRPCError({ code: 'UNAUTHORIZED', message: 'No Token or Session' });
});

export const protectProedure = t.procedure.use(isUser);

const isSystemAdmin = isUser.unstable_pipe(async (opts) => {
  const { ctx, input } = opts;

  if (ctx.user.role !== SYSTEM_ROLES.admin) {
    throw new TRPCError({ code: 'FORBIDDEN' });
  }

  return opts.next();
});

export const systemAdminProcedure = t.procedure.use(isSystemAdmin);
export const workspaceProcedure = protectProedure
  .input(
    z.object({
      workspaceId: z.string().cuid2(),
    })
  )
  .use(createWorkspacePermissionMiddleware());
export const workspaceOwnerProcedure = protectProedure
  .input(
    z.object({
      workspaceId: z.string().cuid2(),
    })
  )
  .use(createWorkspacePermissionMiddleware([ROLES.owner]));

/**
 * Create a trpc middleware which help user check workspace permission
 */
function createWorkspacePermissionMiddleware(roles: ROLES[] = []) {
  return isUser.unstable_pipe(async (opts) => {
    const { ctx, input } = opts;

    const workspaceId = get(input, 'workspaceId', '');
    if (!workspaceId) {
      throw new TRPCError({
        code: 'INTERNAL_SERVER_ERROR',
        message: 'Payload required workspaceId',
      });
    }

    const userId = ctx.user.id;

    if (!userId) {
      throw new TRPCError({
        code: 'INTERNAL_SERVER_ERROR',
        message: 'ctx miss userId',
      });
    }

    const info = await getWorkspaceUser(workspaceId, userId);
    if (!info) {
      throw new TRPCError({
        code: 'FORBIDDEN',
        message: 'Is not workspace user',
      });
    }

    if (Array.isArray(roles) && roles.length > 0) {
      if (!roles.includes(info.role as ROLES)) {
        throw new TRPCError({
          code: 'FORBIDDEN',
          message: `Workspace roles not has this permission, need ${roles}`,
        });
      }
    }

    return opts.next();
  });
}
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`import { initTRPC, inferAsyncReturnType, TRPCError } from '@trpc/server';`
feat: notification upsert api 2023-09-27 20:27:46 +08:00			`import { z } from 'zod';`
refactor: change all import with .js suffix, which will help nodejs(esm) to import code clear. 2024-07-28 20:32:41 +08:00			`import { jwtVerify } from '../middleware/auth.js';`
			`import { getWorkspaceUser } from '../model/workspace.js';`
refactor: add shared packacage 2024-01-24 13:26:42 +00:00			`import { ROLES, SYSTEM_ROLES } from '@tianji/shared';`
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`import type { Request } from 'express';`
feat: add trpc openapi and swagger ui 2023-10-22 00:26:13 +08:00			`import { OpenApiMeta } from 'trpc-openapi';`
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`import { getSession } from '@auth/express';`
			`import { authConfig } from '../model/auth.js';`
refactor: remove lodash 2024-08-16 00:22:24 +08:00			`import { get } from 'lodash-es';`
feat: add trpc framework 2023-09-27 17:56:32 +08:00
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`export async function createContext({ req }: { req: Request }) {`
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`const authorization = req.headers['authorization'] ?? '';`
			`const token = authorization.replace('Bearer ', '');`

feat: add survey backend endpoint 2024-04-28 14:55:29 +08:00			`return { token, req };`
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`}`

			`type Context = inferAsyncReturnType<typeof createContext>;`
feat: add trpc openapi and swagger ui 2023-10-22 00:26:13 +08:00			`const t = initTRPC.context<Context>().meta<OpenApiMeta>().create();`
feat: add trpc framework 2023-09-27 17:56:32 +08:00
docs: add openapi for global and website 2023-10-23 01:44:08 +08:00			`export type OpenApiMetaInfo = NonNullable<OpenApiMeta['openapi']>;`

feat: add trpc framework 2023-09-27 17:56:32 +08:00			`export const middleware = t.middleware;`
			`export const router = t.router;`
			`export const publicProcedure = t.procedure;`

refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`const isUser = middleware(async (opts) => {`
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`// auth with token`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`const token = opts.ctx.token;`

feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`if (token) {`
			`try {`
			`const user = jwtVerify(token);`

			`return opts.next({`
			`ctx: {`
			`user,`
			`},`
			`});`
			`} catch (err) {`
			`throw new TRPCError({ code: 'UNAUTHORIZED', message: 'TokenInvalid' });`
			`}`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`}`

feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`// auth with session`
			`const req = opts.ctx.req;`
			`const session = await getSession(req, authConfig);`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`if (session) {`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`return opts.next({`
			`ctx: {`
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00			`user: {`
			`id: session.user?.id,`
			`username: session.user?.name,`
			`role: SYSTEM_ROLES.user,`
			`},`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`},`
			`});`
			`}`
feat: add support for legacy traditional login methods 2024-07-31 00:40:04 +08:00
			`throw new TRPCError({ code: 'UNAUTHORIZED', message: 'No Token or Session' });`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`});`

			`export const protectProedure = t.procedure.use(isUser);`

			`const isSystemAdmin = isUser.unstable_pipe(async (opts) => {`
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`const { ctx, input } = opts;`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`if (ctx.user.role !== SYSTEM_ROLES.admin) {`
			`throw new TRPCError({ code: 'FORBIDDEN' });`
			`}`

			`return opts.next();`
			`});`

			`export const systemAdminProcedure = t.procedure.use(isSystemAdmin);`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`export const workspaceProcedure = protectProedure`
feat: notification upsert api 2023-09-27 20:27:46 +08:00			`.input(`
			`z.object({`
refactor: db id type replace uuid with cuid 2023-10-06 00:06:44 +08:00			`workspaceId: z.string().cuid2(),`
feat: notification upsert api 2023-09-27 20:27:46 +08:00			`})`
			`)`
			`.use(createWorkspacePermissionMiddleware());`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`export const workspaceOwnerProcedure = protectProedure`
feat: notification upsert api 2023-09-27 20:27:46 +08:00			`.input(`
			`z.object({`
refactor: db id type replace uuid with cuid 2023-10-06 00:06:44 +08:00			`workspaceId: z.string().cuid2(),`
feat: notification upsert api 2023-09-27 20:27:46 +08:00			`})`
			`)`
			`.use(createWorkspacePermissionMiddleware([ROLES.owner]));`
feat: add trpc framework 2023-09-27 17:56:32 +08:00
			`/**`
			`* Create a trpc middleware which help user check workspace permission`
			`*/`
			`function createWorkspacePermissionMiddleware(roles: ROLES[] = []) {`
refactor: update trpc entry style 2023-10-03 15:56:09 +08:00			`return isUser.unstable_pipe(async (opts) => {`
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`const { ctx, input } = opts;`

refactor: remove lodash 2024-08-16 00:22:24 +08:00			`const workspaceId = get(input, 'workspaceId', '');`
feat: add trpc framework 2023-09-27 17:56:32 +08:00			`if (!workspaceId) {`
			`throw new TRPCError({`
			`code: 'INTERNAL_SERVER_ERROR',`
			`message: 'Payload required workspaceId',`
			`});`
			`}`

			`const userId = ctx.user.id;`

			`if (!userId) {`
			`throw new TRPCError({`
			`code: 'INTERNAL_SERVER_ERROR',`
			`message: 'ctx miss userId',`
			`});`
			`}`

			`const info = await getWorkspaceUser(workspaceId, userId);`
			`if (!info) {`
			`throw new TRPCError({`
			`code: 'FORBIDDEN',`
			`message: 'Is not workspace user',`
			`});`
			`}`

			`if (Array.isArray(roles) && roles.length > 0) {`
			`if (!roles.includes(info.role as ROLES)) {`
			`throw new TRPCError({`
			`code: 'FORBIDDEN',`
			message: `Workspace roles not has this permission, need ${roles}`,
			`});`
			`}`
			`}`

			`return opts.next();`
			`});`
			`}`