Is tRPC in create-t3-app unsafe/public?
I'm trying to use tRPC on the server side to make a call to delete a user, for example. Will that call be publicly available to someone with more tRPC knowledge?
Like, does server/api/routers/post.ts make hello available through some public API? (See the default initial create-t3-app with tRPC and Next.js.)
Yeah, if I pass a user ID I can delete stuff, but you need to protect the endpoints.
There is this in my trpc.ts
import { TRPCError } from '@trpc/server';
// `t` is the initTRPC instance created earlier in trpc.ts

/** Reusable middleware that enforces users are logged in before running the procedure. */
const enforceUserIsAuthed = t.middleware(({ ctx, next }) => {
  if (!ctx.session || !ctx.session.user) {
    throw new TRPCError({ code: 'UNAUTHORIZED' });
  }
  return next({
    ctx: {
      // infers the `session` as non-nullable
      session: { ...ctx.session, user: ctx.session.user },
    },
  });
});

/**
 * Protected (authenticated) procedure
 *
 * If you want a query or mutation to ONLY be accessible to logged in users, use this. It verifies
 * the session is valid and guarantees `ctx.session.user` is not null.
 *
 * @see https://trpc.io/docs/procedures
 */
export const protectedProcedure = t.procedure.use(enforceUserIsAuthed);
Use it to protect your endpoints. You can check for roles from the context in the tRPC procedure and write a sort of 'audit log' by logging, for example, authorId: ctx.session?.user.id?.toString() in your foo.router.ts files.
I think in your case it would make sense to have the delete user call be only available for admin role users or if the current session's user id is the same as the user id of the user being deleted.