From harness-claude
Adds tRPC middleware for auth checks, logging, rate limiting, and context enrichment on procedures. Builds typed procedure builders like protectedProcedure and adminProcedure.
npx claudepluginhub intense-visions/harness-engineering --plugin harness-claudeThis skill uses the workspace's default tool permissions.
> Add cross-cutting logic (auth checks, logging, rate limiting) to procedures via t.middleware
Builds end-to-end type-safe tRPC APIs with routers, procedures, middleware, subscriptions, and Next.js/React integration for TypeScript full-stack apps.
Injects database clients, user sessions, and request data into tRPC procedures via createTRPCContext for typed access in handlers and middleware. For Next.js tRPC servers.
Guides tRPC end-to-end typesafe API development with router architecture, procedure design, Zod input validation, middleware chaining via unstable_pipe, TRPCError handling, and Vertical Slice pattern.
Share bugs, ideas, or general feedback.
Add cross-cutting logic (auth checks, logging, rate limiting) to procedures via t.middleware
protectedProcedure, adminProcedure)t.middleware(async ({ ctx, next }) => { ... }) — call next({ ctx: { ...ctx, ...enriched } }) to pass enriched context to the handler..use(middleware) — the middleware runs before the input validation and handler..use() and exporting the result: export const protectedProcedure = t.procedure.use(isAuthed).new TRPCError({ code: 'UNAUTHORIZED' }) in middleware to reject the request — the error propagates to the client's onError handler.ctx..pipe() to compose multiple middleware — each receives the context enriched by the previous middleware.next() at the end of middleware — forgetting this causes the procedure to never respond.// server/trpc.ts — middleware and procedure builders
import { initTRPC, TRPCError } from '@trpc/server';
import type { TRPCContext } from './context';
const t = initTRPC.context<TRPCContext>().create();
// Auth middleware — enriches ctx with session and user
const isAuthed = t.middleware(async ({ ctx, next }) => {
if (!ctx.session?.user) {
throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Not signed in' });
}
return next({
ctx: {
...ctx,
// TypeScript now knows session and user are non-null in subsequent handlers
session: ctx.session,
user: ctx.session.user,
},
});
});
// Admin middleware — must be used after isAuthed (pipes)
const isAdmin = t.middleware(async ({ ctx, next }) => {
// ctx.user is typed as defined by isAuthed — no null check needed
if (ctx.user.role !== 'admin') {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Admin access required' });
}
return next({ ctx });
});
// Timing middleware — logs procedure duration
const timingMiddleware = t.middleware(async ({ path, next }) => {
const start = Date.now();
const result = await next();
console.log(`[tRPC] ${path} took ${Date.now() - start}ms`);
return result;
});
export const publicProcedure = t.procedure.use(timingMiddleware);
export const protectedProcedure = publicProcedure.use(isAuthed);
export const adminProcedure = protectedProcedure.use(isAdmin);
tRPC middleware is a functional chain: each middleware receives the current ctx and calls next() to pass control to the next middleware or the handler. The ctx passed to next() becomes the ctx available in subsequent middleware and the handler.
Context type narrowing: When middleware adds properties to ctx (e.g., user: NonNullable<Ctx['session']['user']>), TypeScript updates the ctx type for everything downstream. This is why protectedProcedure's handler can access ctx.user without null checks — the middleware has already asserted non-null.
Middleware composition: protectedProcedure.use(isAdmin) creates adminProcedure. Middleware applied earlier in the chain runs first. timingMiddleware.use(isAuthed).use(isAdmin) runs timing, then auth, then admin check, then the handler.
next() return value: Middleware can inspect the handler's return value by const result = await next() and then examine or transform result.ok / result.data. This pattern is useful for response logging and transforming output globally.
Procedure reuse pattern: Instead of applying middleware individually to each procedure, create named procedure builders (publicProcedure, protectedProcedure, adminProcedure) and use them as the base for all procedures in a domain. This guarantees consistent middleware application.
Input access in middleware: Middleware does not have access to the validated input by default. If middleware needs input values (e.g., for rate limiting by resource ID), use experimental_caller or restructure to check after input validation by placing middleware after .input().
https://trpc.io/docs/server/middlewares