Use appRouter paths as whitelist for API

[zirkelc]

Hey,

I have lots of illegitimate requests to my public API which try to access paths commonly associated with certain vulnerable software. Most of the request are blocked by a web application firewall, but some still make it through and cause harm-less but unnecessary errors.

As my API only hosts tRPC, I simply want to block all request to paths not covered by a router and sub-router. Is there function to get a list of paths for a given router object? If not, the current way to achieve this is probably accessing the _def property on the router like Object.keys(router._def.queries)?

[zirkelc]

Turns out an Object.keys(router._def.procedures) is enough

[shahzaib-cmyk]

I figured something out with the help of AI, just gonna paste here just in case it helps.
`import type { AnyTRPCProcedure, TRPCRouterRecord } from "@trpc/server";

import type { AppRouter } from "./main-router";

/**

• Internal helper to extract record from either:
• • a real TRPC router
• • or a plain TRPCRouterRecord
    */
    type GetRecord = T extends { _def: { record: infer R } }
    ? R
    : T extends TRPCRouterRecord
    ? T
    : never;

/**

• Hybrid path extractor that works with:
• • createTRPCRouter()
• • plain objects satisfying TRPCRouterRecord
    */
    export type ExtractAllProcedurePaths<T, Prefix extends string = ""> = {
    [K in keyof GetRecord]: GetRecord[K] extends AnyTRPCProcedure
    ? ${Prefix}${Extract<K, string>}
    : GetRecord[K] extends object
    ? ExtractAllProcedurePaths<
    GetRecord[K],
    ${Prefix}${Extract<K, string>}.
    : never;
    }[keyof GetRecord];

export type AppRouterPaths = ExtractAllProcedurePaths & {};
`
The issue I was initially having with extracting paths was that not all of my routers used the createTRPCRouter function, and instead were just an object that satisfied the TRPCRouterRecord interface. This takes care of that. I plan to use this to maintain a Record that maps procedure names to header overrides, so I can enable cdn caching on certain routes in the responseMeta function.