# tRPC Protected Procedure Missing Authentication

- ID: trpc-missing-auth-middleware
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript
- Frameworks: trpc

## Description

Using `publicProcedure` for mutations or for procedures that return user-specific data allows unauthenticated callers to read or manipulate accounts, because no middleware checks for a session before the resolver runs.

## Detection Message

Procedure '{procedure}' handles sensitive data but uses publicProcedure. Use protected procedure with authentication middleware.

## Remediation

Use a `protectedProcedure` built on an authentication middleware for sensitive operations. The middleware rejects requests that carry no session and narrows the context so that `ctx.user` is guaranteed to exist inside the resolver.

```typescript
import { initTRPC, TRPCError } from '@trpc/server';
import { z } from 'zod';

// Per-request context; `session` is populated by the application's auth layer (assumed).
interface Context {
  session?: { user: { id: string } } | null;
}

const t = initTRPC.context<Context>().create();
const router = t.router;

// Reject unauthenticated requests and narrow ctx so `ctx.user` is non-null downstream.
const isAuthed = t.middleware(async ({ ctx, next }) => {
  if (!ctx.session?.user) {
    throw new TRPCError({ code: 'UNAUTHORIZED' });
  }
  return next({ ctx: { user: ctx.session.user } });
});

const protectedProcedure = t.procedure.use(isAuthed);

export const userRouter = router({
  updateProfile: protectedProcedure
    .input(z.object({ bio: z.string() }))
    .mutation(async ({ ctx, input }) => {
      // `db` is the application's database client (assumed to be in scope).
      return await db.user.update({
        where: { id: ctx.user.id },
        data: { bio: input.bio },
      });
    }),
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-285/missing-auth-middleware

## Related Rules

- **Angular Missing Route Guard** [CRITICAL]
- **NestJS Sensitive Route Missing Guard** [CRITICAL]
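A lightweight source check that mirrors this rule's detection logic, added here as an example and not part of the rule page or of tRPC: it scans a router literal for procedures declared on `publicProcedure` that define a `.mutation(` or read `ctx.session`/`ctx.user`, and reports them in the rule's detection-message format. The `scanRouterSource` and `formatMessage` functions, the `Finding` shape and the sample router text are all constructed for this example.

```typescript
// Added example: a text-level scan of a tRPC router for procedures that handle
// user data or mutate state while still being built on `publicProcedure`.
interface Finding {
  procedure: string;
  reason: string;
}

// Each procedure starts with `name: publicProcedure` or `name: protectedProcedure`;
// its body runs until the next such declaration or the end of the source.
const PROCEDURE_START = /(\w+)\s*:\s*(publicProcedure|protectedProcedure)\b/g;

function scanRouterSource(source: string): Finding[] {
  const starts: { name: string; base: string; start: number; bodyStart: number }[] = [];
  let m: RegExpExecArray | null;
  PROCEDURE_START.lastIndex = 0;
  while ((m = PROCEDURE_START.exec(source)) !== null) {
    starts.push({ name: m[1], base: m[2], start: m.index, bodyStart: m.index + m[0].length });
  }
  const findings: Finding[] = [];
  starts.forEach((p, i) => {
    if (p.base !== 'publicProcedure') return; // already behind the auth middleware
    const bodyEnd = i + 1 < starts.length ? starts[i + 1].start : source.length;
    const body = source.slice(p.bodyStart, bodyEnd);
    if (/\.mutation\s*\(/.test(body)) {
      findings.push({ procedure: p.name, reason: 'mutation exposed without authentication' });
    } else if (/\bctx\.(session|user)\b/.test(body)) {
      findings.push({ procedure: p.name, reason: 'reads per-user context without authentication' });
    }
  });
  return findings;
}

// Renders a finding in the rule's detection-message format.
function formatMessage(f: Finding): string {
  return `Procedure '${f.procedure}' handles sensitive data but uses publicProcedure (${f.reason}).`;
}

// Constructed sample router: a harmless public query, a public mutation the rule
// should flag, and a protected query that is fine.
const SAMPLE_ROUTER = `
export const userRouter = router({
  health: publicProcedure.query(() => 'ok'),
  updateProfile: publicProcedure
    .input(z.object({ bio: z.string() }))
    .mutation(async ({ ctx, input }) =>
      db.user.update({ where: { id: ctx.session.user.id }, data: { bio: input.bio } })),
  me: protectedProcedure.query(({ ctx }) => ctx.user),
});
`;
```

Running `scanRouterSource(SAMPLE_ROUTER)` yields a single finding for `updateProfile`; the text scan is a heuristic, so a real rule would work on the AST rather than on regexes.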