clerk-sdk-ruby 1.0.2 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cef3c6d803258b6f1e265dad2cd2de936f96c50df20b87cfbf2b925c37ecd443
-  data.tar.gz: d280a0b94a0fa8a89d267a7af6915171c5e4860a21fafad2c400f9c3a1610126
+  metadata.gz: a7c5c3acce169c08f7086a82fa9cca56744cfe3e04b38108d3ed0b67b513465c
+  data.tar.gz: f6f7c462e1e20dc21aae755ba3d1415a532e064bd261bccd5b70326535771314
 SHA512:
-  metadata.gz: 3784def3d89def58174ee71733119162a4e579ac99ee4b016bbea7d234e28caa71e59d0c74e3cf3b06b557164ed81c9cdb9630d000929656e4cc4dcb16254861
-  data.tar.gz: 0f71e96b2781cdfbade6173cb28f9ea14d6f61b4dcd11014dc95b8baa2d45c660ea4d1c21ff5fa87c1bbb60daff8d6eab1c61d354a8f45be21e282e585390ef3
+  metadata.gz: 9dff36e343ccaf010b311f24daaee819602ea1b1861b4aeece0961c417bc98ede1e9e70598cc4b41f83cd1a64a3114dd00b1df0cca321a380a3fe4b2e9049112
+  data.tar.gz: b0cff1342e5175b4264258fcb581698d514ba693000d3165f7187b994f649b40c40b88033e2f383071f42db48752d2218413b49a310752def343d17d7f2c3ff6

data/.gitignore

@@ -6,3 +6,6 @@
 /pkg/
 /spec/reports/
 /tmp/
+
+.byebug_history
+*.gem

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 ## unreleased
 
+## 2.0.0 - 2021-10-21
+
+This release introduces the new networkless middleware which works with the new 
+authentication scheme, [Auth v2](https://docs.clerk.dev/main-concepts/auth-v2).
+
+It is backwards-incompatible with applications using Auth v1.
+
+- [BREAKING]: In order to use this version, you must set the authVersion prop 
+    accordingly in your frontend: `Clerk.load({authVersion: 2})`
+
+For more information on Auth v2, please refer to 
+https://docs.clerk.dev/main-concepts/auth-v2.
+
+## 1.0.3 - 2021-07-21
+
+- fix: Proper endpoint for oauth_access_token method
+
 ## 1.0.2 - 2021-06-03
 
 - fix: Instantiation of `Clerk::SDK` without prior call to `Clerk.configure`

data/Gemfile.lock

@@ -1,13 +1,15 @@
 PATH
   remote: .
   specs:
-    clerk-sdk-ruby (1.0.2)
+    clerk-sdk-ruby (1.0.3)
       faraday (~> 1.4.1)
+      jwt (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    faraday (1.4.2)
+    byebug (11.1.3)
+    faraday (1.4.3)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -19,19 +21,23 @@ GEM
     faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.1.0)
+    faraday-net_http_persistent (1.2.0)
+    jwt (2.2.3)
     minitest (5.14.2)
     multipart-post (2.1.1)
     rake (13.0.3)
-    ruby2_keywords (0.0.4)
+    ruby2_keywords (0.0.5)
+    timecop (0.9.4)
 
 PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  byebug (~> 11.1)
   clerk-sdk-ruby!
   minitest (~> 5.0)
   rake (~> 13.0)
+  timecop (~> 0.9.4)
 
 BUNDLED WITH
-   2.2.15
+   2.2.24

data/README.md

@@ -6,6 +6,16 @@ session & user management needs!
 This SDK allows you to call the Clerk Backend API from Ruby code without having
 to implement the calls yourself.
 
+---------
+
+**Note**: This is the v2 branch, which requires that you use [Auth 
+v2](https://docs.clerk.dev/main-concepts/auth-v2).
+
+If you're looking for the legacy authentication scheme (Auth v1), refer to the 
+[`main`](https://github.com/clerkinc/clerk-sdk-ruby/tree/main) branch.
+
+----------
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/bin/console

@@ -3,6 +3,7 @@
 
 require "bundler/setup"
 require "clerk"
+require "byebug"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/clerk-sdk-ruby.gemspec

@@ -28,4 +28,8 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "faraday", "~> 1.4.1"
+  spec.add_dependency "jwt", '~> 2.2'
+
+  spec.add_development_dependency "byebug", "~> 11.1"
+  spec.add_development_dependency "timecop", "~> 0.9.4"
 end

data/lib/clerk/authenticatable.rb

@@ -5,16 +5,52 @@ module Clerk
     extend ActiveSupport::Concern
 
     protected
+
+    # Makes a request to the Clerk API to verify the session again and return
+    # the Session object. Subsequent calls to this method will return the cached
+    # Session object.
+    #
+    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # which already contains the verified claims as retrieved from the session
+    # token.
     def clerk_session
       request.env["clerk"].session
     end
 
+    # Makes a request to the Clerk API to verify the session again. Returns the
+    # session object as fetched from the API.
+    #
+    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # which already contains the verified claims as retrieved from the session
+    # token.
+    #
+    # See https://docs.clerk.dev/reference/backend-api-reference/sessions#verify-a-session
+    def clerk_reverify_session!
+      request.env["clerk"].verify_session
+    end
+
+    def clerk_verified_session_claims
+      request.env["clerk"].session_claims
+    end
+
+    def clerk_verified_session_token
+      request.env["clerk"].session_token
+    end
+
+    # Makes a request to the Clerk API to fetch the data of the authenticated
+    # session's user. If caching is configured (see
+    # Config.middleware_cache_store), subsequent calls will return the cached
+    # object.
     def clerk_user
       request.env["clerk"].user
     end
 
+    def clerk_user_id
+      request.env["clerk"].user_id
+    end
+
     def clerk_user_signed_in?
-      !!clerk_user
+      !!clerk_verified_session_claims
     end
 
     def clerk_sign_in_url
@@ -30,8 +66,10 @@ module Clerk
     end
 
     included do
-      helper_method :clerk_session, :clerk_user, :clerk_user_signed_in?,
-        :clerk_sign_in_url, :clerk_sign_up_url, :clerk_user_profile_url
+      helper_method :clerk_session, :clerk_reverify_session!,
+        :clerk_verified_session_claims, :clerk_verified_session_token,
+        :clerk_user, :clerk_user_id, :clerk_user_signed_in?, :clerk_sign_in_url,
+        :clerk_sign_up_url, :clerk_user_profile_url
     end
   end
 end

data/lib/clerk/rack_middleware_v2.rb

@@ -0,0 +1,168 @@
+require "clerk"
+
+module Clerk
+  class RackMiddlewareV2
+    class ProxyV2
+      CACHE_TTL = 60 # seconds
+
+      attr_reader :session_claims, :session_token
+
+      def initialize(session_claims: nil, session_token: nil)
+        @session_claims = session_claims
+        @session_token = session_token
+        @session = nil
+      end
+
+      def session
+        return nil if @session_claims.nil?
+
+        @session ||= verify_session
+      end
+
+      def verify_session
+        return nil if @session_claims.nil?
+
+        sdk.sessions.verify_token(@session_claims["sid"], @session_token)
+      end
+
+      def user
+        return nil if user_id.nil?
+
+        @user ||= fetch_user(user_id)
+      end
+
+      def user_id
+        return nil if @session_claims.nil?
+
+        @session_claims["sub"]
+      end
+
+      private
+
+      def fetch_user(user_id)
+        cached_fetch("clerk_user:#{user_id}") do
+          sdk.users.find(user_id)
+        end
+      end
+
+      def cached_fetch(key, &block)
+        if store = Clerk.configuration.middleware_cache_store
+          store.fetch(key, expires_in: CACHE_TTL, &block)
+        else
+          yield
+        end
+      end
+
+      def sdk
+        @sdk ||= Clerk::SDK.new
+      end
+    end
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @env = env
+      @req = Rack::Request.new(env)
+      @env["clerk"] = ProxyV2.new
+      @header_token = @req.env["HTTP_AUTHORIZATION"]&.strip
+      @cookie_token = @req.cookies["__session"]
+      @client_uat = @req.cookies["__client_uat"]
+
+      ##########################################################################
+      #                                                                        #
+      #                          HEADER AUTHENTICATION                         #
+      #                                                                        #
+      ##########################################################################
+      if @header_token
+        return signed_out if !sdk.decode_token(@header_token) # malformed JWT
+
+        token = verify_token(@header_token)
+        return signed_in(token, @header_token) if token
+
+        # Clerk.js should refresh the token and retry
+        return unknown(interstitial: false)
+      end
+
+      # in cross-origin XHRs the use of Authorization header is mandatory.
+      if cross_origin_request?(@req)
+        return signed_out
+      end
+
+      ##########################################################################
+      #                                                                        #
+      #                             COOKIE AUTHENTICATION                      #
+      #                                                                        #
+      ##########################################################################
+      if development_or_staging? && (@req.referrer.nil? || cross_origin_request?(@req))
+        return unknown(interstitial: true)
+      end
+
+      if production? && @client_uat.nil?
+        return signed_out
+      end
+
+      if @client_uat == "0"
+        return signed_out
+      end
+
+      token = verify_token(@cookie_token)
+
+      if token && token["iat"] && @client_uat && Integer(@client_uat) <= token["iat"]
+        return signed_in(token, @cookie_token)
+      end
+
+      unknown(interstitial: true)
+    end
+
+    private
+
+    # Outcome A
+    def signed_in(claims, token)
+      @env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
+
+      @app.call(@env)
+    end
+
+    # Outcome B
+    def signed_out
+      @app.call(@env)
+    end
+
+    # Outcome C
+    def unknown(interstitial: false)
+      return [401, {}, []] if !interstitial
+
+      # Load Clerk.js to update the __session and __client_uat cookies.
+      [401, {"Content-Type" => "text/html"}, [sdk.interstitial]]
+    end
+
+    def development_or_staging?
+      Clerk.configuration.api_key.start_with?("test_")
+    end
+
+    def production?
+      !development_or_staging?
+    end
+
+    def cross_origin_request?(req)
+      origin = req.env["HTTP_ORIGIN"]
+      origin && origin.sub(/(^\w+:|^)\/\//, '') != req.host
+    end
+
+    def verify_token(token)
+      return false if token.nil? || token.strip.empty?
+
+      begin
+        @session = sdk.verify_token(token)
+      rescue JWT::DecodeError, JWT::RequiredDependencyError => e
+        false
+      end
+    end
+
+    def sdk
+      @sdk ||= Clerk::SDK.new
+    end
+  end
+end

data/lib/clerk/railtie.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 #
 require_relative "rack_middleware"
+require_relative "rack_middleware_v2"
 
 module Clerk
   class Railtie < ::Rails::Railtie
     initializer "clerk_railtie.configure_rails_initialization" do |app|
-      app.middleware.use Clerk::RackMiddleware
+      app.middleware.use Clerk::RackMiddlewareV2
     end
   end
 end

data/lib/clerk/resources/jwks.rb

@@ -0,0 +1,18 @@
+require "forwardable"
+require_relative "plural_resource"
+
+module Clerk
+  module Resources
+    class JWKS
+      extend Forwardable
+
+      def initialize(client)
+        @client = client
+      end
+
+      def all(timeout: 5)
+        @client.request(:get, "jwks", timeout: timeout)
+      end
+    end
+  end
+end

data/lib/clerk/resources/users.rb

@@ -7,10 +7,15 @@ module Clerk
       extend Forwardable
 
       def initialize(client)
+        @client = client
         @resource = PluralResource.new(client, "users")
       end
 
       def_delegators :@resource, :all, :find, :update, :delete
+
+      def oauth_access_token(user_id, provider)
+        @client.request(:get, "#{@resource.resource_path(user_id)}/oauth_access_tokens/#{provider}")
+      end
     end
   end
 end

data/lib/clerk/resources.rb

@@ -5,3 +5,4 @@ require_relative "resources/emails"
 require_relative "resources/sessions"
 require_relative "resources/sms_messages"
 require_relative "resources/users"
+require_relative "resources/jwks"

data/lib/clerk/sdk.rb

@@ -4,6 +4,7 @@ require "faraday"
 require "logger"
 require "net/http"
 require "json"
+require "jwt"
 
 require_relative "resources/allowlist_identifiers"
 require_relative "resources/allowlist"
@@ -12,6 +13,8 @@ require_relative "resources/emails"
 require_relative "resources/sessions"
 require_relative "resources/sms_messages"
 require_relative "resources/users"
+require_relative "resources/users"
+require_relative "resources/jwks"
 require_relative "errors"
 
 module Clerk
@@ -20,8 +23,13 @@ module Clerk
       "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}"
     }
 
+    # How often (in seconds) should JWKs be refreshed
+    JWKS_CACHE_LIFETIME = 3600 # 1 hour
+
     def initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true,
                    connection: nil)
+      @jwks_fetched_at = nil
+
       if connection # Inject a Faraday::Connection for testing or full control over Faraday
         @conn = connection
         return
@@ -48,16 +56,26 @@ module Clerk
       end
     end
 
-    def request(method, path, query: [], body: nil)
+    def request(method, path, query: [], body: nil, timeout: nil)
       response = case method
                  when :get
-                   @conn.get(path, query)
+                   @conn.get(path, query) do |req|
+                     req.options.timeout = timeout if timeout
+                   end
                  when :post
-                   @conn.post(path, body)
+                   @conn.post(path, body) do |req|
+                     req.body = body
+                     req.options.timeout = timeout if timeout
+                   end
                  when :patch
-                   @conn.patch(path, body)
+                   @conn.patch(path, body) do |req|
+                     req.body = body
+                     req.options.timeout = timeout if timeout
+                   end
                  when :delete
-                   @conn.delete(path)
+                   @conn.delete(path) do |req|
+                     req.options.timeout = timeout if timeout
+                   end
                  end
 
       body = if response["Content-Type"] == "application/json"
@@ -106,5 +124,50 @@ module Clerk
     def users
       Resources::Users.new(self)
     end
+
+    def jwks
+      Resources::JWKS.new(self)
+    end
+
+    def interstitial(refresh=false)
+      request(:get, "internal/interstitial")
+    end
+
+    # Returns the decoded JWT payload without verifying if the signature is
+    # valid.
+    #
+    # WARNING: This will not verify whether the signature is valid. You
+    # should not use this for untrusted messages! You most likely want to use
+    # verify_token.
+    def decode_token(token)
+      JWT.decode(token, nil, false).first
+    end
+
+    # Decode the JWT and verify it's valid (verify claims, signature etc.) using
+    # the provided algorithms.
+    #
+    # JWKS are cached for JWKS_CACHE_LIFETIME seconds, in order to avoid
+    # unecessary roundtrips. In order to invalidate the cache, pass
+    # `force_refresh_jwks: true`.
+    #
+    # A timeout for the request to the JWKs endpoint can be set with the
+    # `timeout` argument.
+    def verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5)
+      jwk_loader = ->(options) do
+        @cached_jwks = nil if options[:invalidate] || force_refresh_jwks
+        @cached_jwks = nil if @jwks_fetched_at && Time.now.to_i - @jwks_fetched_at > JWKS_CACHE_LIFETIME
+
+        @cached_jwks ||= begin
+          keys = jwks.all["keys"]
+          @jwks_fetched_at = Time.now.to_i
+
+          # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
+          # opposed to a string which our SDK returns by default)
+          { keys: keys }
+        end
+      end
+
+      JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwk_loader).first
+    end
   end
 end

data/lib/clerk/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clerk
-  VERSION = "1.0.2"
+  VERSION = "2.0.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: clerk-sdk-ruby
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 2.0.1
 platform: ruby
 authors:
 - Clerk
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-06-03 00:00:00.000000000 Z
+date: 2021-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -24,6 +24,48 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.4.1
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.4
 description: Client SDK for the Clerk backend API.
 email:
 - ruby-sdk@clerk.dev
@@ -47,12 +89,14 @@ files:
 - lib/clerk/errors.rb
 - lib/clerk/proxy.rb
 - lib/clerk/rack_middleware.rb
+- lib/clerk/rack_middleware_v2.rb
 - lib/clerk/railtie.rb
 - lib/clerk/resources.rb
 - lib/clerk/resources/allowlist.rb
 - lib/clerk/resources/allowlist_identifiers.rb
 - lib/clerk/resources/clients.rb
 - lib/clerk/resources/emails.rb
+- lib/clerk/resources/jwks.rb
 - lib/clerk/resources/plural_resource.rb
 - lib/clerk/resources/sessions.rb
 - lib/clerk/resources/singular_resource.rb
@@ -68,7 +112,7 @@ metadata:
   homepage_uri: https://github.com/clerkinc/clerk-sdk-ruby
   source_code_uri: https://github.com/clerkinc/clerk-sdk-ruby
   changelog_uri: https://github.com/clerkinc/clerk-sdk-ruby/blob/main/CHANGELOG.md
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -83,8 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
-signing_key:
+rubygems_version: 3.2.5
+signing_key: 
 specification_version: 4
 summary: Clerk SDK for Ruby.
 test_files: []