clerk-sdk-ruby 2.0.3 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 692cc6e564176d884eb9697a0bfe4a02affda01032c73a9bf704700e45265e4f
-  data.tar.gz: 1f425dd5b92b2bb51e20661d2415c4c1d094c781c2b4a7c0b0199dce29897c74
+  metadata.gz: dd893298c9206f7cacd07fd7c8db9278c2f1c8353d43582a3275ac2a98558bfb
+  data.tar.gz: 7dc3976d5c922f648df6fbf77afd43ea1d2b185d828d23617dad0ac960ea9503
 SHA512:
-  metadata.gz: f6497dff3fb8bc8f9a32747dd790a8481571d5b460ee83737c9ca6e43ef98db1dfa5fb8277d10f79b516c62fc58233088dcebd3aa3fd7770ba1f6311d7881b57
-  data.tar.gz: 8ed32ac76cdd9d9c3615375310808919b139bfc22480a2cdcd05cd8ec1a2b3ce68c62864576c91694888e2164856c341577dc89a2adede157996e68421b3fa1f
+  metadata.gz: 17db456db28fc892f2df82e7ee84d2f3799a804c223e7b1e815fc7f6b0ec5a439ac23c7a781495fa8fc5ff0d3b6d2b52171081349f7ce9f27f53bcb1251d91e1
+  data.tar.gz: 02fb997d526e9d4116558c88201f2da5db5c8cbeef947dd6aac73373b8d8ed235225f661f9f8d11a538c346140edd66bb8a9b3d503949b226195f374fc86e51e

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## unreleased
 
+## 2.1.2 - 2022-08-26
+
+- fix: Gracefully handle invalid JSON in Authorization header [https://github.com/clerkinc/clerk-sdk-ruby/pull/16]
+
+## 2.1.1 - 2022-02-24
+
+- fix: Make Authv2 middleware thread-safe
+
 ## 2.0.0 - 2021-10-21
 
 This release introduces the new networkless middleware which works with the new 

data/README.md

@@ -1,20 +1,25 @@
 # Clerk Ruby SDK
 
+
 Thank you for choosing [Clerk](https://clerk.dev/) for your authentication,
 session & user management needs!
 
 This SDK allows you to call the Clerk Backend API from Ruby code without having
 to implement the calls yourself.
 
----------
-
-**Note**: This is the v2 branch, which requires that you use [Auth 
+**Note**: You're looking at the main branch, which requires that you use [Auth 
 v2](https://docs.clerk.dev/main-concepts/auth-v2).
 
-If you're looking for the legacy authentication scheme (Auth v1), refer to the 
-[`main`](https://github.com/clerkinc/clerk-sdk-ruby/tree/main) branch.
+If you're looking for the legacy authentication scheme, refer to the 
+[`v1`](https://github.com/clerkinc/clerk-sdk-ruby/tree/v1) branch.
+
+---
+
+**Clerk is Hiring!**
+
+Would you like to work on Open Source software and help maintain this repository? Apply today https://apply.workable.com/clerk-dev/.
 
-----------
+---
 
 ## Installation
 

data/lib/clerk/authenticatable.rb

@@ -10,7 +10,7 @@ module Clerk
     # the Session object. Subsequent calls to this method will return the cached
     # Session object.
     #
-    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # NOTE: For better performance, you can instead use `#clerk_verified_session_claims`
     # which already contains the verified claims as retrieved from the session
     # token.
     def clerk_session
@@ -20,7 +20,7 @@ module Clerk
     # Makes a request to the Clerk API to verify the session again. Returns the
     # session object as fetched from the API.
     #
-    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # NOTE: For better performance, you can instead use `#clerk_verified_session_claims`
     # which already contains the verified claims as retrieved from the session
     # token.
     #

data/lib/clerk/rack_middleware_v2.rb

@@ -1,93 +1,107 @@
 require "clerk"
 
 module Clerk
-  class RackMiddlewareV2
-    class ProxyV2
-      CACHE_TTL = 60 # seconds
+  class ProxyV2
+    CACHE_TTL = 60 # seconds
 
-      attr_reader :session_claims, :session_token
+    attr_reader :session_claims, :session_token
 
-      def initialize(session_claims: nil, session_token: nil)
-        @session_claims = session_claims
-        @session_token = session_token
-        @session = nil
-      end
+    def initialize(session_claims: nil, session_token: nil)
+      @session_claims = session_claims
+      @session_token = session_token
+      @session = nil
+    end
 
-      def session
-        return nil if @session_claims.nil?
+    def session
+      return nil if @session_claims.nil?
 
-        @session ||= verify_session
-      end
+      @session ||= verify_session
+    end
 
-      def verify_session
-        return nil if @session_claims.nil?
+    def verify_session
+      return nil if @session_claims.nil?
 
-        sdk.sessions.verify_token(@session_claims["sid"], @session_token)
-      end
+      sdk.sessions.verify_token(@session_claims["sid"], @session_token)
+    end
 
-      def user
-        return nil if user_id.nil?
+    def user
+      return nil if user_id.nil?
 
-        @user ||= fetch_user(user_id)
-      end
+      @user ||= fetch_user(user_id)
+    end
 
-      def user_id
-        return nil if @session_claims.nil?
+    def user_id
+      return nil if @session_claims.nil?
 
-        @session_claims["sub"]
-      end
+      @session_claims["sub"]
+    end
 
-      private
+    private
 
-      def fetch_user(user_id)
-        cached_fetch("clerk_user:#{user_id}") do
-          sdk.users.find(user_id)
-        end
+    def fetch_user(user_id)
+      cached_fetch("clerk_user:#{user_id}") do
+        sdk.users.find(user_id)
       end
+    end
 
-      def cached_fetch(key, &block)
-        if store = Clerk.configuration.middleware_cache_store
-          store.fetch(key, expires_in: CACHE_TTL, &block)
-        else
-          yield
-        end
+    def cached_fetch(key, &block)
+      if store = Clerk.configuration.middleware_cache_store
+        store.fetch(key, expires_in: CACHE_TTL, &block)
+      else
+        yield
       end
+    end
 
-      def sdk
-        @sdk ||= Clerk::SDK.new
-      end
+    def sdk
+      @sdk ||= Clerk::SDK.new
     end
+  end
 
+  class RackMiddlewareV2
     def initialize(app)
       @app = app
     end
 
     def call(env)
-      @env = env
-      @req = Rack::Request.new(env)
-      @env["clerk"] = ProxyV2.new
-      @header_token = @req.env["HTTP_AUTHORIZATION"]&.strip
-      @cookie_token = @req.cookies["__session"]
-      @client_uat = @req.cookies["__client_uat"]
+      env = env
+      req = Rack::Request.new(env)
+      env["clerk"] = Clerk::ProxyV2.new
+      header_token = req.env["HTTP_AUTHORIZATION"]
+      header_token = header_token.strip.sub(/\ABearer /, '') if header_token
+      cookie_token = req.cookies["__session"]
+      client_uat = req.cookies["__client_uat"]
 
       ##########################################################################
       #                                                                        #
       #                          HEADER AUTHENTICATION                         #
       #                                                                        #
       ##########################################################################
-      if @header_token
-        return signed_out if !sdk.decode_token(@header_token) # malformed JWT
-
-        token = verify_token(@header_token)
-        return signed_in(token, @header_token) if token
+      if header_token
+        begin
+          return signed_out(env) if !sdk.decode_token(header_token) # malformed JWT
+        rescue JWT::DecodeError
+          return signed_out(env)  # malformed JSON authorization header
+        end
+        
+        token = verify_token(header_token)
+        return signed_in(env, token, header_token) if token
 
         # Clerk.js should refresh the token and retry
         return unknown(interstitial: false)
       end
 
       # in cross-origin XHRs the use of Authorization header is mandatory.
-      if cross_origin_request?(@req)
-        return signed_out
+      if cross_origin_request?(req)
+        return signed_out(env)
+      end
+
+      if development_or_staging? && !browser_request?(req)
+        # the interstitial won't work if the user agent is not a browser, so
+        # short-circuit and avoid rendering it
+        #
+        # We only limit this to dev/stg because we're not yet sure how robust
+        # this strategy is, yet. In the future, we might enable it for prod too.
+        return signed_out(env)
       end
 
       ##########################################################################
@@ -95,22 +109,22 @@ module Clerk
       #                             COOKIE AUTHENTICATION                      #
       #                                                                        #
       ##########################################################################
-      if development_or_staging? && (@req.referrer.nil? || cross_origin_request?(@req))
+      if development_or_staging? && (req.referrer.nil? || cross_origin_request?(req))
         return unknown(interstitial: true)
       end
 
-      if production? && @client_uat.nil?
-        return signed_out
+      if production? && client_uat.nil?
+        return signed_out(env)
       end
 
-      if @client_uat == "0"
-        return signed_out
+      if client_uat == "0"
+        return signed_out(env)
       end
 
-      token = verify_token(@cookie_token)
+      token = verify_token(cookie_token)
 
-      if token && token["iat"] && @client_uat && Integer(@client_uat) <= token["iat"]
-        return signed_in(token, @cookie_token)
+      if token && token["iat"] && client_uat && Integer(client_uat) <= token["iat"]
+        return signed_in(env, token, cookie_token)
       end
 
       unknown(interstitial: true)
@@ -119,15 +133,15 @@ module Clerk
     private
 
     # Outcome A
-    def signed_in(claims, token)
-      @env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
+    def signed_in(env, claims, token)
+      env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
 
-      @app.call(@env)
+      @app.call(env)
     end
 
     # Outcome B
-    def signed_out
-      @app.call(@env)
+    def signed_out(env)
+      @app.call(env)
     end
 
     # Outcome C
@@ -153,7 +167,7 @@ module Clerk
       return false if origin.nil?
 
       # strip scheme
-      origin = origin.strip.sub(/(^\w+:|^)\/\//, '')
+      origin = origin.strip.sub(/\A(\w+:)?\/\//, '')
       return false if origin.empty?
 
       # Rack's host and port helpers are reverse-proxy-aware; that
@@ -164,18 +178,24 @@ module Clerk
       origin != request_host
     end
 
+    def browser_request?(req)
+      user_agent = req.env["HTTP_USER_AGENT"]
+
+      !user_agent.nil? && user_agent.starts_with?("Mozilla/")
+    end
+
     def verify_token(token)
       return false if token.nil? || token.strip.empty?
 
       begin
-        @session = sdk.verify_token(token)
+        sdk.verify_token(token)
       rescue JWT::DecodeError, JWT::RequiredDependencyError => e
         false
       end
     end
 
     def sdk
-      @sdk ||= Clerk::SDK.new
+      Clerk::SDK.new
     end
   end
 end

data/lib/clerk/sdk.rb

@@ -20,7 +20,8 @@ require_relative "errors"
 module Clerk
   class SDK
     DEFAULT_HEADERS = {
-      "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}"
+      "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}",
+      "X-Clerk-SDK" => "ruby/#{Clerk::VERSION}"
     }
 
     # How often (in seconds) should JWKs be refreshed

data/lib/clerk/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clerk
-  VERSION = "2.0.3"
+  VERSION = "2.1.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: clerk-sdk-ruby
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.1.2
 platform: ruby
 authors:
 - Clerk
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-10-22 00:00:00.000000000 Z
+date: 2022-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday