RubyGems - clerk-sdk-ruby - Versions diffs - 2.0.3 → 2.1.2 - Mend

clerk-sdk-ruby 2.0.3 → 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/README.md +11 -6
data/lib/clerk/authenticatable.rb +2 -2
data/lib/clerk/rack_middleware_v2.rb +88 -68
data/lib/clerk/sdk.rb +2 -1
data/lib/clerk/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 692cc6e564176d884eb9697a0bfe4a02affda01032c73a9bf704700e45265e4f
-  data.tar.gz: 1f425dd5b92b2bb51e20661d2415c4c1d094c781c2b4a7c0b0199dce29897c74
+  metadata.gz: dd893298c9206f7cacd07fd7c8db9278c2f1c8353d43582a3275ac2a98558bfb
+  data.tar.gz: 7dc3976d5c922f648df6fbf77afd43ea1d2b185d828d23617dad0ac960ea9503
 SHA512:
-  metadata.gz: f6497dff3fb8bc8f9a32747dd790a8481571d5b460ee83737c9ca6e43ef98db1dfa5fb8277d10f79b516c62fc58233088dcebd3aa3fd7770ba1f6311d7881b57
-  data.tar.gz: 8ed32ac76cdd9d9c3615375310808919b139bfc22480a2cdcd05cd8ec1a2b3ce68c62864576c91694888e2164856c341577dc89a2adede157996e68421b3fa1f
+  metadata.gz: 17db456db28fc892f2df82e7ee84d2f3799a804c223e7b1e815fc7f6b0ec5a439ac23c7a781495fa8fc5ff0d3b6d2b52171081349f7ce9f27f53bcb1251d91e1
+  data.tar.gz: 02fb997d526e9d4116558c88201f2da5db5c8cbeef947dd6aac73373b8d8ed235225f661f9f8d11a538c346140edd66bb8a9b3d503949b226195f374fc86e51e

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 ## unreleased
+## 2.1.2 - 2022-08-26
+- fix: Gracefully handle invalid JSON in Authorization header [https://github.com/clerkinc/clerk-sdk-ruby/pull/16]
+## 2.1.1 - 2022-02-24
+- fix: Make Authv2 middleware thread-safe
 ## 2.0.0 - 2021-10-21
 This release introduces the new networkless middleware which works with the new

data/README.md CHANGED Viewed

@@ -1,20 +1,25 @@
 # Clerk Ruby SDK
 Thank you for choosing [Clerk](https://clerk.dev/) for your authentication,
 session & user management needs!
 This SDK allows you to call the Clerk Backend API from Ruby code without having
 to implement the calls yourself.
----------
-**Note**: This is the v2 branch, which requires that you use [Auth
+**Note**: You're looking at the main branch, which requires that you use [Auth
 v2](https://docs.clerk.dev/main-concepts/auth-v2).
-If you're looking for the legacy authentication scheme (Auth v1), refer to the
-[`main`](https://github.com/clerkinc/clerk-sdk-ruby/tree/main) branch.
+If you're looking for the legacy authentication scheme, refer to the
+[`v1`](https://github.com/clerkinc/clerk-sdk-ruby/tree/v1) branch.
+---
+**Clerk is Hiring!**
+Would you like to work on Open Source software and help maintain this repository? Apply today https://apply.workable.com/clerk-dev/.
-----------
+---
 ## Installation

data/lib/clerk/authenticatable.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module Clerk
     # the Session object. Subsequent calls to this method will return the cached
     # Session object.
     #
-    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # NOTE: For better performance, you can instead use `#clerk_verified_session_claims`
     # which already contains the verified claims as retrieved from the session
     # token.
     def clerk_session
@@ -20,7 +20,7 @@ module Clerk
     # Makes a request to the Clerk API to verify the session again. Returns the
     # session object as fetched from the API.
     #
-    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # NOTE: For better performance, you can instead use `#clerk_verified_session_claims`
     # which already contains the verified claims as retrieved from the session
     # token.
     #

data/lib/clerk/rack_middleware_v2.rb CHANGED Viewed

@@ -1,93 +1,107 @@
 require "clerk"
 module Clerk
-  class RackMiddlewareV2
-    class ProxyV2
-      CACHE_TTL = 60 # seconds
+  class ProxyV2
+    CACHE_TTL = 60 # seconds
-      attr_reader :session_claims, :session_token
+    attr_reader :session_claims, :session_token
-      def initialize(session_claims: nil, session_token: nil)
-        @session_claims = session_claims
-        @session_token = session_token
-        @session = nil
-      end
+    def initialize(session_claims: nil, session_token: nil)
+      @session_claims = session_claims
+      @session_token = session_token
+      @session = nil
+    end
-      def session
-        return nil if @session_claims.nil?
+    def session
+      return nil if @session_claims.nil?
-        @session ||= verify_session
-      end
+      @session ||= verify_session
+    end
-      def verify_session
-        return nil if @session_claims.nil?
+    def verify_session
+      return nil if @session_claims.nil?
-        sdk.sessions.verify_token(@session_claims["sid"], @session_token)
-      end
+      sdk.sessions.verify_token(@session_claims["sid"], @session_token)
+    end
-      def user
-        return nil if user_id.nil?
+    def user
+      return nil if user_id.nil?
-        @user ||= fetch_user(user_id)
-      end
+      @user ||= fetch_user(user_id)
+    end
-      def user_id
-        return nil if @session_claims.nil?
+    def user_id
+      return nil if @session_claims.nil?
-        @session_claims["sub"]
-      end
+      @session_claims["sub"]
+    end
-      private
+    private
-      def fetch_user(user_id)
-        cached_fetch("clerk_user:#{user_id}") do
-          sdk.users.find(user_id)
-        end
+    def fetch_user(user_id)
+      cached_fetch("clerk_user:#{user_id}") do
+        sdk.users.find(user_id)
       end
+    end
-      def cached_fetch(key, &block)
-        if store = Clerk.configuration.middleware_cache_store
-          store.fetch(key, expires_in: CACHE_TTL, &block)
-        else
-          yield
-        end
+    def cached_fetch(key, &block)
+      if store = Clerk.configuration.middleware_cache_store
+        store.fetch(key, expires_in: CACHE_TTL, &block)
+      else
+        yield
       end
+    end
-      def sdk
-        @sdk ||= Clerk::SDK.new
-      end
+    def sdk
+      @sdk ||= Clerk::SDK.new
     end
+  end
+  class RackMiddlewareV2
     def initialize(app)
       @app = app
     end
     def call(env)
-      @env = env
-      @req = Rack::Request.new(env)
-      @env["clerk"] = ProxyV2.new
-      @header_token = @req.env["HTTP_AUTHORIZATION"]&.strip
-      @cookie_token = @req.cookies["__session"]
-      @client_uat = @req.cookies["__client_uat"]
+      env = env
+      req = Rack::Request.new(env)
+      env["clerk"] = Clerk::ProxyV2.new
+      header_token = req.env["HTTP_AUTHORIZATION"]
+      header_token = header_token.strip.sub(/\ABearer /, '') if header_token
+      cookie_token = req.cookies["__session"]
+      client_uat = req.cookies["__client_uat"]
       ##########################################################################
       #                                                                        #
       #                          HEADER AUTHENTICATION                         #
       #                                                                        #
       ##########################################################################
-      if @header_token
-        return signed_out if !sdk.decode_token(@header_token) # malformed JWT
-        token = verify_token(@header_token)
-        return signed_in(token, @header_token) if token
+      if header_token
+        begin
+          return signed_out(env) if !sdk.decode_token(header_token) # malformed JWT
+        rescue JWT::DecodeError
+          return signed_out(env)  # malformed JSON authorization header
+        end
+        token = verify_token(header_token)
+        return signed_in(env, token, header_token) if token
         # Clerk.js should refresh the token and retry
         return unknown(interstitial: false)
       end
       # in cross-origin XHRs the use of Authorization header is mandatory.
-      if cross_origin_request?(@req)
-        return signed_out
+      if cross_origin_request?(req)
+        return signed_out(env)
+      end
+      if development_or_staging? && !browser_request?(req)
+        # the interstitial won't work if the user agent is not a browser, so
+        # short-circuit and avoid rendering it
+        #
+        # We only limit this to dev/stg because we're not yet sure how robust
+        # this strategy is, yet. In the future, we might enable it for prod too.
+        return signed_out(env)
       end
       ##########################################################################
@@ -95,22 +109,22 @@ module Clerk
       #                             COOKIE AUTHENTICATION                      #
       #                                                                        #
       ##########################################################################
-      if development_or_staging? && (@req.referrer.nil? || cross_origin_request?(@req))
+      if development_or_staging? && (req.referrer.nil? || cross_origin_request?(req))
         return unknown(interstitial: true)
       end
-      if production? && @client_uat.nil?
-        return signed_out
+      if production? && client_uat.nil?
+        return signed_out(env)
       end
-      if @client_uat == "0"
-        return signed_out
+      if client_uat == "0"
+        return signed_out(env)
       end
-      token = verify_token(@cookie_token)
+      token = verify_token(cookie_token)
-      if token && token["iat"] && @client_uat && Integer(@client_uat) <= token["iat"]
-        return signed_in(token, @cookie_token)
+      if token && token["iat"] && client_uat && Integer(client_uat) <= token["iat"]
+        return signed_in(env, token, cookie_token)
       end
       unknown(interstitial: true)
@@ -119,15 +133,15 @@ module Clerk
     private
     # Outcome A
-    def signed_in(claims, token)
-      @env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
+    def signed_in(env, claims, token)
+      env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
-      @app.call(@env)
+      @app.call(env)
     end
     # Outcome B
-    def signed_out
-      @app.call(@env)
+    def signed_out(env)
+      @app.call(env)
     end
     # Outcome C
@@ -153,7 +167,7 @@ module Clerk
       return false if origin.nil?
       # strip scheme
-      origin = origin.strip.sub(/(^\w+:|^)\/\//, '')
+      origin = origin.strip.sub(/\A(\w+:)?\/\//, '')
       return false if origin.empty?
       # Rack's host and port helpers are reverse-proxy-aware; that
@@ -164,18 +178,24 @@ module Clerk
       origin != request_host
     end
+    def browser_request?(req)
+      user_agent = req.env["HTTP_USER_AGENT"]
+      !user_agent.nil? && user_agent.starts_with?("Mozilla/")
+    end
     def verify_token(token)
       return false if token.nil? || token.strip.empty?
       begin
-        @session = sdk.verify_token(token)
+        sdk.verify_token(token)
       rescue JWT::DecodeError, JWT::RequiredDependencyError => e
         false
       end
     end
     def sdk
-      @sdk ||= Clerk::SDK.new
+      Clerk::SDK.new
     end
   end
 end

data/lib/clerk/sdk.rb CHANGED Viewed

@@ -20,7 +20,8 @@ require_relative "errors"
 module Clerk
   class SDK
     DEFAULT_HEADERS = {
-      "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}"
+      "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}",
+      "X-Clerk-SDK" => "ruby/#{Clerk::VERSION}"
     }
     # How often (in seconds) should JWKs be refreshed

data/lib/clerk/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Clerk
-  VERSION = "2.0.3"
+  VERSION = "2.1.2"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: clerk-sdk-ruby
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.1.2
 platform: ruby
 authors:
 - Clerk
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-10-22 00:00:00.000000000 Z
+date: 2022-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday