clerk-sdk-ruby 4.0.0.beta3 → 4.0.0.beta4

data/lib/clerk/authenticate_request.rb

@@ -1,253 +1,261 @@
+# frozen_string_literal: true
+
+require "clerk/proxy"
+require "rack/utils"
+
 module Clerk
-    ##
-    # This class represents a service object used to determine the current request state
-    # for the current env passed based on a provided Clerk::AuthenticateContext.
-    # There is only 1 public method exposed (`resolve`) to be invoked with a env parameter.
-    class AuthenticateRequest
-        attr_reader :auth_context
-
-        ##
-        # Creates a new instance using Clerk::AuthenticateContext object.
-        def initialize(auth_context)
-            @auth_context = auth_context
-        end
+  # This class represents a service object used to determine the current request state
+  # for the current env passed based on a provided Clerk::AuthenticateContext.
+  # There is only 1 public method exposed (`resolve`) to be invoked with a env parameter.
+  class AuthenticateRequest
+    attr_reader :auth_context
+
+    # Creates a new instance using Clerk::AuthenticateContext object.
+    def initialize(auth_context)
+      @auth_context = auth_context
+    end
 
-        ##
-        # Determines the current request state by verifying a Clerk token in headers or cookies.
-        # The possible outcomes of this method are `signed-in`, `signed-out` or `handshake` states.
-        # The return values are the same as a return value of a rack middleware `[http_status_code, headers, body]`.
-        # When used in a middleware the consumer of this service should return the return value when there is an
-        # `http_status_code` provided otherwise the should continue with the middleware chain.
-        # The headers provided in the return value is a hash of { header_key => header_value } and in the case
-        # of a `Set-Cookie` header the `header_value` used is a list of raw HTTP Set-Cookie directives.
-        def resolve(env)
-            if auth_context.session_token_in_header?
-                resolve_header_token(env)
-            else
-                resolve_cookie_token(env)
-            end
-        end
+    # Determines the current request state by verifying a Clerk token in headers or cookies.
+    # The possible outcomes of this method are `signed-in`, `signed-out` or `handshake` states.
+    # The return values are the same as a return value of a rack middleware `[http_status_code, headers, body]`.
+    # When used in a middleware the consumer of this service should return the return value when there is an
+    # `http_status_code` provided otherwise the should continue with the middleware chain.
+    # The headers provided in the return value is a hash of { header_key => header_value } and in the case
+    # of a `Set-Cookie` header the `header_value` used is a list of raw HTTP Set-Cookie directives.
+    def resolve(env)
+      if auth_context.session_token_in_header?
+        resolve_header_token(env)
+      else
+        resolve_cookie_token(env)
+      end
+    end
 
-        protected
-
-        def resolve_header_token(env)
-            begin
-                # malformed JWT
-                return signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID) if !sdk.decode_token(auth_context.session_token_in_header)
-
-                claims = verify_token(auth_context.session_token_in_header)
-                return signed_in(env, claims, auth_context.session_token_in_header) if claims
-            rescue JWT::DecodeError
-                # malformed JSON authorization header
-                return signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
-            rescue JWT::ExpiredSignature
-                return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::TOKEN_EXPIRED)
-            rescue JWT::InvalidIatError
-                return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::TOKEN_NOT_ACTIVE_YET)
-            end
-
-            # Clerk.js should refresh the token and retry
-            return signed_out(enforce_auth: true)
-        end
+    protected
 
-        def resolve_cookie_token(env)
-            # in cross-origin XHRs the use of Authorization header is mandatory.
-            # TODO: add reason
-            return signed_out if auth_context.cross_origin_request?
-
-            if auth_context.handshake_token?
-                return resolve_handshake(env)
-            end
-
-            if auth_context.development_instance? && auth_context.dev_browser?
-                return handle_handshake_maybe_status(env, reason: AuthErrorReason::DEV_BROWSER_SYNC)
-            end
-
-            # TODO(dimkl): Add multi-domain support for production
-            # if auth_context.production_instance? && auth_context.eligible_for_multi_domain?
-                # return handle_handshake_maybe_status(env, reason: AuthErrorReason::SATELLITE_COOKIE_NEEDS_SYNCING)
-            # end
-
-            # TODO(dimkl): Add multi-domain support for development
-            # if auth_context.development_instance? && auth_context.eligible_for_multi_domain?
-                # trigger handshake using auth_context.sign_in_url as base redirect_url
-                # return handle_handshake_maybe_status(env, reason: AuthErrorReason::SATELLITE_COOKIE_NEEDS_SYNCING, '', headers);
-            # end
-
-            # TODO(dimkl): Add multi-domain support for development in primary
-            # if auth_context.development_instance? && !auth_context.is_satellite? && auth_context.clerk_redirect_url
-                # trigger handshake using auth_context.clerk_redirect_url as base redirect_url + mark it as clerk_synced
-                # return handle_handshake_maybe_status(env, reason: AuthErrorReason::PRIMARY_RESPONDS_TO_SYNCING, '', headers);
-            # end
-
-            if !auth_context.active_client? && !auth_context.session_token_in_cookie?
-                return signed_out(reason: AuthErrorReason::SESSION_TOKEN_AND_UAT_MISSING)
-            end
-
-            # This can eagerly run handshake since client_uat is SameSite=Strict in dev
-            if !auth_context.active_client? && auth_context.session_token_in_cookie?
-                return handle_handshake_maybe_status(env, reason: AuthErrorReason::SESSION_TOKEN_WITHOUT_CLIENT_UAT)
-            end
-
-            if auth_context.active_client? && !auth_context.session_token_in_cookie?
-                return handle_handshake_maybe_status(env, reason: AuthErrorReason::CLIENT_UAT_WITHOUT_SESSION_TOKEN)
-            end
-
-            begin
-                token = verify_token(auth_context.session_token_in_cookie)
-                return signed_out if !token
-
-                if token["iat"] < auth_context.client_uat
-                    return handle_handshake_maybe_status(env, reason: AuthErrorReason::SESSION_TOKEN_OUTDATED);
-                end
-
-                return signed_in(env, token, auth_context.session_token_in_cookie)
-            rescue JWT::ExpiredSignature
-                handshake(env, reason: TokenVerificationErrorReason::TOKEN_EXPIRED)
-            rescue JWT::InvalidIatError
-                handshake(env, reason: TokenVerificationErrorReason::TOKEN_NOT_ACTIVE_YET)
-            end
-
-            signed_out
+    def resolve_header_token(env)
+      begin
+        # malformed JWT
+        unless sdk.decode_token(auth_context.session_token_in_header)
+          return signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
         end
 
-        def resolve_handshake(env)
-            headers = { 
-                "Access-Control-Allow-Origin" => "null",
-                "Access-Control-Allow-Credentials" => "true"
-            }
-            
-            session_token = ''
-
-            # Return signed-out outcome if the handshake verification fails
-            handshake_payload = verify_token(auth_context.handshake_token)
-            return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::JWK_FAILED_TO_RESOLVE) if !handshake_payload
-
-            # Retrieve the cookie directives included in handshake token payload and convert it to set-cookie headers
-            # Also retrieve the session token separately to determine the outcome of the request
-            cookies_to_set = handshake_payload[HANDSHAKE_COOKIE_DIRECTIVES_KEY] || []
-            cookies_to_set.each do |cookie|
-                headers[COOKIE_HEADER] ||= []
-                headers[COOKIE_HEADER] << cookie
-
-                if cookie.start_with?("#{SESSION_COOKIE}=")
-                    session_token = cookie.split(';')[0].split('=')[1]
-                end
-            end
-
-            # Clear handshake token from query params and set headers to redirect to the initial request url
-            if auth_context.development_instance?
-                redirect_url = auth_context.clerk_url.dup
-                remove_from_query_string(redirect_url, HANDSHAKE_COOKIE)
-                remove_from_query_string(redirect_url, HANDSHAKE_HELP_QUERY_PARAM)
-
-                headers[LOCATION_HEADER] = redirect_url.to_s
-            end
-            
-            if !session_token
-                return signed_out(reason: AuthErrorReason::SESSION_TOKEN_MISSING, headers: headers)
-            end
-
-            verify_token_with_retry(env, session_token)
-        end
+        claims = verify_token(auth_context.session_token_in_header)
+        return signed_in(env, claims, auth_context.session_token_in_header) if claims
+      rescue JWT::ExpiredSignature
+        # Expired token
+        return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::TOKEN_EXPIRED)
+      rescue JWT::InvalidIatError
+        # Token not active yet
+        return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::TOKEN_NOT_ACTIVE_YET)
+      rescue JWT::DecodeError
+        # Malformed JWT (NOTE: Must be the last rescue block as it catches all decoding errors)
+        return signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
+      end
+
+      # Clerk.js should refresh the token and retry
+      signed_out(enforce_auth: true)
+    end
 
-        def handle_handshake_maybe_status(env, **opts)
-            return signed_out if !eligible_for_handshake?
-            handshake(env, **opts)
+    def resolve_cookie_token(env)
+      # in cross-origin XHRs the use of Authorization header is mandatory.
+      # TODO: add reason
+      return signed_out if auth_context.cross_origin_request?
+
+      return resolve_handshake(env) if auth_context.handshake_token?
+
+      if auth_context.development_instance? && auth_context.dev_browser_in_url?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::DEV_BROWSER_SYNC)
+      end
+
+      if auth_context.development_instance? && !auth_context.dev_browser?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::DEV_BROWSER_MISSING)
+      end
+
+      # TODO: Add multi-domain support for production
+      # if auth_context.production_instance? && auth_context.eligible_for_multi_domain?
+      #   return handle_handshake_maybe_status(env, reason: AuthErrorReason::SATELLITE_COOKIE_NEEDS_SYNCING)
+      # end
+
+      # TODO: Add multi-domain support for development
+      # if auth_context.development_instance? && auth_context.eligible_for_multi_domain?
+      #   # trigger handshake using auth_context.sign_in_url as base redirect_url
+      #   # return handle_handshake_maybe_status(env, reason: AuthErrorReason::SATELLITE_COOKIE_NEEDS_SYNCING, '', headers)
+      # end
+
+      # TODO: Add multi-domain support for development in primary
+      # if auth_context.development_instance? && !auth_context.is_satellite? && auth_context.clerk_redirect_url
+      #   # trigger handshake using auth_context.clerk_redirect_url as base redirect_url + mark it as clerk_synced
+      #   # return handle_handshake_maybe_status(env, reason: AuthErrorReason::PRIMARY_RESPONDS_TO_SYNCING, '', headers)
+      # end
+
+      if !auth_context.active_client? && !auth_context.session_token_in_cookie?
+        return signed_out(reason: AuthErrorReason::SESSION_TOKEN_AND_UAT_MISSING)
+      end
+
+      # This can eagerly run handshake since client_uat is SameSite=Strict in dev
+      if !auth_context.active_client? && auth_context.session_token_in_cookie?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::SESSION_TOKEN_WITHOUT_CLIENT_UAT)
+      end
+
+      if auth_context.active_client? && !auth_context.session_token_in_cookie?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::CLIENT_UAT_WITHOUT_SESSION_TOKEN)
+      end
+
+      begin
+        claims = verify_token(auth_context.session_token_in_cookie)
+        return signed_out unless claims
+
+        if claims["iat"] < auth_context.client_uat.to_i
+          return handle_handshake_maybe_status(env, reason: AuthErrorReason::SESSION_TOKEN_OUTDATED)
         end
 
-        # A outcome
-        def handshake(env, **opts)
-            redirect_headers = { LOCATION_HEADER => redirect_to_handshake }
-            [307, debug_auth_headers(**opts).merge(redirect_headers), []]
-        end
+        signed_in(env, claims, auth_context.session_token_in_cookie)
+      rescue JWT::ExpiredSignature
+        handshake(env, reason: TokenVerificationErrorReason::TOKEN_EXPIRED)
+      rescue JWT::InvalidIatError
+        handshake(env, reason: TokenVerificationErrorReason::TOKEN_NOT_ACTIVE_YET)
+      rescue JWT::DecodeError
+        signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
+      rescue
+        signed_out
+      end
+    end
 
-        # B outcome
-        def signed_out(**opts)
-            headers = opts.delete(:headers) || {}
-            enforce_auth = opts.delete(:enforce_auth)
+    def resolve_handshake(env)
+      headers = {
+        "Access-Control-Allow-Origin" => "null",
+        "Access-Control-Allow-Credentials" => "true"
+      }
+      session_token = nil
 
-            if enforce_auth
-                [401, debug_auth_headers(**opts).merge(headers), []]
-            else
-                [nil, headers, []]
-            end
-        end
+      # Return signed-out outcome if the handshake verification fails
+      handshake_payload = verify_token(auth_context.handshake_token)
+      unless handshake_payload
+        return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::JWK_FAILED_TO_RESOLVE)
+      end
 
-        # C outcome
-        def signed_in(env, claims, token, **headers)
-            env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
-            [nil, headers, []]
-        end
+      # Retrieve the cookie directives included in handshake token payload and convert it to set-cookie headers
+      # Also retrieve the session token separately to determine the outcome of the request
+      cookies_to_set = handshake_payload[HANDSHAKE_COOKIE_DIRECTIVES_KEY] || []
+      cookies_to_set.each do |cookie|
+        headers[SET_COOKIE_HEADER] ||= []
+        headers[SET_COOKIE_HEADER] << cookie
 
-        def eligible_for_handshake?
-            auth_context.document_request? || (!auth_context.document_request? && auth_context.accepts_html?)
-        end
+        session_token = cookie.split(";")[0].split("=")[1] if cookie.start_with?("#{SESSION_COOKIE}=")
+      end
 
-        private
+      # Clear handshake token from query params and set headers to redirect to the initial request url
+      if auth_context.development_instance?
+        redirect_url = auth_context.clerk_url.dup
+        remove_from_query_string(redirect_url, HANDSHAKE_COOKIE)
 
-        def redirect_to_handshake
-            redirect_url = auth_context.clerk_url.dup
-            remove_from_query_string(redirect_url, DEV_BROWSER_COOKIE)
+        headers[LOCATION_HEADER] = redirect_url.to_s
+      end
 
-            handshake_url = URI.parse("https://#{auth_context.frontend_api}/v1/client/handshake")
-            handshake_url_qs = Rack::Utils.parse_query(handshake_url.query)
-            handshake_url_qs["redirect_url"] = redirect_url
+      return signed_out(reason: AuthErrorReason::SESSION_TOKEN_MISSING, headers: headers) unless session_token
 
-            if auth_context.development_instance? && auth_context.dev_browser?
-                handshake_url_qs[DEV_BROWSER_COOKIE] = auth_context.dev_browser
-            end
+      verify_token_with_retry(env, session_token)
+    end
 
-            handshake_url.query = handshake_url_qs.to_query
-            handshake_url.to_s
-        end
+    def handle_handshake_maybe_status(env, **opts)
+      return signed_out unless eligible_for_handshake?
 
-        def remove_from_query_string(url, key)
-            qs = Rack::Utils.parse_query(url.query)
-            qs.delete(key)
-            url.query = qs.to_query
-        end
+      handshake(env, **opts)
+    end
 
-        def verify_token(token, **opts)
-            return false if token.nil? || token.strip.empty?
-        
-            begin
-                sdk.verify_token(token, **opts)
-            rescue JWT::ExpiredSignature, JWT::InvalidIatError => e
-                raise e
-            rescue JWT::DecodeError, JWT::RequiredDependencyError => e
-                false
-            end
-        end
+    # A outcome
+    def handshake(_env, **opts)
+      redirect_headers = {LOCATION_HEADER => redirect_to_handshake}
+      [307, debug_auth_headers(**opts).merge(redirect_headers), []]
+    end
 
-        # Verify session token and provide a 1-day leeway for development if initial verification
-        # fails for development instance due to invalid exp or iat
-        def verify_token_with_retry(env, token)
-            claims = verify_token(token)
-            return signed_in(env, claims, token) if claims
-        rescue JWT::ExpiredSignature, JWT::InvalidIatError => e
-            if auth_context.development_instance?
-                # TODO: log possible Clock skew detected
-            
-                # Retry with a generous clock skew allowance (1 day)
-                claims = verify_token(token, timeout: 86_400)
-                return signed_in(env, claims, token) if claims
-            end
-            
-            # Raise error if handshake resolution fails in production
-            raise e
-        end
+    # B outcome
+    def signed_out(**opts)
+      headers = opts.delete(:headers) || {}
+      enforce_auth = opts.delete(:enforce_auth)
 
-        def sdk
-            Clerk::SDK.new
-        end
-    
-        def debug_auth_headers(reason: nil, message: nil, status: nil)
-            {
-                AUTH_REASON_HEADER => reason,
-                AUTH_MESSAGE_HEADER => message,
-                AUTH_STATUS_HEADER => status,
-            }.compact
-        end
+      [
+        enforce_auth ? 401 : nil,
+        debug_auth_headers(**opts).merge(headers),
+        []
+      ]
+    end
+
+    # C outcome
+    def signed_in(env, claims, token, **headers)
+      env["clerk"] = Proxy.new(session_claims: claims, session_token: token)
+      [nil, headers, []]
+    end
+
+    def eligible_for_handshake?
+      auth_context.document_request? || (!auth_context.document_request? && auth_context.accepts_html?)
+    end
+
+    private
+
+    def redirect_to_handshake
+      redirect_url = auth_context.clerk_url.dup
+      remove_from_query_string(redirect_url, DEV_BROWSER_COOKIE)
+
+      handshake_url = URI.parse("https://#{auth_context.frontend_api}/v1/client/handshake")
+      handshake_url_qs = ::Rack::Utils.parse_query(handshake_url.query)
+      handshake_url_qs["redirect_url"] = redirect_url
+
+      if auth_context.development_instance? && auth_context.dev_browser?
+        handshake_url_qs[DEV_BROWSER_COOKIE] = auth_context.dev_browser
+      end
+
+      handshake_url.query = ::Rack::Utils.build_query(handshake_url_qs)
+      handshake_url.to_s
+    end
+
+    def remove_from_query_string(url, key)
+      qs = ::Rack::Utils.parse_query(url.query)
+      qs.delete(key)
+
+      url.query = ::Rack::Utils.build_query(qs)
+    end
+
+    def verify_token(token, **opts)
+      return false if token.nil? || token.strip.empty?
+
+      begin
+        sdk.verify_token(token, **opts)
+      rescue JWT::ExpiredSignature, JWT::InvalidIatError => e
+        raise e
+      rescue JWT::DecodeError, JWT::RequiredDependencyError => _
+        false
+      end
+    end
+
+    # Verify session token and provide a 1-day leeway for development if initial verification
+    # fails for development instance due to invalid exp or iat
+    def verify_token_with_retry(env, token)
+      claims = verify_token(token)
+      signed_in(env, claims, token) if claims
+    rescue JWT::ExpiredSignature, JWT::InvalidIatError => e
+      if auth_context.development_instance?
+        # TODO: log possible Clock skew detected
+
+        # Retry with a generous clock skew allowance (1 day)
+        claims = verify_token(token, timeout: 86_400)
+        return signed_in(env, claims, token) if claims
+      end
+
+      # Raise error if handshake resolution fails in production
+      raise e
+    end
+
+    def sdk
+      SDK.new
+    end
+
+    def debug_auth_headers(reason: nil, message: nil, status: nil)
+      {
+        AUTH_REASON_HEADER => reason,
+        AUTH_MESSAGE_HEADER => message,
+        AUTH_STATUS_HEADER => status
+      }.compact
     end
-end
+  end
+end

data/lib/clerk/configuration.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "clerk-http-client"
+
+module Clerk
+  class Configuration
+    attr_reader :cache_store
+    attr_reader :debug
+    attr_reader :excluded_routes
+    attr_reader :publishable_key
+    attr_reader :secret_key
+
+    def initialize
+      @excluded_routes = []
+      @publishable_key = ENV["CLERK_PUBLISHABLE_KEY"]
+      @secret_key = ENV["CLERK_SECRET_KEY"]
+
+      # Default to Rails.cache or ActiveSupport::Cache::MemoryStore, if available, otherwise nil
+      @cache_store = if defined?(::Rails)
+        ::Rails.cache
+      elsif defined?(::ActiveSupport::Cache::MemoryStore)
+        ::ActiveSupport::Cache::MemoryStore.new
+      end
+
+      ClerkHttpClient.configure do |config|
+        unless secret_key.nil? || secret_key.empty?
+          config.access_token = @secret_key
+        end
+      end
+    end
+
+    def self.default
+      @@default ||= new
+    end
+
+    def update(options)
+      options.each do |key, value|
+        send(:"#{key}=", value)
+      end
+    end
+
+    def debug=(value)
+      ClerkHttpClient::Configuration.default.debugging = value
+      @debug = value
+    end
+
+    def cache_store=(store)
+      if !store
+        @cache_store = nil
+        return
+      end
+
+      raise ArgumentError, "cache_store must respond to :fetch" unless store.respond_to?(:fetch)
+
+      @cache_store = store
+    end
+
+    def excluded_routes=(routes)
+      raise ArgumentError, "excluded_routes must be an array" unless routes.is_a?(Array)
+      raise ArgumentError, "All elements in the excluded_routes array must be strings" unless routes.all? { |r| r.is_a?(String) }
+
+      @excluded_routes = routes
+    end
+
+    def publishable_key=(pk)
+      raise ArgumentError, "publishable_key must start with 'pk_'" unless pk.start_with?("pk_")
+
+      @publishable_key = pk
+    end
+
+    def secret_key=(sk)
+      raise ArgumentError, "secret_key must start with 'sk_'" unless sk.start_with?("sk_")
+
+      ClerkHttpClient::Configuration.default.access_token = sk
+      @secret_key = sk
+    end
+  end
+end