clerk-sdk-ruby 4.0.0.beta3 → 4.0.0.beta4

data/lib/clerk/constants.rb

@@ -1,50 +1,72 @@
+# frozen_string_literal: true
+
 module Clerk
-    SESSION_COOKIE = "__session".freeze
-    CLIENT_UAT_COOKIE = "__client_uat".freeze
-    
-    # Dev Browser
-    DEV_BROWSER_COOKIE = "__clerk_db_jwt".freeze
-
-    # Handshake
-    HANDSHAKE_COOKIE = "__clerk_handshake".freeze
-    HANDSHAKE_HELP_QUERY_PARAM = "__clerk_help".freeze
-    HANDSHAKE_COOKIE_DIRECTIVES_KEY = "handshake".freeze
-
-    # auth debug response headers
-    AUTH_STATUS_HEADER = "X-Clerk-Auth-Status".freeze
-    AUTH_REASON_HEADER = "X-Clerk-Auth-Reason".freeze
-    AUTH_MESSAGE_HEADER = "X-Clerk-Auth-Message".freeze
-
-    #
-    CONTENT_TYPE_HEADER = "Content-Type".freeze
-    SEC_FETCH_DEST_HEADER = "HTTP_SEC_FETCH_DEST".freeze
-    
-    # headers used in response - should be lowered case and without http prefix
-    LOCATION_HEADER = "Location".freeze
-    COOKIE_HEADER = "Set-Cookie".freeze
-
-    # clerk url related headers
-    AUTHORIZATION_HEADER = "HTTP_AUTHORIZATION".freeze
-    ACCEPT_HEADER = "HTTP_ACCEPT".freeze
-    USER_AGENT_HEADER = "HTTP_USER_AGENT".freeze
-    ORIGIN_HEADER = "HTTP_ORIGIN".freeze
-
-    module TokenVerificationErrorReason
-        TOKEN_INVALID = "token-invalid".freeze
-        TOKEN_EXPIRED = "token-expired".freeze
-        TOKEN_NOT_ACTIVE_YET = "token-not-active-yet".freeze
-        JWK_FAILED_TO_RESOLVE = "jwk-failed-to-resolve".freeze
+  SESSION_COOKIE = "__session"
+  CLIENT_UAT_COOKIE = "__client_uat"
+
+  # Dev Browser
+  DEV_BROWSER_COOKIE = "__clerk_db_jwt"
+
+  # Handshake
+  HANDSHAKE_COOKIE = "__clerk_handshake"
+  HANDSHAKE_COOKIE_DIRECTIVES_KEY = "handshake"
+
+  # auth debug response headers
+  AUTH_STATUS_HEADER = "X-Clerk-Auth-Status"
+  AUTH_REASON_HEADER = "X-Clerk-Auth-Reason"
+  AUTH_MESSAGE_HEADER = "X-Clerk-Auth-Message"
+
+  CONTENT_TYPE_HEADER = "Content-Type"
+  SEC_FETCH_DEST_HEADER = "HTTP_SEC_FETCH_DEST"
+
+  # headers used in response - should be lowered case and without http prefix
+  LOCATION_HEADER = "Location"
+  SET_COOKIE_HEADER = "set-cookie"
+
+  # clerk url related headers
+  AUTHORIZATION_HEADER = "HTTP_AUTHORIZATION"
+  ACCEPT_HEADER = "HTTP_ACCEPT"
+  USER_AGENT_HEADER = "HTTP_USER_AGENT"
+  ORIGIN_HEADER = "HTTP_ORIGIN"
+
+  module TokenVerificationErrorReason
+    TOKEN_INVALID = "token-invalid"
+    TOKEN_EXPIRED = "token-expired"
+    TOKEN_NOT_ACTIVE_YET = "token-not-active-yet"
+    JWK_FAILED_TO_RESOLVE = "jwk-failed-to-resolve"
+  end
+
+  module AuthErrorReason
+    CLIENT_UAT_WITHOUT_SESSION_TOKEN = "client-uat-but-no-session-token"
+    DEV_BROWSER_SYNC = "dev-browser-sync"
+    DEV_BROWSER_MISSING = "dev-browser-missing"
+    PRIMARY_RESPONDS_TO_SYNCING = "primary-responds-to-syncing"
+    SATELLITE_COOKIE_NEEDS_SYNCING = "satellite-needs-syncing"
+    SESSION_TOKEN_AND_UAT_MISSING = "session-token-and-uat-missing"
+    SESSION_TOKEN_MISSING = "session-token-missing"
+    SESSION_TOKEN_OUTDATED = "session-token-outdated"
+    SESSION_TOKEN_WITHOUT_CLIENT_UAT = "session-token-but-no-client-uat"
+    UNEXPECTED_ERROR = "unexpected-error"
+  end
+
+  module StepUp
+    module Preset
+      STRICT_MFA = {after_minutes: 10, level: :multi_factor}
+      STRICT = {after_minutes: 10, level: :second_factor}
+      MODERATE = {after_minutes: 60, level: :second_factor}
+      LAX = {after_minutes: 1440, level: :second_factor}
     end
 
-    module AuthErrorReason
-        CLIENT_UAT_WITHOUT_SESSION_TOKEN = "client-uat-but-no-session-token".freeze
-        DEV_BROWSER_SYNC = "dev-browser-sync".freeze
-        PRIMARY_RESPONDS_TO_SYNCING = "primary-responds-to-syncing".freeze
-        SATELLITE_COOKIE_NEEDS_SYNCING = "satellite-needs-syncing".freeze
-        SESSION_TOKEN_AND_UAT_MISSING = "session-token-and-uat-missing".freeze
-        SESSION_TOKEN_MISSING = "session-token-missing".freeze
-        SESSION_TOKEN_OUTDATED = "session-token-outdated".freeze
-        SESSION_TOKEN_WITHOUT_CLIENT_UAT = "session-token-but-no-client-uat".freeze
-        UNEXPECTED_ERROR = "unexpected-error".freeze
+    module Reverification
+      def self.error_payload(missing_config)
+        {
+          clerk_error: {
+            type: "forbidden",
+            reason: "reverification-error",
+            metadata: {reverification: missing_config}
+          }
+        }
+      end
     end
-end
+  end
+end

data/lib/clerk/error.rb

@@ -0,0 +1,17 @@
+module Clerk
+  class Error < StandardError
+    attr_reader :status
+
+    def initialize(msg, status:)
+      @errors = msg["errors"]
+      @status = status
+      super(msg.merge(status: status))
+    end
+  end
+
+  class AuthenticationError < Error; end
+
+  class ConfigurationError < StandardError; end
+
+  class FatalError < Error; end
+end

data/lib/clerk/jwks_cache.rb

@@ -1,32 +1,37 @@
-class JWKSCache
-  def initialize(lifetime)
-    @lifetime = lifetime
-    @jwks = nil
-    @last_update = nil
-    @lock = Concurrent::ReadWriteLock.new
-  end
+require "concurrent"
 
-  def fetch(sdk, force_refresh: false, kid_not_found: false)
-    should_refresh = @lock.with_read_lock do
-      @jwks.nil? || @last_update.nil? || force_refresh ||
-        (Time.now.to_i-@last_update > @lifetime) ||
-        (kid_not_found && Time.now.to_i-@last_update > 300)
+module Clerk
+  class JWKSCache
+    def initialize(lifetime)
+      @lifetime = lifetime
+      @jwks = nil
+      @last_update = nil
+      @lock = Concurrent::ReadWriteLock.new
     end
 
-    if should_refresh
-      @lock.with_write_lock do
-        @last_update = Time.now.to_i
+    def fetch(sdk, force_refresh: false, kid_not_found: false)
+      should_refresh = @lock.with_read_lock do
+        now = Time.now.to_i
+
+        @jwks.nil? || @last_update.nil? || force_refresh ||
+          (now - @last_update > @lifetime) ||
+          (kid_not_found && now - @last_update > 300)
+      end
 
-        @jwks = begin
-          sdk.jwks.all["keys"]
-        rescue Clerk::Errors::Base
-          nil
+      if should_refresh
+        @lock.with_write_lock do
+          @last_update = Time.now.to_i
+          @jwks = begin
+            sdk.jwks.get.keys.map(&:to_hash)
+          rescue Clerk::Error, ClerkHttpClient::ApiError
+            nil
+          end
         end
       end
-    end
 
-    @lock.with_read_lock do
-      @jwks
+      @lock.with_read_lock do
+        @jwks
+      end
     end
   end
 end

data/lib/clerk/proxy.rb

@@ -0,0 +1,135 @@
+require "clerk"
+require "clerk/authenticate_context"
+require "clerk/authenticate_request"
+
+module Clerk
+  class Proxy
+    CACHE_TTL = 60 # seconds
+
+    attr_reader :session_claims, :session_token
+
+    def initialize(session_claims: nil, session_token: nil)
+      @session_claims = session_claims
+      @session_token = session_token
+    end
+
+    def user?
+      !@session_claims.nil?
+    end
+
+    def user
+      return nil unless user?
+
+      @user ||= fetch_user(user_id)
+    end
+
+    def user_id
+      return nil unless user?
+
+      @session_claims["sub"]
+    end
+
+    def organization?
+      !organization_id.nil?
+    end
+
+    def organization
+      return nil unless organization?
+
+      @org ||= fetch_org(organization_id)
+    end
+
+    def organization_id
+      return nil unless user?
+
+      @session_claims["org_id"]
+    end
+
+    def organization_role
+      return nil if @session_claims.nil?
+
+      @session_claims["org_role"]
+    end
+
+    def organization_permissions
+      return nil if @session_claims.nil?
+
+      @session_claims["org_permissions"]
+    end
+
+    # Returns true if the session needs to perform step up verification
+    def user_reverified?(params)
+      return false unless user?
+
+      fva = session_claims["fva"]
+
+      # the feature is disabled
+      return true if fva.nil?
+
+      level = params[:level]
+      after_minutes = params[:after_minutes].to_i
+
+      return false if after_minutes.nil? || level.nil?
+
+      factor1_age, factor2_age = fva
+      is_valid_factor1 = factor1_age != -1 && after_minutes > factor1_age
+      is_valid_factor2 = factor2_age != -1 && after_minutes > factor2_age
+
+      case level
+      when :first_factor
+        is_valid_factor1
+      when :second_factor
+        (factor2_age == -1) ? is_valid_factor1 : is_valid_factor2
+      when :multi_factor
+        (factor2_age == -1) ? is_valid_factor1 : is_valid_factor1 && is_valid_factor2
+      end
+    end
+
+    def user_needs_reverification?(preset = StepUp::Preset::STRICT)
+      !user_reverified?(preset)
+    end
+
+    def user_require_reverification!(preset = StepUp::Preset::STRICT, &block)
+      return unless user_needs_reverification?(preset)
+      yield(preset) if block_given?
+    end
+
+    def user_reverification_rack_response(config = nil)
+      raise ArgumentError, "Missing config, please pass a preset a la `Clerk::StepUp::Preset::*`" if config.nil?
+
+      [
+        403,
+        {"Content-Type" => "application/json"},
+        [StepUp::Reverification.error_payload(config).to_json]
+      ]
+    end
+
+    private
+
+    def fetch_user(user_id)
+      cached_fetch("clerk:user:#{user_id}") do
+        sdk.users.find(user_id)
+      end
+    end
+
+    def fetch_org(org_id)
+      cached_fetch("clerk:org:#{org_id}") do
+        sdk.organizations.find(org_id)
+      end
+    end
+
+    def cached_fetch(key, &block)
+      store = Clerk.configuration.cache_store
+
+      if store
+        store.fetch(key, expires_in: CACHE_TTL, &block)
+      else
+        yield
+      end
+    end
+
+    def sdk
+      @sdk ||= Clerk::SDK.new
+    end
+  end
+end

data/lib/clerk/rack.rb

@@ -0,0 +1,2 @@
+require "clerk"
+require "clerk/rack_middleware"

data/lib/clerk/rack_middleware.rb

@@ -1,97 +1,112 @@
-require_relative "sdk"
+require "clerk"
+require "clerk/authenticate_context"
+require "clerk/authenticate_request"
+require "clerk/proxy"
+require "clerk/utils"
 
 module Clerk
-  class RackMiddleware
-    def initialize(app)
-      @app = app
-    end
+  module Rack
+    class Middleware
+      def initialize(app, options = {})
+        @app = app
 
-    def call(env)
-      req = Rack::Request.new(env)
-      env["clerk"] = Proxy.new(env)
-      @app.call(env)
-    end
-  end
+        Clerk.configuration.update(options) if options
+        @excluded_routes, @excluded_routes_wildcards = Clerk::Utils.filter_routes(Clerk.configuration.excluded_routes)
+      end
 
-  class Proxy
-    attr_reader :session_id, :error
-    def initialize(env)
-      req = Rack::Request.new(env)
-      @token = req.cookies[SESSION_COOKIE]
-      @session_id = req.params["_clerk_session_id"]
-      @session = nil
-      @user_id = nil
-      @user = nil
-    end
+      def call(env)
+        env["clerk.initialized"] = true
 
-    def session
-      return nil if @token.nil?
-      return @session if @session
+        req = ::Rack::Request.new(env)
 
-      begin
-        @session = fetch_session
-      rescue Errors::Authentication => e
-        @error = e
-      end
-      @session
-    end
+        if @excluded_routes[req.path]
+          env["clerk.excluded_route"] = true
+          return @app.call(env)
+        end
 
-    def user_id
-      @user_id ||= session.dig("user_id")
-    end
+        @excluded_routes_wildcards.each do |route|
+          if req.path.start_with?(route)
+            env["clerk.excluded_route"] = true
+            return @app.call(env)
+          end
+        end
 
-    def user
-      return nil if session.nil?
-      @user ||= fetch_user(user_id)
-    end
+        env["clerk"] = Clerk::Proxy.new
 
-    def debug
-      (instance_variables - [:@sdk]).map do |ivar|
-        [ivar.to_s, instance_variable_get(ivar)]
-      end.to_h
-    end
+        auth_context = AuthenticateContext.new(req, Clerk.configuration)
+        auth_request = AuthenticateRequest.new(auth_context)
 
-    private
-    def sdk
-      @sdk ||= SDK.new
-    end
+        status, auth_request_headers, body = auth_request.resolve(env)
 
-    def cache_key
-      @cache_key ||= @token.split(".")[1]
-    end
+        return [status, auth_request_headers, body] if status
+
+        status, headers, body = @app.call(env)
 
-    def fetch_session
-      if session_id
-        cached_fetch("clerk_session:#{session_id}:#{cache_key}") do
-          sdk.sessions.verify_token(session_id, @token)
+        unless auth_request_headers.empty?
+          # Remove them to avoid overriding existing cookies set in headers by other middlewares
+          auth_request_cookies = auth_request_headers.delete(SET_COOKIE_HEADER.downcase)
+          # merge non-cookie related headers into response headers
+          headers.merge!(auth_request_headers)
+
+          set_cookie_headers!(headers, auth_request_cookies) if auth_request_cookies
         end
-      else
-        cached_fetch("clerk_session:#{cache_key}") do
-          client = sdk.clients.verify_token(@token)
-          @session_id = client["last_active_session_id"]
-          client["sessions"].find do |sess|
-            sess["id"] == @session_id
-          end
+
+        [status, headers, body]
+      end
+
+      private
+
+      def parse_cookie_key(cookie_header)
+        cookie_header.split(";")[0].split("=")[0]
+      end
+
+      def set_cookie_headers!(headers, cookie_headers)
+        cookie_headers.each do |cookie_header|
+          cookie_key = parse_cookie_key(cookie_header)
+          cookie = ::Rack::Utils.parse_cookies_header(cookie_header)
+          cookie_params = convert_http_cookie_to_cookie_setter_params(cookie_key, cookie)
+          ::Rack::Utils.set_cookie_header!(headers, cookie_key, cookie_params)
         end
       end
-    end
 
-    def fetch_user(user_id)
-      cached_fetch("clerk_user:#{user_id}") do
-        sdk.users.find(user_id)
+      def convert_http_cookie_to_cookie_setter_params(cookie_key, cookie)
+        # convert cookie to to match cookie setter method params (lowercase symbolized keys with `:value` key)
+        cookie_params = cookie.transform_keys { |k| k.downcase.to_sym }
+        # drop the current cookie name key to avoid polluting the expected cookie params
+        cookie_params[:value] = cookie_params.delete(cookie_key.to_sym)
+
+        # Ensure secure and httponly are set to true if present
+        cookie_params[:secure] = cookie_params.has_key?(:secure)
+        cookie_params[:httponly] = cookie_params.has_key?(:httponly)
+
+        # fix issue with cookie expiration expected to be Date type
+        cookie_params[:expires] = Date.parse(cookie_params[:expires]) if cookie_params[:expires]
+
+        cookie_params
       end
     end
 
-    def cached_fetch(key, &block)
-      if store = Clerk.configuration.middleware_cache_store
-        store.fetch(key, expires_in: cache_ttl, &block)
-      else
-        yield
+    class Reverification
+      def initialize(app, routes: ["/*"], preset: Clerk::StepUp::Preset::STRICT)
+        @app = app
+        @preset = preset
+
+        @included_routes, @included_routes_wildcards = Clerk::Utils.filter_routes(routes)
       end
-    end
 
-    def cache_ttl
-      60
+      def call(env)
+        raise Clerk::ConfigurationError, "`Clerk::Rack::Reverification` must be initialized after `Clerk::Rack::Middleware`" unless env["clerk.initialized"]
+        return @app.call(env) if env["clerk.excluded_route"]
+
+        req = ::Rack::Request.new(env)
+        valid_route = @included_routes[req.path] || @included_routes_wildcards.any? { |route| req.path.start_with?(route) }
+
+        if valid_route && env["clerk"].user_needs_reverification?(@preset)
+          return env["clerk"].user_reverification_rack_response(@preset)
+        end
+
+        @app.call(env)
+      end
     end
   end
 end

data/lib/clerk/rails.rb

@@ -0,0 +1,3 @@
+require "clerk"
+require "clerk/authenticatable"
+require "clerk/railtie"

data/lib/clerk/railtie.rb

@@ -1,12 +1,13 @@
 # frozen_string_literal: true
-#
-require_relative "rack_middleware"
-require_relative "rack_middleware_v2"
+
+require "clerk/rack_middleware"
 
 module Clerk
-  class Railtie < ::Rails::Railtie
-    initializer "clerk_railtie.configure_rails_initialization" do |app|
-      app.middleware.use Clerk::RackMiddlewareV2
+  module Rails
+    class Railtie < ::Rails::Railtie
+      initializer "clerk.configure_rails_initialization" do |app|
+        app.middleware.use Clerk::Rack::Middleware
+      end
     end
   end
 end