clerk-sdk-ruby 1.0.3 → 2.0.0.alpha.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b552d3c5f39415cb8ec3b53e0161d141fa551a2fb57caf3428ac74c7696c4703
-  data.tar.gz: a04cbc5d764f5afcca0b8a16e1f54759ca0e11d9879d92192d7fde554d71de7a
+  metadata.gz: 1e7b69485de55997a4dac75759908e7709dcb7fdb83c92fe09d2c4748a0a74f7
+  data.tar.gz: a0afbe19f7d6a7a9a998e82b798a8a548f051505e14f3b1d50688d2aaa436d7f
 SHA512:
-  metadata.gz: ec8fba622266a4b2ea2bd99ba3cc08dafe92c7daa130fc1d0955a68af56314c3eabd740f164931270d3da25a603b213b24024ee5cb96dabb0afd067a4eecd31a
-  data.tar.gz: 52edbcac0b3af2396c11240e3e438f2560a7c2f312ae5299025ce6b22e3b345b32159ef9ec9123d22fc5c3b6a556155558f0581d10d6a95bc9f07cd248b6eb9f
+  metadata.gz: 062e4297db4b8b20e1a6ed6bf6d69a2b0f2df0f5aecc5d716e6b883877fea484476c9d75bf7e7fda294b88774b707b60fd09a85604f7f9363b1161f622d4947a
+  data.tar.gz: 50ecd09031d4383b5d136840f8457841253c86122fb3a4a8769d8d86553fb3d2ff9323f0cb98bdde68f4990d2c4cc955b9996a3fca09a0c597e10a7bbb39d8eb

data/.gitignore

@@ -6,3 +6,5 @@
 /pkg/
 /spec/reports/
 /tmp/
+
+.byebug_history

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## unreleased
 
+This release (v2) introduces the new networkless middleware which is compatible 
+with the new authentication scheme, dubbed *AuthV2*.
+
+It is backwards-incompatible with applications using AuthV1.
+
+- [BREAKING]: In order to use this version, you must set the authVersion prop 
+    accordingly in your frontend: `Clerk.load({authVersion: 2})`
+
 ## 1.0.3 - 2021-07-21
 
 - fix: Proper endpoint for oauth_access_token method

data/Gemfile.lock

@@ -1,13 +1,15 @@
 PATH
   remote: .
   specs:
-    clerk-sdk-ruby (1.0.2)
+    clerk-sdk-ruby (1.0.3)
       faraday (~> 1.4.1)
+      jwt (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    faraday (1.4.2)
+    byebug (11.1.3)
+    faraday (1.4.3)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -19,19 +21,23 @@ GEM
     faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.1.0)
+    faraday-net_http_persistent (1.2.0)
+    jwt (2.2.3)
     minitest (5.14.2)
     multipart-post (2.1.1)
     rake (13.0.3)
-    ruby2_keywords (0.0.4)
+    ruby2_keywords (0.0.5)
+    timecop (0.9.4)
 
 PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  byebug (~> 11.1)
   clerk-sdk-ruby!
   minitest (~> 5.0)
   rake (~> 13.0)
+  timecop (~> 0.9.4)
 
 BUNDLED WITH
-   2.2.15
+   2.2.24

data/README.md

@@ -1,5 +1,15 @@
 # Clerk Ruby SDK
 
+**NOTE**: This is the v2 branch of the SDK, which requires that you use AuthV2 
+in your frontend. This means that you have to set the `authVersion` prop 
+accordingly in your frontend:
+
+```javascript
+Clerk.load({authVersion: 2})
+```
+
+----------
+
 Thank you for choosing [Clerk](https://clerk.dev/) for your authentication,
 session & user management needs!
 

data/bin/console

@@ -3,6 +3,7 @@
 
 require "bundler/setup"
 require "clerk"
+require "byebug"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/clerk-sdk-ruby.gemspec

@@ -28,4 +28,8 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "faraday", "~> 1.4.1"
+  spec.add_dependency "jwt", '~> 2.2'
+
+  spec.add_development_dependency "byebug", "~> 11.1"
+  spec.add_development_dependency "timecop", "~> 0.9.4"
 end

data/lib/clerk/authenticatable.rb

@@ -5,16 +5,52 @@ module Clerk
     extend ActiveSupport::Concern
 
     protected
+
+    # Makes a request to the Clerk API to verify the session again and return
+    # the Session object. Subsequent calls to this method will return the cached
+    # Session object.
+    #
+    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # which already contains the verified claims as retrieved from the session
+    # token.
     def clerk_session
       request.env["clerk"].session
     end
 
+    # Makes a request to the Clerk API to verify the session again. Returns the
+    # session object as fetched from the API.
+    #
+    # NOTE: For better performance, you can instead use `#clerk_session_claims`
+    # which already contains the verified claims as retrieved from the session
+    # token.
+    #
+    # See https://docs.clerk.dev/reference/backend-api-reference/sessions#verify-a-session
+    def clerk_reverify_session!
+      request.env["clerk"].verify_session
+    end
+
+    def clerk_verified_session_claims
+      request.env["clerk"].session_claims
+    end
+
+    def clerk_verified_session_token
+      request.env["clerk"].session_token
+    end
+
+    # Makes a request to the Clerk API to fetch the data of the authenticated
+    # session's user. If caching is configured (see
+    # Config.middleware_cache_store), subsequent calls will return the cached
+    # object.
     def clerk_user
       request.env["clerk"].user
     end
 
+    def clerk_user_id
+      request.env["clerk"].user_id
+    end
+
     def clerk_user_signed_in?
-      !!clerk_user
+      !!clerk_verified_session_claims
     end
 
     def clerk_sign_in_url
@@ -30,8 +66,10 @@ module Clerk
     end
 
     included do
-      helper_method :clerk_session, :clerk_user, :clerk_user_signed_in?,
-        :clerk_sign_in_url, :clerk_sign_up_url, :clerk_user_profile_url
+      helper_method :clerk_session, :clerk_reverify_session!,
+        :clerk_verified_session_claims, :clerk_verified_session_token,
+        :clerk_user, :clerk_user_id, :clerk_user_signed_in?, :clerk_sign_in_url,
+        :clerk_sign_up_url, :clerk_user_profile_url
     end
   end
 end

data/lib/clerk/rack_middleware_v2.rb

@@ -0,0 +1,168 @@
+require "clerk"
+
+module Clerk
+  class RackMiddlewareV2
+    class ProxyV2
+      CACHE_TTL = 60 # seconds
+
+      attr_reader :session_claims, :session_token
+
+      def initialize(session_claims: nil, session_token: nil)
+        @session_claims = session_claims
+        @session_token = session_token
+        @session = nil
+      end
+
+      def session
+        return nil if @session_claims.nil?
+
+        @session ||= verify_session
+      end
+
+      def verify_session
+        return nil if @session_claims.nil?
+
+        sdk.sessions.verify_token(@session_claims["sid"], @session_token)
+      end
+
+      def user
+        return nil if user_id.nil?
+
+        @user ||= fetch_user(user_id)
+      end
+
+      def user_id
+        return nil if @session_claims.nil?
+
+        @session_claims["sub"]
+      end
+
+      private
+
+      def fetch_user(user_id)
+        cached_fetch("clerk_user:#{user_id}") do
+          sdk.users.find(user_id)
+        end
+      end
+
+      def cached_fetch(key, &block)
+        if store = Clerk.configuration.middleware_cache_store
+          store.fetch(key, expires_in: CACHE_TTL, &block)
+        else
+          yield
+        end
+      end
+
+      def sdk
+        @sdk ||= Clerk::SDK.new
+      end
+    end
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @env = env
+      @req = Rack::Request.new(env)
+      @env["clerk"] = ProxyV2.new
+      @header_token = @req.env["HTTP_AUTHORIZATION"]&.strip
+      @cookie_token = @req.cookies["__session"]
+      @client_uat = @req.cookies["__client_uat"]
+
+      ##########################################################################
+      #                                                                        #
+      #                          HEADER AUTHENTICATION                         #
+      #                                                                        #
+      ##########################################################################
+      if @header_token
+        return signed_out if !sdk.decode_token(@header_token) # malformed JWT
+
+        token = verify_token(@header_token)
+        return signed_in(token, @header_token) if token
+
+        # Clerk.js should refresh the token and retry
+        return unknown(interstitial: false)
+      end
+
+      # in cross-origin XHRs the use of Authorization header is mandatory.
+      if cross_origin_request?(@req) && @header_token.nil?
+        return signed_out
+      end
+
+      ##########################################################################
+      #                                                                        #
+      #                             COOKIE AUTHENTICATION                      #
+      #                                                                        #
+      ##########################################################################
+      if development_or_staging? && (@req.referrer.nil? || cross_origin_request?(@req))
+        return unknown(interstitial: true)
+      end
+
+      if production? && @client_uat.nil?
+        return signed_out
+      end
+
+      if @client_uat == "0"
+        return signed_out
+      end
+
+      token = verify_token(@cookie_token)
+
+      if token && token["iat"] && @client_uat && Integer(@client_uat) <= token["iat"]
+        return signed_in(token, @cookie_token)
+      end
+
+      unknown(interstitial: true)
+    end
+
+    private
+
+    # Outcome A
+    def signed_in(claims, token)
+      @env["clerk"] = ProxyV2.new(session_claims: claims, session_token: token)
+
+      @app.call(@env)
+    end
+
+    # Outcome B
+    def signed_out
+      @app.call(@env)
+    end
+
+    # Outcome C
+    def unknown(interstitial: false)
+      return [401, {}, []] if !interstitial
+
+      # Load Clerk.js to update the __session and __client_uat cookies.
+      [401, {"Content-Type" => "text/html"}, [sdk.interstitial]]
+    end
+
+    def development_or_staging?
+      Clerk.configuration.api_key.start_with?("test_")
+    end
+
+    def production?
+      !development_or_staging?
+    end
+
+    def cross_origin_request?(req)
+      origin = req.env["HTTP_ORIGIN"]
+      origin && origin != req.host
+    end
+
+    def verify_token(token)
+      return false if token.nil? || token.strip.empty?
+
+      begin
+        @session = sdk.verify_token(token)
+      rescue JWT::DecodeError, JWT::RequiredDependencyError => e
+        false
+      end
+    end
+
+    def sdk
+      @sdk ||= Clerk::SDK.new
+    end
+  end
+end

data/lib/clerk/railtie.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 #
 require_relative "rack_middleware"
+require_relative "rack_middleware_v2"
 
 module Clerk
   class Railtie < ::Rails::Railtie
     initializer "clerk_railtie.configure_rails_initialization" do |app|
-      app.middleware.use Clerk::RackMiddleware
+      app.middleware.use Clerk::RackMiddlewareV2
     end
   end
 end

data/lib/clerk/resources/jwks.rb

@@ -0,0 +1,18 @@
+require "forwardable"
+require_relative "plural_resource"
+
+module Clerk
+  module Resources
+    class JWKS
+      extend Forwardable
+
+      def initialize(client)
+        @client = client
+      end
+
+      def all(timeout: 5)
+        @client.request(:get, "jwks", timeout: timeout)
+      end
+    end
+  end
+end

data/lib/clerk/resources.rb

@@ -5,3 +5,4 @@ require_relative "resources/emails"
 require_relative "resources/sessions"
 require_relative "resources/sms_messages"
 require_relative "resources/users"
+require_relative "resources/jwks"

data/lib/clerk/sdk.rb

@@ -4,6 +4,7 @@ require "faraday"
 require "logger"
 require "net/http"
 require "json"
+require "jwt"
 
 require_relative "resources/allowlist_identifiers"
 require_relative "resources/allowlist"
@@ -12,6 +13,8 @@ require_relative "resources/emails"
 require_relative "resources/sessions"
 require_relative "resources/sms_messages"
 require_relative "resources/users"
+require_relative "resources/users"
+require_relative "resources/jwks"
 require_relative "errors"
 
 module Clerk
@@ -20,8 +23,13 @@ module Clerk
       "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}"
     }
 
+    # How often (in seconds) should JWKs be refreshed
+    JWKS_CACHE_LIFETIME = 3600 # 1 hour
+
     def initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true,
                    connection: nil)
+      @jwks_fetched_at = nil
+
       if connection # Inject a Faraday::Connection for testing or full control over Faraday
         @conn = connection
         return
@@ -48,16 +56,26 @@ module Clerk
       end
     end
 
-    def request(method, path, query: [], body: nil)
+    def request(method, path, query: [], body: nil, timeout: nil)
       response = case method
                  when :get
-                   @conn.get(path, query)
+                   @conn.get(path, query) do |req|
+                     req.options.timeout = timeout if timeout
+                   end
                  when :post
-                   @conn.post(path, body)
+                   @conn.post(path, body) do |req|
+                     req.body = body
+                     req.options.timeout = timeout if timeout
+                   end
                  when :patch
-                   @conn.patch(path, body)
+                   @conn.patch(path, body) do |req|
+                     req.body = body
+                     req.options.timeout = timeout if timeout
+                   end
                  when :delete
-                   @conn.delete(path)
+                   @conn.delete(path) do |req|
+                     req.options.timeout = timeout if timeout
+                   end
                  end
 
       body = if response["Content-Type"] == "application/json"
@@ -106,5 +124,50 @@ module Clerk
     def users
       Resources::Users.new(self)
     end
+
+    def jwks
+      Resources::JWKS.new(self)
+    end
+
+    def interstitial(refresh=false)
+      request(:get, "internal/interstitial")
+    end
+
+    # Returns the decoded JWT payload without verifying if the signature is
+    # valid.
+    #
+    # WARNING: This will not verify whether the signature is valid. You
+    # should not use this for untrusted messages! You most likely want to use
+    # verify_token.
+    def decode_token(token)
+      JWT.decode(token, nil, false).first
+    end
+
+    # Decode the JWT and verify it's valid (verify claims, signature etc.) using
+    # the provided algorithms.
+    #
+    # JWKS are cached for JWKS_CACHE_LIFETIME seconds, in order to avoid
+    # unecessary roundtrips. In order to invalidate the cache, pass
+    # `force_refresh_jwks: true`.
+    #
+    # A timeout for the request to the JWKs endpoint can be set with the
+    # `timeout` argument.
+    def verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5)
+      jwk_loader = ->(options) do
+        @cached_jwks = nil if options[:invalidate] || force_refresh_jwks
+        @cached_jwks = nil if @jwks_fetched_at && Time.now.to_i - @jwks_fetched_at > JWKS_CACHE_LIFETIME
+
+        @cached_jwks ||= begin
+          keys = jwks.all["keys"]
+          @jwks_fetched_at = Time.now.to_i
+
+          # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
+          # opposed to a string which our SDK returns by default)
+          { keys: keys }
+        end
+      end
+
+      JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwk_loader).first
+    end
   end
 end

data/lib/clerk/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clerk
-  VERSION = "1.0.3"
+  VERSION = "2.0.0.alpha.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: clerk-sdk-ruby
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 2.0.0.alpha.1
 platform: ruby
 authors:
 - Clerk
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-21 00:00:00.000000000 Z
+date: 2021-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -24,6 +24,48 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.4.1
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.4
 description: Client SDK for the Clerk backend API.
 email:
 - ruby-sdk@clerk.dev
@@ -47,12 +89,14 @@ files:
 - lib/clerk/errors.rb
 - lib/clerk/proxy.rb
 - lib/clerk/rack_middleware.rb
+- lib/clerk/rack_middleware_v2.rb
 - lib/clerk/railtie.rb
 - lib/clerk/resources.rb
 - lib/clerk/resources/allowlist.rb
 - lib/clerk/resources/allowlist_identifiers.rb
 - lib/clerk/resources/clients.rb
 - lib/clerk/resources/emails.rb
+- lib/clerk/resources/jwks.rb
 - lib/clerk/resources/plural_resource.rb
 - lib/clerk/resources/sessions.rb
 - lib/clerk/resources/singular_resource.rb
@@ -68,7 +112,7 @@ metadata:
   homepage_uri: https://github.com/clerkinc/clerk-sdk-ruby
   source_code_uri: https://github.com/clerkinc/clerk-sdk-ruby
   changelog_uri: https://github.com/clerkinc/clerk-sdk-ruby/blob/main/CHANGELOG.md
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -79,12 +123,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.2.15
-signing_key:
+rubygems_version: 3.2.5
+signing_key: 
 specification_version: 4
 summary: Clerk SDK for Ruby.
 test_files: []