RubyGems - th7-clerk-sdk-ruby - Versions diffs - 4.2.2 - Mend

th7-clerk-sdk-ruby 4.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

checksums.yaml +7 -0
data/.env.example +3 -0
data/.github/workflows/main.yml +30 -0
data/.github/workflows/semgrep.yml +24 -0
data/.gitignore +21 -0
data/.rspec +3 -0
data/.ruby-version +1 -0
data/CHANGELOG.md +212 -0
data/Gemfile +33 -0
data/Gemfile.lock +300 -0
data/Guardfile +14 -0
data/LICENSE.txt +21 -0
data/README.md +278 -0
data/Rakefile +56 -0
data/apps/rack/app.rb +67 -0
data/apps/rack/config.ru +17 -0
data/apps/rack/middleware/disable_paths.rb +13 -0
data/apps/rails-api/.dockerignore +41 -0
data/apps/rails-api/.gitattributes +9 -0
data/apps/rails-api/.gitignore +32 -0
data/apps/rails-api/.kamal/hooks/docker-setup.sample +3 -0
data/apps/rails-api/.kamal/hooks/post-deploy.sample +14 -0
data/apps/rails-api/.kamal/hooks/post-proxy-reboot.sample +3 -0
data/apps/rails-api/.kamal/hooks/pre-build.sample +51 -0
data/apps/rails-api/.kamal/hooks/pre-connect.sample +47 -0
data/apps/rails-api/.kamal/hooks/pre-deploy.sample +109 -0
data/apps/rails-api/.kamal/hooks/pre-proxy-reboot.sample +3 -0
data/apps/rails-api/.kamal/secrets +17 -0
data/apps/rails-api/.rubocop.yml +8 -0
data/apps/rails-api/.ruby-version +1 -0
data/apps/rails-api/Dockerfile +69 -0
data/apps/rails-api/Gemfile +54 -0
data/apps/rails-api/Gemfile.lock +374 -0
data/apps/rails-api/README.md +24 -0
data/apps/rails-api/Rakefile +6 -0
data/apps/rails-api/app/controllers/application_controller.rb +3 -0
data/apps/rails-api/app/controllers/home_controller.rb +5 -0
data/apps/rails-api/app/jobs/application_job.rb +7 -0
data/apps/rails-api/app/mailers/application_mailer.rb +4 -0
data/apps/rails-api/app/models/application_record.rb +3 -0
data/apps/rails-api/app/views/layouts/mailer.html.erb +13 -0
data/apps/rails-api/app/views/layouts/mailer.text.erb +1 -0
data/apps/rails-api/bin/brakeman +7 -0
data/apps/rails-api/bin/bundle +109 -0
data/apps/rails-api/bin/dev +2 -0
data/apps/rails-api/bin/docker-entrypoint +14 -0
data/apps/rails-api/bin/jobs +6 -0
data/apps/rails-api/bin/kamal +27 -0
data/apps/rails-api/bin/rails +4 -0
data/apps/rails-api/bin/rake +4 -0
data/apps/rails-api/bin/rubocop +8 -0
data/apps/rails-api/bin/setup +34 -0
data/apps/rails-api/bin/thrust +5 -0
data/apps/rails-api/config/application.rb +36 -0
data/apps/rails-api/config/boot.rb +4 -0
data/apps/rails-api/config/cable.yml +17 -0
data/apps/rails-api/config/cache.yml +16 -0
data/apps/rails-api/config/credentials.yml.enc +1 -0
data/apps/rails-api/config/database.yml +41 -0
data/apps/rails-api/config/deploy.yml +116 -0
data/apps/rails-api/config/environment.rb +5 -0
data/apps/rails-api/config/environments/development.rb +70 -0
data/apps/rails-api/config/environments/production.rb +88 -0
data/apps/rails-api/config/environments/test.rb +53 -0
data/apps/rails-api/config/initializers/cors.rb +16 -0
data/apps/rails-api/config/initializers/filter_parameter_logging.rb +8 -0
data/apps/rails-api/config/initializers/inflections.rb +16 -0
data/apps/rails-api/config/locales/en.yml +31 -0
data/apps/rails-api/config/puma.rb +41 -0
data/apps/rails-api/config/queue.yml +18 -0
data/apps/rails-api/config/recurring.yml +10 -0
data/apps/rails-api/config/routes.rb +10 -0
data/apps/rails-api/config/storage.yml +34 -0
data/apps/rails-api/config.ru +6 -0
data/apps/rails-api/db/cable_schema.rb +11 -0
data/apps/rails-api/db/cache_schema.rb +14 -0
data/apps/rails-api/db/queue_schema.rb +129 -0
data/apps/rails-api/db/seeds.rb +9 -0
data/apps/rails-api/public/robots.txt +1 -0
data/apps/rails-api/test/controllers/home_controller_test.rb +7 -0
data/apps/rails-api/test/test_helper.rb +15 -0
data/apps/rails-full/.dockerignore +47 -0
data/apps/rails-full/.gitattributes +9 -0
data/apps/rails-full/.gitignore +34 -0
data/apps/rails-full/.kamal/hooks/docker-setup.sample +3 -0
data/apps/rails-full/.kamal/hooks/post-deploy.sample +14 -0
data/apps/rails-full/.kamal/hooks/post-proxy-reboot.sample +3 -0
data/apps/rails-full/.kamal/hooks/pre-build.sample +51 -0
data/apps/rails-full/.kamal/hooks/pre-connect.sample +47 -0
data/apps/rails-full/.kamal/hooks/pre-deploy.sample +109 -0
data/apps/rails-full/.kamal/hooks/pre-proxy-reboot.sample +3 -0
data/apps/rails-full/.kamal/secrets +17 -0
data/apps/rails-full/.rubocop.yml +8 -0
data/apps/rails-full/.ruby-version +1 -0
data/apps/rails-full/Dockerfile +72 -0
data/apps/rails-full/Gemfile +70 -0
data/apps/rails-full/Gemfile.lock +429 -0
data/apps/rails-full/README.md +24 -0
data/apps/rails-full/Rakefile +6 -0
data/apps/rails-full/app/assets/stylesheets/application.css +10 -0
data/apps/rails-full/app/controllers/application_controller.rb +6 -0
data/apps/rails-full/app/controllers/home_controller.rb +11 -0
data/apps/rails-full/app/helpers/application_helper.rb +2 -0
data/apps/rails-full/app/helpers/home_helper.rb +2 -0
data/apps/rails-full/app/javascript/application.js +3 -0
data/apps/rails-full/app/javascript/controllers/application.js +9 -0
data/apps/rails-full/app/javascript/controllers/hello_controller.js +7 -0
data/apps/rails-full/app/javascript/controllers/index.js +4 -0
data/apps/rails-full/app/jobs/application_job.rb +7 -0
data/apps/rails-full/app/mailers/application_mailer.rb +4 -0
data/apps/rails-full/app/models/application_record.rb +3 -0
data/apps/rails-full/app/views/home/index.html.erb +7 -0
data/apps/rails-full/app/views/layouts/application.html.erb +60 -0
data/apps/rails-full/app/views/layouts/mailer.html.erb +13 -0
data/apps/rails-full/app/views/layouts/mailer.text.erb +1 -0
data/apps/rails-full/app/views/pwa/manifest.json.erb +22 -0
data/apps/rails-full/app/views/pwa/service-worker.js +26 -0
data/apps/rails-full/bin/brakeman +7 -0
data/apps/rails-full/bin/bundle +109 -0
data/apps/rails-full/bin/dev +2 -0
data/apps/rails-full/bin/docker-entrypoint +14 -0
data/apps/rails-full/bin/importmap +4 -0
data/apps/rails-full/bin/jobs +6 -0
data/apps/rails-full/bin/kamal +27 -0
data/apps/rails-full/bin/rails +4 -0
data/apps/rails-full/bin/rake +4 -0
data/apps/rails-full/bin/rubocop +8 -0
data/apps/rails-full/bin/setup +34 -0
data/apps/rails-full/bin/thrust +5 -0
data/apps/rails-full/config/application.rb +31 -0
data/apps/rails-full/config/boot.rb +4 -0
data/apps/rails-full/config/cable.yml +17 -0
data/apps/rails-full/config/cache.yml +16 -0
data/apps/rails-full/config/credentials.yml.enc +1 -0
data/apps/rails-full/config/database.yml +41 -0
data/apps/rails-full/config/deploy.yml +116 -0
data/apps/rails-full/config/environment.rb +5 -0
data/apps/rails-full/config/environments/development.rb +72 -0
data/apps/rails-full/config/environments/production.rb +91 -0
data/apps/rails-full/config/environments/test.rb +53 -0
data/apps/rails-full/config/importmap.rb +7 -0
data/apps/rails-full/config/initializers/assets.rb +7 -0
data/apps/rails-full/config/initializers/clerk.rb +4 -0
data/apps/rails-full/config/initializers/content_security_policy.rb +25 -0
data/apps/rails-full/config/initializers/filter_parameter_logging.rb +8 -0
data/apps/rails-full/config/initializers/inflections.rb +16 -0
data/apps/rails-full/config/locales/en.yml +31 -0
data/apps/rails-full/config/puma.rb +41 -0
data/apps/rails-full/config/queue.yml +18 -0
data/apps/rails-full/config/recurring.yml +10 -0
data/apps/rails-full/config/routes.rb +15 -0
data/apps/rails-full/config/storage.yml +34 -0
data/apps/rails-full/config.ru +6 -0
data/apps/rails-full/db/cable_schema.rb +11 -0
data/apps/rails-full/db/cache_schema.rb +14 -0
data/apps/rails-full/db/queue_schema.rb +129 -0
data/apps/rails-full/db/seeds.rb +9 -0
data/apps/rails-full/public/400.html +114 -0
data/apps/rails-full/public/404.html +114 -0
data/apps/rails-full/public/406-unsupported-browser.html +114 -0
data/apps/rails-full/public/422.html +114 -0
data/apps/rails-full/public/500.html +114 -0
data/apps/rails-full/public/icon.png +0 -0
data/apps/rails-full/public/icon.svg +3 -0
data/apps/rails-full/public/robots.txt +1 -0
data/apps/rails-full/test/application_system_test_case.rb +5 -0
data/apps/rails-full/test/controllers/home_controller_test.rb +7 -0
data/apps/rails-full/test/test_helper.rb +15 -0
data/apps/sinatra/app.rb +29 -0
data/apps/sinatra/config.ru +8 -0
data/apps/sinatra/views/index.erb +44 -0
data/bin/console +16 -0
data/bin/release +21 -0
data/bin/setup +8 -0
data/clerk-sdk-ruby.gemspec +38 -0
data/docs/clerk-logo-dark.png +0 -0
data/docs/clerk-logo-light.png +0 -0
data/lib/clerk/authenticatable.rb +32 -0
data/lib/clerk/authenticate_context.rb +168 -0
data/lib/clerk/authenticate_request.rb +261 -0
data/lib/clerk/configuration.rb +84 -0
data/lib/clerk/constants.rb +74 -0
data/lib/clerk/error.rb +17 -0
data/lib/clerk/jwks_cache.rb +37 -0
data/lib/clerk/proxy.rb +135 -0
data/lib/clerk/rack.rb +2 -0
data/lib/clerk/rack_middleware.rb +112 -0
data/lib/clerk/rails.rb +3 -0
data/lib/clerk/railtie.rb +15 -0
data/lib/clerk/sdk.rb +84 -0
data/lib/clerk/sinatra.rb +52 -0
data/lib/clerk/utils.rb +73 -0
data/lib/clerk/version.rb +5 -0
data/lib/clerk.rb +27 -0
metadata +340 -0

data/clerk-sdk-ruby.gemspec ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require_relative "lib/clerk/version"
+Gem::Specification.new do |spec|
+  spec.name          = "th7-clerk-sdk-ruby"
+  spec.version       = Clerk::VERSION
+  spec.authors       = ["Tyler"]
+  spec.email         = ["tylerhartland7@gmail.com"]
+  spec.summary       = "Fork of Clerk SDK for Ruby."
+  spec.description   = "Fork of Client SDK for the Clerk"
+  spec.homepage      = "https://github.com/th7/clerk-sdk-ruby"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/th7/clerk-sdk-ruby"
+  spec.metadata["changelog_uri"] = "https://github.com/th7/clerk-sdk-ruby/blob/main/CHANGELOG.md"
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.add_dependency "faraday", ">= 1.4.1", "< 3.0"
+  spec.add_dependency "jwt", '~> 2.5'
+  spec.add_dependency "clerk-http-client", "~> 2.0"
+  spec.add_dependency "concurrent-ruby", "~> 1.1"
+  spec.add_dependency "ostruct", "~> 0.6.1"
+  spec.add_development_dependency "byebug", "~> 11.1"
+  spec.add_development_dependency "timecop", "~> 0.9.4"
+end

data/docs/clerk-logo-dark.png ADDED Viewed

Binary file

data/docs/clerk-logo-light.png ADDED Viewed

Binary file

data/lib/clerk/authenticatable.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Clerk
+  module Authenticatable
+    extend ActiveSupport::Concern
+    protected
+    def clerk
+      request.env["clerk"]
+    end
+    def require_reverification!(preset = StepUp::Preset::STRICT, &block)
+      clerk.user_require_reverification!(preset) do
+        return yield(preset) if block_given?
+        render_reverification!(preset)
+      end
+    end
+    def render_reverification!(preset = nil)
+      render status: 403, json: StepUp::Reverification.error_payload(preset)
+    end
+    included do
+      if respond_to?(:helper_method)
+        helper_method :clerk, :require_reverification!, :render_reverification!
+      end
+    end
+  end
+end

data/lib/clerk/authenticate_context.rb ADDED Viewed

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+require "ostruct"
+require "forwardable"
+module Clerk
+  # This class represents a parameter object used to contain all request and configuration
+  # information required by the middleware to resolve the current request state.
+  # link: https://refactoring.guru/introduce-parameter-object
+  class AuthenticateContext
+    extend Forwardable
+    # Expose the url of the request that this parameter object was created from as a URI object.
+    attr_reader :clerk_url
+    # Expose properties that does not require validations or complex logic to retrieve
+    # values by delegating them to the cookies or headers variables.
+    def_delegators :@cookies, :session_token_in_cookie, :client_uat
+    def_delegators :@headers, :session_token_in_header, :sec_fetch_dest
+    # Creates a new parameter object using ::Rack::Request and Clerk::Config objects.
+    def initialize(request, config)
+      @clerk_url = URI.parse(request.url)
+      @config = config
+      @cookies = OpenStruct.new({
+        client_uat: request.cookies[CLIENT_UAT_COOKIE],
+        dev_browser: request.cookies[DEV_BROWSER_COOKIE],
+        handshake_token: request.cookies[HANDSHAKE_COOKIE],
+        session_token_in_cookie: request.cookies[SESSION_COOKIE]
+      })
+      @headers = OpenStruct.new({
+        accept: Utils.retrieve_header_from_request(request, ACCEPT_HEADER),
+        host: request.host,
+        origin: Utils.retrieve_header_from_request(request, ORIGIN_HEADER),
+        port: request.port,
+        sec_fetch_dest: Utils.retrieve_header_from_request(request, SEC_FETCH_DEST_HEADER),
+        session_token_in_header: Utils.retrieve_header_from_request(request, AUTHORIZATION_HEADER).gsub(/bearer/i, "").strip
+      })
+    end
+    # The following properties are part of the props supported in all the AuthenticateContext
+    # objects across all of our SDKs (eg JS, Go)
+    def secret_key
+      raise ConfigurationError, "Clerk secret key is not set" if @config.secret_key.to_s.empty?
+      @config.secret_key.to_s
+    end
+    def publishable_key
+      raise ConfigurationError, "Clerk publishable key is not set" if @config.publishable_key.to_s.to_s.empty?
+      @config.publishable_key.to_s
+    end
+    def proxy_url?
+      !proxy_url.empty?
+    end
+    def handshake_token
+      @handshake_token ||= Utils.retrieve_from_query_string(@clerk_url, HANDSHAKE_COOKIE) || @cookies.handshake_token.to_s
+    end
+    def dev_browser
+      @dev_browser ||= dev_browser_in_url || @cookies.dev_browser.to_s
+    end
+    # The frontend_api returned is without protocol prefix
+    def frontend_api
+      return "" unless Utils.valid_publishable_key?(publishable_key.to_s)
+      @frontend_api ||= if proxy_url?
+        proxy_url
+      elsif development_instance? && !domain.empty?
+        "clerk.#{domain}"
+      else
+        # remove $ postfix
+        Utils.decode_publishable_key(publishable_key).chop.to_s
+      end
+    end
+    def development_instance?
+      secret_key.start_with?("sk_test_")
+    end
+    def production_instance?
+      secret_key.start_with?("sk_live_")
+    end
+    def document_request?
+      @headers.sec_fetch_dest == "document"
+    end
+    def accepts_html?
+      @headers.accept&.start_with?("text/html")
+    end
+    def eligible_for_multi_domain?
+      is_satellite? && document_request? && !clerk_synced?
+    end
+    def active_client?
+      @cookies.client_uat.to_i.positive?
+    end
+    def cross_origin_request?
+      # origin contains scheme+host and optionally port (omitted if 80 or 443)
+      # ref. https://www.rfc-editor.org/rfc/rfc6454#section-6.1
+      return false if @headers.origin.nil?
+      # strip scheme
+      origin = @headers.origin.strip.sub(%r{\A(\w+:)?//}, "")
+      return false if origin.empty?
+      # Rack's host and port helpers are reverse-proxy-aware; that
+      # is, they prefer the de-facto X-Forwarded-* headers if they're set
+      request_host = @headers.host
+      request_host << ":#{@headers.port}" if @headers.port != 80 && @headers.port != 443
+      origin != request_host
+    end
+    def dev_browser?
+      !dev_browser.empty?
+    end
+    def session_token_in_header?
+      !session_token_in_header.to_s.empty?
+    end
+    def handshake_token?
+      !handshake_token.to_s.empty?
+    end
+    def session_token_in_cookie?
+      !session_token_in_cookie.to_s.empty?
+    end
+    def dev_browser_in_url
+      Utils.retrieve_from_query_string(@clerk_url, DEV_BROWSER_COOKIE)
+    end
+    def dev_browser_in_url?
+      !!dev_browser_in_url
+    end
+    def domain
+      "" # TODO: Add multi-domain support
+    end
+    def is_satellite?
+      false # TODO: Add multi-domain support
+    end
+    def proxy_url
+      "" # TODO: Add multi-domain support
+    end
+    def clerk_synced?
+      false # TODO: Add multi-domain support
+    end
+    def clerk_redirect_url
+      "" # TODO: Add multi-domain support
+    end
+  end
+end

data/lib/clerk/authenticate_request.rb ADDED Viewed

@@ -0,0 +1,261 @@
+# frozen_string_literal: true
+require "clerk/proxy"
+require "rack/utils"
+module Clerk
+  # This class represents a service object used to determine the current request state
+  # for the current env passed based on a provided Clerk::AuthenticateContext.
+  # There is only 1 public method exposed (`resolve`) to be invoked with a env parameter.
+  class AuthenticateRequest
+    attr_reader :auth_context
+    # Creates a new instance using Clerk::AuthenticateContext object.
+    def initialize(auth_context)
+      @auth_context = auth_context
+    end
+    # Determines the current request state by verifying a Clerk token in headers or cookies.
+    # The possible outcomes of this method are `signed-in`, `signed-out` or `handshake` states.
+    # The return values are the same as a return value of a rack middleware `[http_status_code, headers, body]`.
+    # When used in a middleware the consumer of this service should return the return value when there is an
+    # `http_status_code` provided otherwise the should continue with the middleware chain.
+    # The headers provided in the return value is a hash of { header_key => header_value } and in the case
+    # of a `Set-Cookie` header the `header_value` used is a list of raw HTTP Set-Cookie directives.
+    def resolve(env)
+      if auth_context.session_token_in_header?
+        resolve_header_token(env)
+      else
+        resolve_cookie_token(env)
+      end
+    end
+    protected
+    def resolve_header_token(env)
+      begin
+        # malformed JWT
+        unless sdk.decode_token(auth_context.session_token_in_header)
+          return signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
+        end
+        claims = verify_token(auth_context.session_token_in_header)
+        return signed_in(env, claims, auth_context.session_token_in_header) if claims
+      rescue JWT::ExpiredSignature
+        # Expired token
+        return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::TOKEN_EXPIRED)
+      rescue JWT::InvalidIatError
+        # Token not active yet
+        return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::TOKEN_NOT_ACTIVE_YET)
+      rescue JWT::DecodeError
+        # Malformed JWT (NOTE: Must be the last rescue block as it catches all decoding errors)
+        return signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
+      end
+      # Clerk.js should refresh the token and retry
+      signed_out(enforce_auth: true)
+    end
+    def resolve_cookie_token(env)
+      # in cross-origin XHRs the use of Authorization header is mandatory.
+      # TODO: add reason
+      return signed_out if auth_context.cross_origin_request?
+      return resolve_handshake(env) if auth_context.handshake_token?
+      if auth_context.development_instance? && auth_context.dev_browser_in_url?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::DEV_BROWSER_SYNC)
+      end
+      if auth_context.development_instance? && !auth_context.dev_browser?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::DEV_BROWSER_MISSING)
+      end
+      # TODO: Add multi-domain support for production
+      # if auth_context.production_instance? && auth_context.eligible_for_multi_domain?
+      #   return handle_handshake_maybe_status(env, reason: AuthErrorReason::SATELLITE_COOKIE_NEEDS_SYNCING)
+      # end
+      # TODO: Add multi-domain support for development
+      # if auth_context.development_instance? && auth_context.eligible_for_multi_domain?
+      #   # trigger handshake using auth_context.sign_in_url as base redirect_url
+      #   # return handle_handshake_maybe_status(env, reason: AuthErrorReason::SATELLITE_COOKIE_NEEDS_SYNCING, '', headers)
+      # end
+      # TODO: Add multi-domain support for development in primary
+      # if auth_context.development_instance? && !auth_context.is_satellite? && auth_context.clerk_redirect_url
+      #   # trigger handshake using auth_context.clerk_redirect_url as base redirect_url + mark it as clerk_synced
+      #   # return handle_handshake_maybe_status(env, reason: AuthErrorReason::PRIMARY_RESPONDS_TO_SYNCING, '', headers)
+      # end
+      if !auth_context.active_client? && !auth_context.session_token_in_cookie?
+        return signed_out(reason: AuthErrorReason::SESSION_TOKEN_AND_UAT_MISSING)
+      end
+      # This can eagerly run handshake since client_uat is SameSite=Strict in dev
+      if !auth_context.active_client? && auth_context.session_token_in_cookie?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::SESSION_TOKEN_WITHOUT_CLIENT_UAT)
+      end
+      if auth_context.active_client? && !auth_context.session_token_in_cookie?
+        return handle_handshake_maybe_status(env, reason: AuthErrorReason::CLIENT_UAT_WITHOUT_SESSION_TOKEN)
+      end
+      begin
+        claims = verify_token(auth_context.session_token_in_cookie)
+        return signed_out unless claims
+        if claims["iat"] < auth_context.client_uat.to_i
+          return handle_handshake_maybe_status(env, reason: AuthErrorReason::SESSION_TOKEN_OUTDATED)
+        end
+        signed_in(env, claims, auth_context.session_token_in_cookie)
+      rescue JWT::ExpiredSignature
+        handshake(env, reason: TokenVerificationErrorReason::TOKEN_EXPIRED)
+      rescue JWT::InvalidIatError
+        handshake(env, reason: TokenVerificationErrorReason::TOKEN_NOT_ACTIVE_YET)
+      rescue JWT::DecodeError
+        signed_out(reason: TokenVerificationErrorReason::TOKEN_INVALID)
+      rescue
+        signed_out
+      end
+    end
+    def resolve_handshake(env)
+      headers = {
+        Clerk::ACCESS_CONTROL_ALLOW_ORIGIN_HEADER => "null",
+        Clerk::ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER => "true"
+      }
+      session_token = nil
+      # Return signed-out outcome if the handshake verification fails
+      handshake_payload = verify_token(auth_context.handshake_token)
+      unless handshake_payload
+        return signed_out(enforce_auth: true, reason: TokenVerificationErrorReason::JWK_FAILED_TO_RESOLVE)
+      end
+      # Retrieve the cookie directives included in handshake token payload and convert it to set-cookie headers
+      # Also retrieve the session token separately to determine the outcome of the request
+      cookies_to_set = handshake_payload[HANDSHAKE_COOKIE_DIRECTIVES_KEY] || []
+      cookies_to_set.each do |cookie|
+        headers[SET_COOKIE_HEADER] ||= []
+        headers[SET_COOKIE_HEADER] << cookie
+        session_token = cookie.split(";")[0].split("=")[1] if cookie.start_with?("#{SESSION_COOKIE}=")
+      end
+      # Clear handshake token from query params and set headers to redirect to the initial request url
+      if auth_context.development_instance?
+        redirect_url = auth_context.clerk_url.dup
+        remove_from_query_string(redirect_url, HANDSHAKE_COOKIE)
+        headers[LOCATION_HEADER] = redirect_url.to_s
+      end
+      return signed_out(reason: AuthErrorReason::SESSION_TOKEN_MISSING, headers: headers) unless session_token
+      verify_token_with_retry(env, session_token)
+    end
+    def handle_handshake_maybe_status(env, **opts)
+      return signed_out unless eligible_for_handshake?
+      handshake(env, **opts)
+    end
+    # A outcome
+    def handshake(_env, **opts)
+      redirect_headers = {LOCATION_HEADER => redirect_to_handshake}
+      [307, debug_auth_headers(**opts).merge(redirect_headers), []]
+    end
+    # B outcome
+    def signed_out(**opts)
+      headers = opts.delete(:headers) || {}
+      enforce_auth = opts.delete(:enforce_auth)
+      [
+        enforce_auth ? 401 : nil,
+        debug_auth_headers(**opts).merge(headers),
+        []
+      ]
+    end
+    # C outcome
+    def signed_in(env, claims, token, **headers)
+      env["clerk"] = Proxy.new(session_claims: claims, session_token: token)
+      [nil, headers, []]
+    end
+    def eligible_for_handshake?
+      auth_context.document_request? || (!auth_context.document_request? && auth_context.accepts_html?)
+    end
+    private
+    def redirect_to_handshake
+      redirect_url = auth_context.clerk_url.dup
+      remove_from_query_string(redirect_url, DEV_BROWSER_COOKIE)
+      handshake_url = URI.parse("https://#{auth_context.frontend_api}/v1/client/handshake")
+      handshake_url_qs = ::Rack::Utils.parse_query(handshake_url.query)
+      handshake_url_qs["redirect_url"] = redirect_url
+      if auth_context.development_instance? && auth_context.dev_browser?
+        handshake_url_qs[DEV_BROWSER_COOKIE] = auth_context.dev_browser
+      end
+      handshake_url.query = ::Rack::Utils.build_query(handshake_url_qs)
+      handshake_url.to_s
+    end
+    def remove_from_query_string(url, key)
+      qs = ::Rack::Utils.parse_query(url.query)
+      qs.delete(key)
+      url.query = ::Rack::Utils.build_query(qs)
+    end
+    def verify_token(token, **opts)
+      return false if token.nil? || token.strip.empty?
+      begin
+        sdk.verify_token(token, **opts)
+      rescue JWT::ExpiredSignature, JWT::InvalidIatError => e
+        raise e
+      rescue JWT::DecodeError, JWT::RequiredDependencyError => _
+        false
+      end
+    end
+    # Verify session token and provide a 1-day leeway for development if initial verification
+    # fails for development instance due to invalid exp or iat
+    def verify_token_with_retry(env, token)
+      claims = verify_token(token)
+      signed_in(env, claims, token) if claims
+    rescue JWT::ExpiredSignature, JWT::InvalidIatError => e
+      if auth_context.development_instance?
+        # TODO: log possible Clock skew detected
+        # Retry with a generous clock skew allowance (1 day)
+        claims = verify_token(token, timeout: 86_400)
+        return signed_in(env, claims, token) if claims
+      end
+      # Raise error if handshake resolution fails in production
+      raise e
+    end
+    def sdk
+      SDK.new
+    end
+    def debug_auth_headers(reason: nil, message: nil, status: nil)
+      {
+        AUTH_REASON_HEADER => reason,
+        AUTH_MESSAGE_HEADER => message,
+        AUTH_STATUS_HEADER => status
+      }.compact
+    end
+  end
+end

data/lib/clerk/configuration.rb ADDED Viewed

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+require "clerk-http-client"
+module Clerk
+  class Configuration
+    attr_reader :cache_store
+    attr_reader :debug
+    attr_reader :logger
+    attr_reader :excluded_routes
+    attr_reader :publishable_key
+    attr_reader :secret_key
+    def initialize
+      @excluded_routes = []
+      @publishable_key = ENV["CLERK_PUBLISHABLE_KEY"]
+      @secret_key = ENV["CLERK_SECRET_KEY"]
+      # Default to Rails.cache or ActiveSupport::Cache::MemoryStore, if available, otherwise nil
+      @cache_store = if defined?(::Rails)
+        ::Rails.cache
+      elsif defined?(::ActiveSupport::Cache::MemoryStore)
+        ::ActiveSupport::Cache::MemoryStore.new
+      end
+      ClerkHttpClient.configure do |config|
+        unless secret_key.nil? || secret_key.empty?
+          config.access_token = @secret_key
+        end
+      end
+    end
+    def self.default
+      @@default ||= new
+    end
+    def update(options)
+      options.each do |key, value|
+        send(:"#{key}=", value)
+      end
+    end
+    def debug=(value)
+      ClerkHttpClient::Configuration.default.debugging = value
+      @debug = value
+    end
+    def cache_store=(store)
+      if !store
+        @cache_store = nil
+        return
+      end
+      raise ArgumentError, "cache_store must respond to :fetch" unless store.respond_to?(:fetch)
+      @cache_store = store
+    end
+    def excluded_routes=(routes)
+      raise ArgumentError, "excluded_routes must be an array" unless routes.is_a?(Array)
+      raise ArgumentError, "All elements in the excluded_routes array must be strings" unless routes.all? { |r| r.is_a?(String) }
+      @excluded_routes = routes
+    end
+    def publishable_key=(pk)
+      raise ArgumentError, "publishable_key must start with 'pk_'" unless pk.start_with?("pk_")
+      @publishable_key = pk
+    end
+    def secret_key=(sk)
+      raise ArgumentError, "secret_key must start with 'sk_'" unless sk.start_with?("sk_")
+      ClerkHttpClient::Configuration.default.access_token = sk
+      @secret_key = sk
+    end
+    def logger=(logger)
+      ClerkHttpClient::Configuration.default.logger = logger
+      @logger = logger
+    end
+  end
+end

data/lib/clerk/constants.rb ADDED Viewed

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+module Clerk
+  SESSION_COOKIE = "__session"
+  CLIENT_UAT_COOKIE = "__client_uat"
+  # Dev Browser
+  DEV_BROWSER_COOKIE = "__clerk_db_jwt"
+  # Handshake
+  HANDSHAKE_COOKIE = "__clerk_handshake"
+  HANDSHAKE_COOKIE_DIRECTIVES_KEY = "handshake"
+  # auth debug response headers
+  AUTH_STATUS_HEADER = "x-clerk-auth-status"
+  AUTH_REASON_HEADER = "x-clerk-auth-reason"
+  AUTH_MESSAGE_HEADER = "x-clerk-auth-message"
+  SEC_FETCH_DEST_HEADER = "HTTP_SEC_FETCH_DEST"
+  # headers used in response - should be lowered case and without http prefix
+  ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER = "access-control-allow-credentials"
+  ACCESS_CONTROL_ALLOW_ORIGIN_HEADER = "access-control-allow-origin"
+  CONTENT_TYPE_HEADER = "content-type"
+  LOCATION_HEADER = "location"
+  SET_COOKIE_HEADER = "set-cookie"
+  # clerk url related headers
+  AUTHORIZATION_HEADER = "HTTP_AUTHORIZATION"
+  ACCEPT_HEADER = "HTTP_ACCEPT"
+  USER_AGENT_HEADER = "HTTP_USER_AGENT"
+  ORIGIN_HEADER = "HTTP_ORIGIN"
+  module TokenVerificationErrorReason
+    TOKEN_INVALID = "token-invalid"
+    TOKEN_EXPIRED = "token-expired"
+    TOKEN_NOT_ACTIVE_YET = "token-not-active-yet"
+    JWK_FAILED_TO_RESOLVE = "jwk-failed-to-resolve"
+  end
+  module AuthErrorReason
+    CLIENT_UAT_WITHOUT_SESSION_TOKEN = "client-uat-but-no-session-token"
+    DEV_BROWSER_SYNC = "dev-browser-sync"
+    DEV_BROWSER_MISSING = "dev-browser-missing"
+    PRIMARY_RESPONDS_TO_SYNCING = "primary-responds-to-syncing"
+    SATELLITE_COOKIE_NEEDS_SYNCING = "satellite-needs-syncing"
+    SESSION_TOKEN_AND_UAT_MISSING = "session-token-and-uat-missing"
+    SESSION_TOKEN_MISSING = "session-token-missing"
+    SESSION_TOKEN_OUTDATED = "session-token-outdated"
+    SESSION_TOKEN_WITHOUT_CLIENT_UAT = "session-token-but-no-client-uat"
+    UNEXPECTED_ERROR = "unexpected-error"
+  end
+  module StepUp
+    module Preset
+      STRICT_MFA = {after_minutes: 10, level: :multi_factor}
+      STRICT = {after_minutes: 10, level: :second_factor}
+      MODERATE = {after_minutes: 60, level: :second_factor}
+      LAX = {after_minutes: 1440, level: :second_factor}
+    end
+    module Reverification
+      def self.error_payload(missing_config)
+        {
+          clerk_error: {
+            type: "forbidden",
+            reason: "reverification-error",
+            metadata: {reverification: missing_config}
+          }
+        }
+      end
+    end
+  end
+end

data/lib/clerk/error.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Clerk
+  class Error < StandardError
+    attr_reader :status
+    def initialize(msg, status:)
+      @errors = msg["errors"]
+      @status = status
+      super(msg.merge(status: status))
+    end
+  end
+  class AuthenticationError < Error; end
+  class ConfigurationError < StandardError; end
+  class FatalError < Error; end
+end