@clerk/backend 3.0.0-snapshot.v20251204143242 → 3.0.0-snapshot.v20251208202852
- package/dist/api/resources/IdPOAuthAccessToken.d.ts +6 -0
- package/dist/api/resources/IdPOAuthAccessToken.d.ts.map +1 -1
- package/dist/{chunk-QYKVFAML.mjs → chunk-SNA7AD3D.mjs} +8 -7
- package/dist/chunk-SNA7AD3D.mjs.map +1 -0
- package/dist/{chunk-HNJNM32R.mjs → chunk-TCIXZLLW.mjs} +11 -4
- package/dist/{chunk-HNJNM32R.mjs.map → chunk-TCIXZLLW.mjs.map} +1 -1
- package/dist/{chunk-3734JYPC.mjs → chunk-XZ7V2XHT.mjs} +132 -9
- package/dist/chunk-XZ7V2XHT.mjs.map +1 -0
- package/dist/errors.d.ts +6 -3
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +10 -3
- package/dist/errors.js.map +1 -1
- package/dist/errors.mjs +1 -1
- package/dist/fixtures/index.d.ts +12 -0
- package/dist/fixtures/index.d.ts.map +1 -1
- package/dist/fixtures/machine.d.ts +2 -0
- package/dist/fixtures/machine.d.ts.map +1 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +145 -14
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +3 -3
- package/dist/internal.js +145 -14
- package/dist/internal.js.map +1 -1
- package/dist/internal.mjs +3 -3
- package/dist/jwt/assertions.d.ts +1 -1
- package/dist/jwt/assertions.d.ts.map +1 -1
- package/dist/jwt/index.js +6 -5
- package/dist/jwt/index.js.map +1 -1
- package/dist/jwt/index.mjs +2 -2
- package/dist/jwt/verifyJwt.d.ts +5 -0
- package/dist/jwt/verifyJwt.d.ts.map +1 -1
- package/dist/tokens/machine.d.ts +23 -0
- package/dist/tokens/machine.d.ts.map +1 -1
- package/dist/tokens/verify.d.ts +1 -1
- package/dist/tokens/verify.d.ts.map +1 -1
- package/dist/util/shared.d.ts +1 -1
- package/package.json +2 -2
- package/dist/chunk-3734JYPC.mjs.map +0 -1
- package/dist/chunk-QYKVFAML.mjs.map +0 -1
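--- a/package/dist/errors.d.ts
+++ b/package/dist/errors.d.ts
@@ -46,16 +46,19 @@ export declare const MachineTokenVerificationErrorCode: {
 readonly TokenInvalid: "token-invalid";
 readonly InvalidSecretKey: "secret-key-invalid";
 readonly UnexpectedError: "unexpected-error";
+readonly TokenVerificationFailed: "token-verification-failed";
 };
 export type MachineTokenVerificationErrorCode = (typeof MachineTokenVerificationErrorCode)[keyof typeof MachineTokenVerificationErrorCode];
 export declare class MachineTokenVerificationError extends Error {
 code: MachineTokenVerificationErrorCode;
 long_message?: string;
-status
-
+status?: number;
+action?: TokenVerificationErrorAction;
+constructor({ message, code, status, action, }: {
 message: string;
 code: MachineTokenVerificationErrorCode;
-status
+status?: number;
+action?: TokenVerificationErrorAction;
 });
 getFullMessage(): string;
 }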
package/dist/errors.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE/C,eAAO,MAAM,0BAA0B;;CAEtC,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG,CAAC,OAAO,0BAA0B,CAAC,CAAC,MAAM,OAAO,0BAA0B,CAAC,CAAC;AAEtH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;CAgBxC,CAAC;AAEF,MAAM,MAAM,4BAA4B,GACtC,CAAC,OAAO,4BAA4B,CAAC,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;AAEnF,eAAO,MAAM,4BAA4B;;;;;;CAMxC,CAAC;AAEF,MAAM,MAAM,4BAA4B,GACtC,CAAC,OAAO,4BAA4B,CAAC,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;AAEnF,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,MAAM,CAAC,EAAE,4BAA4B,CAAC;IACtC,MAAM,EAAE,4BAA4B,CAAC;IACrC,YAAY,CAAC,EAAE,YAAY,CAAC;gBAEhB,EACV,MAAM,EACN,OAAO,EACP,MAAM,GACP,EAAE;QACD,MAAM,CAAC,EAAE,4BAA4B,CAAC;QACtC,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,4BAA4B,CAAC;KACtC;IAUM,cAAc;CAKtB;AAED,qBAAa,YAAa,SAAQ,KAAK;CAAG;AAE1C,eAAO,MAAM,iCAAiC
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE/C,eAAO,MAAM,0BAA0B;;CAEtC,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG,CAAC,OAAO,0BAA0B,CAAC,CAAC,MAAM,OAAO,0BAA0B,CAAC,CAAC;AAEtH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;CAgBxC,CAAC;AAEF,MAAM,MAAM,4BAA4B,GACtC,CAAC,OAAO,4BAA4B,CAAC,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;AAEnF,eAAO,MAAM,4BAA4B;;;;;;CAMxC,CAAC;AAEF,MAAM,MAAM,4BAA4B,GACtC,CAAC,OAAO,4BAA4B,CAAC,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;AAEnF,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,MAAM,CAAC,EAAE,4BAA4B,CAAC;IACtC,MAAM,EAAE,4BAA4B,CAAC;IACrC,YAAY,CAAC,EAAE,YAAY,CAAC;gBAEhB,EACV,MAAM,EACN,OAAO,EACP,MAAM,GACP,EAAE;QACD,MAAM,CAAC,EAAE,4BAA4B,CAAC;QACtC,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,4BAA4B,CAAC;KACtC;IAUM,cAAc;CAKtB;AAED,qBAAa,YAAa,SAAQ,KAAK;CAAG;AAE1C,eAAO,MAAM,iCAAiC;;;;;CAKpC,CAAC;AAEX,MAAM,MAAM,iCAAiC,GAC3C,CAAC,OAAO,iCAAiC,CAAC,CAAC,MAAM,OAAO,iCAAiC,CAAC,CAAC;AAE7F,qBAAa,6BAA8B,SAAQ,KAAK;IACtD,IAAI,EAAE,iCAAiC,CAAC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,4BAA4B,CAAC;gBAE1B,EACV,OAAO,EACP,IAAI,EACJ,MAAM,EACN,MAAM,GACP,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,iCAAiC,CAAC;QACxC,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,4BAA4B,CAAC;KACvC;IASM,cAAc;CAGtB"}
|
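--- a/package/dist/errors.js
+++ b/package/dist/errors.js
@@ -77,17 +77,24 @@ var SignJWTError = class extends Error {
 var MachineTokenVerificationErrorCode = {
 TokenInvalid: "token-invalid",
 InvalidSecretKey: "secret-key-invalid",
-UnexpectedError: "unexpected-error"
+UnexpectedError: "unexpected-error",
+TokenVerificationFailed: "token-verification-failed"
 };
 var MachineTokenVerificationError = class _MachineTokenVerificationError extends Error {
-constructor({
+constructor({
+message,
+code,
+status,
+action
+}) {
 super(message);
 Object.setPrototypeOf(this, _MachineTokenVerificationError.prototype);
 this.code = code;
 this.status = status;
+this.action = action;
 }
 getFullMessage() {
-return `${this.message} (code=${this.code}, status=${this.status})`;
+return `${this.message} (code=${this.code}, status=${this.status || "n/a"})`;
 }
 };
 // Annotate the CommonJS export names for ESM import in node: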
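Review bot: `getFullMessage()` never prints the new `action` field, so a remediation hint attached to the error (for example `TokenVerificationErrorAction.SetClerkJWTKey`, which the bundled `verifyJwtOAuthToken` passes) is lost when a caller logs only the full message; the identical code is repeated in the `package/dist/index.js` hunk at new line 3645. The `TokenVerificationError.getFullMessage` source embedded in errors.js.map joins message and action, and this class could follow it: `return `${[this.message, this.action].filter(Boolean).join(" ")} (code=${this.code}, status=${this.status || "n/a"})`;`. A short comment on the class saying that `status` is now optional and is absent for locally verified JWTs (no HTTP response is involved in that path, as far as these hunks show) would also help consumers that branch on it.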
package/dist/errors.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/errors.ts"],"sourcesContent":["export type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorCode = {\n InvalidSecretKey: 'clerk_key_invalid',\n};\n\nexport type TokenVerificationErrorCode = (typeof TokenVerificationErrorCode)[keyof typeof TokenVerificationErrorCode];\n\nexport const TokenVerificationErrorReason = {\n TokenExpired: 'token-expired',\n TokenInvalid: 'token-invalid',\n TokenInvalidAlgorithm: 'token-invalid-algorithm',\n TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n TokenInvalidSignature: 'token-invalid-signature',\n TokenNotActiveYet: 'token-not-active-yet',\n TokenIatInTheFuture: 'token-iat-in-the-future',\n TokenVerificationFailed: 'token-verification-failed',\n InvalidSecretKey: 'secret-key-invalid',\n LocalJWKMissing: 'jwk-local-missing',\n RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n RemoteJWKInvalid: 'jwk-remote-invalid',\n RemoteJWKMissing: 'jwk-remote-missing',\n JWKFailedToResolve: 'jwk-failed-to-resolve',\n JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport const TokenVerificationErrorAction = {\n ContactSupport: 'Contact support@clerk.com',\n EnsureClerkJWT: 'Make sure that this is a valid Clerk-generated JWT.',\n SetClerkJWTKey: 'Set the CLERK_JWT_KEY environment variable.',\n SetClerkSecretKey: 'Set the CLERK_SECRET_KEY environment variable.',\n EnsureClockSync: 'Make sure your system clock is in sync (e.g. 
turn off and on automatic time synchronization).',\n};\n\nexport type TokenVerificationErrorAction =\n (typeof TokenVerificationErrorAction)[keyof typeof TokenVerificationErrorAction];\n\nexport class TokenVerificationError extends Error {\n action?: TokenVerificationErrorAction;\n reason: TokenVerificationErrorReason;\n tokenCarrier?: TokenCarrier;\n\n constructor({\n action,\n message,\n reason,\n }: {\n action?: TokenVerificationErrorAction;\n message: string;\n reason: TokenVerificationErrorReason;\n }) {\n super(message);\n\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n this.reason = reason;\n this.message = message;\n this.action = action;\n }\n\n public getFullMessage() {\n return `${[this.message, this.action].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n this.tokenCarrier\n })`;\n }\n}\n\nexport class SignJWTError extends Error {}\n\nexport const MachineTokenVerificationErrorCode = {\n TokenInvalid: 'token-invalid',\n InvalidSecretKey: 'secret-key-invalid',\n UnexpectedError: 'unexpected-error',\n} as const;\n\nexport type MachineTokenVerificationErrorCode =\n (typeof MachineTokenVerificationErrorCode)[keyof typeof MachineTokenVerificationErrorCode];\n\nexport class MachineTokenVerificationError extends Error {\n code: MachineTokenVerificationErrorCode;\n long_message?: string;\n status
|
|
1
|
+
{"version":3,"sources":["../src/errors.ts"],"sourcesContent":["export type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorCode = {\n InvalidSecretKey: 'clerk_key_invalid',\n};\n\nexport type TokenVerificationErrorCode = (typeof TokenVerificationErrorCode)[keyof typeof TokenVerificationErrorCode];\n\nexport const TokenVerificationErrorReason = {\n TokenExpired: 'token-expired',\n TokenInvalid: 'token-invalid',\n TokenInvalidAlgorithm: 'token-invalid-algorithm',\n TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n TokenInvalidSignature: 'token-invalid-signature',\n TokenNotActiveYet: 'token-not-active-yet',\n TokenIatInTheFuture: 'token-iat-in-the-future',\n TokenVerificationFailed: 'token-verification-failed',\n InvalidSecretKey: 'secret-key-invalid',\n LocalJWKMissing: 'jwk-local-missing',\n RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n RemoteJWKInvalid: 'jwk-remote-invalid',\n RemoteJWKMissing: 'jwk-remote-missing',\n JWKFailedToResolve: 'jwk-failed-to-resolve',\n JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport const TokenVerificationErrorAction = {\n ContactSupport: 'Contact support@clerk.com',\n EnsureClerkJWT: 'Make sure that this is a valid Clerk-generated JWT.',\n SetClerkJWTKey: 'Set the CLERK_JWT_KEY environment variable.',\n SetClerkSecretKey: 'Set the CLERK_SECRET_KEY environment variable.',\n EnsureClockSync: 'Make sure your system clock is in sync (e.g. 
turn off and on automatic time synchronization).',\n};\n\nexport type TokenVerificationErrorAction =\n (typeof TokenVerificationErrorAction)[keyof typeof TokenVerificationErrorAction];\n\nexport class TokenVerificationError extends Error {\n action?: TokenVerificationErrorAction;\n reason: TokenVerificationErrorReason;\n tokenCarrier?: TokenCarrier;\n\n constructor({\n action,\n message,\n reason,\n }: {\n action?: TokenVerificationErrorAction;\n message: string;\n reason: TokenVerificationErrorReason;\n }) {\n super(message);\n\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n this.reason = reason;\n this.message = message;\n this.action = action;\n }\n\n public getFullMessage() {\n return `${[this.message, this.action].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n this.tokenCarrier\n })`;\n }\n}\n\nexport class SignJWTError extends Error {}\n\nexport const MachineTokenVerificationErrorCode = {\n TokenInvalid: 'token-invalid',\n InvalidSecretKey: 'secret-key-invalid',\n UnexpectedError: 'unexpected-error',\n TokenVerificationFailed: 'token-verification-failed',\n} as const;\n\nexport type MachineTokenVerificationErrorCode =\n (typeof MachineTokenVerificationErrorCode)[keyof typeof MachineTokenVerificationErrorCode];\n\nexport class MachineTokenVerificationError extends Error {\n code: MachineTokenVerificationErrorCode;\n long_message?: string;\n status?: number;\n action?: TokenVerificationErrorAction;\n\n constructor({\n message,\n code,\n status,\n action,\n }: {\n message: string;\n code: MachineTokenVerificationErrorCode;\n status?: number;\n action?: TokenVerificationErrorAction;\n }) {\n super(message);\n Object.setPrototypeOf(this, MachineTokenVerificationError.prototype);\n\n this.code = code;\n this.status = status;\n this.action = action;\n }\n\n public getFullMessage() {\n return `${this.message} (code=${this.code}, status=${this.status || 'n/a'})`;\n 
}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEO,IAAM,6BAA6B;AAAA,EACxC,kBAAkB;AACpB;AAIO,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,+BAA+B;AAAA,EAC1C,gBAAgB;AAAA,EAChB,gBAAgB;AAAA,EAChB,gBAAgB;AAAA,EAChB,mBAAmB;AAAA,EACnB,iBAAiB;AACnB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAKhD,YAAY;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,EACF,GAIG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AACf,SAAK,SAAS;AAAA,EAChB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,SAAS,KAAK,MAAM,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACnF,KAAK,YACP;AAAA,EACF;AACF;AAEO,IAAM,eAAN,cAA2B,MAAM;AAAC;AAElC,IAAM,oCAAoC;AAAA,EAC/C,cAAc;AAAA,EACd,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,yBAAyB;AAC3B;AAKO,IAAM,gCAAN,MAAM,uCAAsC,MAAM;AAAA,EAMvD,YAAY;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,GAKG;AACD,UAAM,OAAO;AACb,WAAO,eAAe,MAAM,+BAA8B,SAAS;AAEnE,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,SAAS;AAAA,EAChB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,KAAK,OAAO,UAAU,KAAK,IAAI,YAAY,KAAK,UAAU,KAAK;AAAA,EAC3E;AACF;","names":[]}
|
package/dist/errors.mjs
CHANGED
package/dist/fixtures/index.d.ts
CHANGED
|
@@ -16,6 +16,18 @@ export declare const mockJwtPayload: {
|
|
|
16
16
|
sid: string;
|
|
17
17
|
sub: string;
|
|
18
18
|
};
|
|
19
|
+
export declare const mockOAuthAccessTokenJwtPayload: {
|
|
20
|
+
iss: string;
|
|
21
|
+
sub: string;
|
|
22
|
+
client_id: string;
|
|
23
|
+
scope: string;
|
|
24
|
+
jti: string;
|
|
25
|
+
exp: number;
|
|
26
|
+
iat: number;
|
|
27
|
+
nbf: number;
|
|
28
|
+
azp: string;
|
|
29
|
+
sid: string;
|
|
30
|
+
};
|
|
19
31
|
export declare const mockRsaJwkKid = "ins_2GIoQhbUpy0hX7B2cVkuTMinXoD";
|
|
20
32
|
export declare const mockRsaJwk: {
|
|
21
33
|
use: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/fixtures/index.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,OAAO,2uBACstB,CAAC;AAG3uB,eAAO,MAAM,cAAc,2uBAC+sB,CAAC;AAE3uB,eAAO,MAAM,uBAAuB,quBACgsB,CAAC;AAEruB,eAAO,MAAM,gBAAgB,+cACib,CAAC;AAK/c,eAAO,MAAM,aAAa;;;;CAIzB,CAAC;AAEF,eAAO,MAAM,cAAc;;;;;;;;CAQ1B,CAAC;AAEF,eAAO,MAAM,aAAa,oCAAoC,CAAC;AAE/D,eAAO,MAAM,UAAU;;;;;;;CAOtB,CAAC;AAEF,eAAO,MAAM,QAAQ;;;;;;;;;CAEpB,CAAC;AAEF,eAAO,MAAM,UAAU,6YACqX,CAAC;AAE7Y,eAAO,MAAM,UAAU;;;;;;CAMtB,CAAC;AAEF,eAAO,MAAM,aAAa,QASE,CAAC;AAE7B,eAAO,MAAM,iBAAiB,usDA2BJ,CAAC;AAE3B,eAAO,MAAM,mBAAmB,+cAQP,CAAC;AAE1B,eAAO,MAAM,kBAAkB,+cAQN,CAAC;AAG1B,eAAO,MAAM,WAAW;;;;;;;;;;;;;CAavB,CAAC;AAEF,eAAO,MAAM,UAAU;;;;;;;CAOtB,CAAC;AAGF,eAAO,MAAM,SAAS,2uBACotB,CAAC;AAE3uB,eAAO,MAAM,MAAM,uDAAuD,CAAC;AAC3E,eAAO,MAAM,MAAM,uDAAuD,CAAC;AAE3E,KAAK,SAAS,GAAG,CAAC,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,GAAG,CAAC;IAAC,OAAO,CAAC,EAAE,GAAG,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,KAAK,MAAM,CAAC;AACxF,eAAO,MAAM,SAAS,EAAE,SAWvB,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAM1E"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/fixtures/index.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,OAAO,2uBACstB,CAAC;AAG3uB,eAAO,MAAM,cAAc,2uBAC+sB,CAAC;AAE3uB,eAAO,MAAM,uBAAuB,quBACgsB,CAAC;AAEruB,eAAO,MAAM,gBAAgB,+cACib,CAAC;AAK/c,eAAO,MAAM,aAAa;;;;CAIzB,CAAC;AAEF,eAAO,MAAM,cAAc;;;;;;;;CAQ1B,CAAC;AAEF,eAAO,MAAM,8BAA8B;;;;;;;;;;;CAU1C,CAAC;AAEF,eAAO,MAAM,aAAa,oCAAoC,CAAC;AAE/D,eAAO,MAAM,UAAU;;;;;;;CAOtB,CAAC;AAEF,eAAO,MAAM,QAAQ;;;;;;;;;CAEpB,CAAC;AAEF,eAAO,MAAM,UAAU,6YACqX,CAAC;AAE7Y,eAAO,MAAM,UAAU;;;;;;CAMtB,CAAC;AAEF,eAAO,MAAM,aAAa,QASE,CAAC;AAE7B,eAAO,MAAM,iBAAiB,usDA2BJ,CAAC;AAE3B,eAAO,MAAM,mBAAmB,+cAQP,CAAC;AAE1B,eAAO,MAAM,kBAAkB,+cAQN,CAAC;AAG1B,eAAO,MAAM,WAAW;;;;;;;;;;;;;CAavB,CAAC;AAEF,eAAO,MAAM,UAAU;;;;;;;CAOtB,CAAC;AAGF,eAAO,MAAM,SAAS,2uBACotB,CAAC;AAE3uB,eAAO,MAAM,MAAM,uDAAuD,CAAC;AAC3E,eAAO,MAAM,MAAM,uDAAuD,CAAC;AAE3E,KAAK,SAAS,GAAG,CAAC,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,GAAG,CAAC;IAAC,OAAO,CAAC,EAAE,GAAG,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,KAAK,MAAM,CAAC;AACxF,eAAO,MAAM,SAAS,EAAE,SAWvB,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAM1E"}
|
|
@@ -67,4 +67,6 @@ export declare const mockMachineAuthResponses: {
|
|
|
67
67
|
readonly errorMessage: "Machine token not found";
|
|
68
68
|
};
|
|
69
69
|
};
|
|
70
|
+
export declare const mockSignedOAuthAccessTokenJwt = "eyJhbGciOiJSUzI1NiIsImtpZCI6Imluc18yR0lvUWhiVXB5MGhYN0IyY1ZrdVRNaW5Yb0QiLCJ0eXAiOiJhdCtqd3QifQ.eyJhenAiOiJodHRwczovL2FjY291bnRzLmluc3BpcmVkLnB1bWEtNzQubGNsLmRldiIsImV4cCI6MTY2NjY0ODU1MCwiaWF0IjoxNjY2NjQ4MjUwLCJpc3MiOiJodHRwczovL2NsZXJrLm9hdXRoLmV4YW1wbGUudGVzdCIsIm5iZiI6MTY2NjY0ODI0MCwic2lkIjoic2Vzc18yR2JEQjRlbk5kQ2E1dlMxenBDM1h6Zzl0SzkiLCJzdWIiOiJ1c2VyXzJ2WVZ0ZXN0VEVTVHRlc3RURVNUdGVzdFRFU1R0ZXN0IiwiY2xpZW50X2lkIjoiY2xpZW50XzJWVFdVenZHQzVVaGRKQ054NnhHMUQ5OGVkYyIsInNjb3BlIjoicmVhZDpmb28gd3JpdGU6YmFyIiwianRpIjoib2F0XzJ4S2E5Qmd2N054TVJERnlRdzhMcFozY1RtVTF2SGpFIn0.Wgw5L2u0nGkxF9Y-5Dje414UEkxq2Fu3_VePeh1-GehCugi0eIXV-QyiXp1ba4pxWWbCfIC_hihzKjwnVb5wrhzqyw8FJpvnvtrHEjt-zSijpS7WlO7ScJDY-PE8zgH-CICnS2CKYSkP3Rbzka9XY_Z6ieUzmBSFdA_0K8pQOdDHv70y04dnL1CjL6XToncnvezioL388Y1UTqlhll8b2Pm4EI7rGdHVKzLcKnKoYpgsBPZLmO7qGPJ5BkHvmg3gOSkmIiziFaEZkoXvjbvEUAt5qEqzaADSaFP6QhRYNtr1s4OD9uj0SK6QaoZTj69XYFuNMNnm7zN_WxvPBMTq9g";
|
|
71
|
+
export declare const mockSignedOAuthAccessTokenJwtApplicationTyp = "eyJhbGciOiJSUzI1NiIsImtpZCI6Imluc18yR0lvUWhiVXB5MGhYN0IyY1ZrdVRNaW5Yb0QiLCJ0eXAiOiJhcHBsaWNhdGlvbi9hdCtqd3QifQ.eyJhenAiOiJodHRwczovL2FjY291bnRzLmluc3BpcmVkLnB1bWEtNzQubGNsLmRldiIsImV4cCI6MTY2NjY0ODU1MCwiaWF0IjoxNjY2NjQ4MjUwLCJpc3MiOiJodHRwczovL2NsZXJrLm9hdXRoLmV4YW1wbGUudGVzdCIsIm5iZiI6MTY2NjY0ODI0MCwic2lkIjoic2Vzc18yR2JEQjRlbk5kQ2E1dlMxenBDM1h6Zzl0SzkiLCJzdWIiOiJ1c2VyXzJ2WVZ0ZXN0VEVTVHRlc3RURVNUdGVzdFRFU1R0ZXN0IiwiY2xpZW50X2lkIjoiY2xpZW50XzJWVFdVenZHQzVVaGRKQ054NnhHMUQ5OGVkYyIsInNjb3BlIjoicmVhZDpmb28gd3JpdGU6YmFyIiwianRpIjoib2F0XzJ4S2E5Qmd2N054TVJERnlRdzhMcFozY1RtVTF2SGpFIn0.GPTvB4doScjzQD0kRMhMebVDREjwcrMWK73OP_kFc3pl0gST29BlWrKMBi8wRxoSJBc2ukO10BPhGxnh15PxCNLyk6xQFWhFBA7XpVxY4T_VHPDU5FEOocPQuqcqZ4cA1GDJST-BH511fxoJnv4kfha46IvQiUMvWCacIj_w12qfZigeb208mTDIeoJQtlYb-sD9u__CVvB4uZOqGb0lIL5-cCbhMPFg-6GQ2DhZ-Eq5tw7oyO6lPrsAaFN9u-59SLvips364ieYNpgcr9Dbo5PDvUSltqxoIXTDFo4esWw6XwUjnGfqCh34LYAhv_2QF2U0-GASBEn4GK-Wfv3wXg";
|
|
70
72
|
//# sourceMappingURL=machine.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"machine.d.ts","sourceRoot":"","sources":["../../src/fixtures/machine.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU;;;;CAIb,CAAC;AAEX,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6CnC,CAAC;AAEF,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;CAa3B,CAAC"}
|
|
1
|
+
{"version":3,"file":"machine.d.ts","sourceRoot":"","sources":["../../src/fixtures/machine.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU;;;;CAIb,CAAC;AAEX,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6CnC,CAAC;AAEF,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;CAa3B,CAAC;AAMX,eAAO,MAAM,6BAA6B,k5BACu2B,CAAC;AAMl5B,eAAO,MAAM,2CAA2C,k6BACy2B,CAAC"}
|
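--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -8,6 +8,7 @@ export declare const verifyToken: (token: string, options: {
 audience?: string | string[] | undefined;
 authorizedParties?: string[] | undefined;
 clockSkewInMs?: number | undefined;
+headerType?: string | string[] | undefined;
 secretKey?: string | undefined;
 apiUrl?: string | undefined;
 apiVersion?: string | undefined;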
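Review bot: `headerType` is now part of the public `verifyToken` options with nothing stating its default or what widening it means. In the bundled code `assertHeaderType` defaults to `"JWT"` and `verifyJwtOAuthToken` passes `["at+jwt", "application/at+jwt"]`, so a caller who supplies the access-token types here could make session verification accept tokens minted as OAuth access tokens. I would document the option at its source declaration, for example `/** Accepted values of the JWT "typ" header. Defaults to "JWT"; do not add access-token types when verifying session tokens. */`. The options type starts and ends outside this hunk.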
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,KAAK,EAAE,SAAS,EAAE,uBAAuB,EAAE,MAAM,OAAO,CAAC;AAGhE,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAG7D,eAAO,MAAM,WAAW
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,KAAK,EAAE,SAAS,EAAE,uBAAuB,EAAE,MAAM,OAAO,CAAC;AAGhE,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAG7D,eAAO,MAAM,WAAW;;;;;;;;;;;gFAAiC,CAAC;AAE1D,MAAM,MAAM,YAAY,GAAG,IAAI,CAAC,uBAAuB,EAAE,qBAAqB,GAAG,qBAAqB,CAAC,GACrG,OAAO,CACL,IAAI,CACF,gCAAgC,CAAC,SAAS,CAAC,EAC3C,UAAU,GAAG,QAAQ,GAAG,UAAU,GAAG,WAAW,GAAG,gBAAgB,GAAG,QAAQ,GAAG,aAAa,CAC/F,CACF,GAAG;IAAE,WAAW,CAAC,EAAE,WAAW,CAAC;IAAC,SAAS,CAAC,EAAE,IAAI,CAAC,yBAAyB,EAAE,UAAU,GAAG,OAAO,GAAG,cAAc,CAAC,CAAA;CAAE,CAAC;AAIxH,MAAM,MAAM,WAAW,GAAG;IACxB,SAAS,EAAE,kBAAkB,CAAC;CAC/B,GAAG,SAAS,GACX,UAAU,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE/C,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,GAAG,WAAW,CAiBpE;AAED;;GAEG;AACH,YAAY,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAClE,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC1D;;GAEG;AACH,YAAY,EACV,cAAc,EACd,0BAA0B,EAC1B,iBAAiB,EACjB,SAAS,EACT,uBAAuB,EACvB,uBAAuB,EACvB,UAAU,EACV,eAAe,EACf,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,YAAY,EACZ,wBAAwB,EACxB,oBAAoB,EACpB,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,EACtB,kCAAkC,EAClC,0BAA0B,EAC1B,wBAAwB,EACxB,0BAA0B,EAC1B,0BAA0B,EAC1B,wCAAwC,EACxC,eAAe,EACf,cAAc,EACd,eAAe,EACf,WAAW,EACX,UAAU,EACV,eAAe,EACf,UAAU,EACV,sBAAsB,EACtB,uBAAuB,EACvB,cAAc,EACd,QAAQ,EACR,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAE9B;;GAEG;AACH,YAAY,EACV,MAAM,EACN,UAAU,EACV,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,EACnB,MAAM,EACN,WAAW,EACX,MAAM,EACN,YAAY,EACZ,eAAe,EACf,OAAO,EACP,QAAQ,EACR,oBAAoB,EACpB,gBAAgB,EAChB,UAAU,EACV,WAAW,EACX,OAAO,EACP,QAAQ,EACR,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,kBAAkB,EAClB,8BAA8B,EAC9B,sBAAsB,EACtB,sBAAsB,EACtB,oCAAoC,EACpC,oBAAoB,EACpB,WAA
W,EACX,cAAc,EACd,OAAO,EACP,WAAW,EACX,aAAa,EACb,UAAU,EACV,KAAK,EACL,IAAI,EACJ,YAAY,EACZ,aAAa,EACb,WAAW,EACX,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC;AAEzB;;GAEG;AACH,YAAY,EACV,iBAAiB,EACjB,wBAAwB,EACxB,8BAA8B,EAC9B,kCAAkC,EAClC,kCAAkC,EAClC,gBAAgB,EAChB,sBAAsB,EACtB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,EACZ,gBAAgB,EAChB,iCAAiC,EACjC,+BAA+B,EAC/B,mCAAmC,GACpC,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,YAAY,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}
|
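--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1668,7 +1668,7 @@ var snakecase_keys_default = snakecaseKeys;
 // src/constants.ts
 var API_URL = "https://api.clerk.com";
 var API_VERSION = "v1";
-var USER_AGENT = `${"@clerk/backend"}@${"3.0.0-snapshot.
+var USER_AGENT = `${"@clerk/backend"}@${"3.0.0-snapshot.v20251208202852"}`;
 var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
 var SUPPORTED_BAPI_VERSION = "2025-11-10";
 var Attributes = {
@@ -2330,6 +2330,26 @@ var IdPOAuthAccessToken = class _IdPOAuthAccessToken {
 data.updated_at
 );
 }
+/**
+* Creates an IdPOAuthAccessToken from a JWT payload.
+* Maps standard JWT claims and OAuth-specific fields to token properties.
+*/
+static fromJwtPayload(payload, clockSkewInMs = 5e3) {
+const oauthPayload = payload;
+return new _IdPOAuthAccessToken(
+oauthPayload.jti ?? "",
+oauthPayload.client_id ?? "",
+"oauth_token",
+payload.sub,
+oauthPayload.scp ?? oauthPayload.scope?.split(" ") ?? [],
+false,
+null,
+payload.exp * 1e3 <= Date.now() - clockSkewInMs,
+payload.exp,
+payload.iat,
+payload.iat
+);
+}
 };
 
 // src/api/resources/Instance.ts
@@ -3625,17 +3645,24 @@ var TokenVerificationError = class _TokenVerificationError extends Error {
 var MachineTokenVerificationErrorCode = {
 TokenInvalid: "token-invalid",
 InvalidSecretKey: "secret-key-invalid",
-UnexpectedError: "unexpected-error"
+UnexpectedError: "unexpected-error",
+TokenVerificationFailed: "token-verification-failed"
 };
 var MachineTokenVerificationError = class _MachineTokenVerificationError extends Error {
-constructor({
+constructor({
+message,
+code,
+status,
+action
+}) {
 super(message);
 Object.setPrototypeOf(this, _MachineTokenVerificationError.prototype);
 this.code = code;
 this.status = status;
+this.action = action;
 }
 getFullMessage() {
-return `${this.message} (code=${this.code}, status=${this.status})`;
+return `${this.message} (code=${this.code}, status=${this.status || "n/a"})`;
 }
 };
 
@@ -3773,15 +3800,16 @@ var assertAudienceClaim = (aud, audience) => {
 }
 }
 };
-var assertHeaderType = (typ) => {
+var assertHeaderType = (typ, allowedTypes = "JWT") => {
 if (typeof typ === "undefined") {
 return;
 }
-
+const allowed = Array.isArray(allowedTypes) ? allowedTypes : [allowedTypes];
+if (!allowed.includes(typ)) {
 throw new TokenVerificationError({
 action: TokenVerificationErrorAction.EnsureClerkJWT,
 reason: TokenVerificationErrorReason.TokenInvalid,
-message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "
+message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "${allowed.join(", ")}".`
 });
 }
 };
@@ -3952,7 +3980,7 @@ function decodeJwt(token) {
 return { data };
 }
 async function verifyJwt(token, options) {
-const { audience, authorizedParties, clockSkewInMs, key } = options;
+const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
 const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
 const { data: decoded, errors } = decodeJwt(token);
 if (errors) {
@@ -3961,7 +3989,7 @@ async function verifyJwt(token, options) {
 const { header, payload } = decoded;
 try {
 const { typ, alg } = header;
-assertHeaderType(typ);
+assertHeaderType(typ, headerType);
 assertHeaderAlgorithm(alg);
 const { azp, sub, aud, iat, exp, nbf } = payload;
 assertSubClaim(sub);
@@ -4431,14 +4459,33 @@ var M2M_TOKEN_PREFIX = "mt_";
 var OAUTH_TOKEN_PREFIX = "oat_";
 var API_KEY_PREFIX = "ak_";
 var MACHINE_TOKEN_PREFIXES = [M2M_TOKEN_PREFIX, OAUTH_TOKEN_PREFIX, API_KEY_PREFIX];
+var JwtFormatRegExp = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/;
+function isJwtFormat(token) {
+return JwtFormatRegExp.test(token);
+}
+var OAUTH_ACCESS_TOKEN_TYPES = ["at+jwt", "application/at+jwt"];
+function isOAuthJwt(token) {
+if (!isJwtFormat(token)) {
+return false;
+}
+try {
+const { data, errors } = decodeJwt(token);
+return !errors && !!data && OAUTH_ACCESS_TOKEN_TYPES.includes(data.header.typ);
+} catch {
+return false;
+}
+}
 function isMachineTokenByPrefix(token) {
 return MACHINE_TOKEN_PREFIXES.some((prefix) => token.startsWith(prefix));
 }
+function isMachineToken(token) {
+return isMachineTokenByPrefix(token) || isOAuthJwt(token);
+}
 function getMachineTokenType(token) {
 if (token.startsWith(M2M_TOKEN_PREFIX)) {
 return TokenType.M2MToken;
 }
-if (token.startsWith(OAUTH_TOKEN_PREFIX)) {
+if (token.startsWith(OAUTH_TOKEN_PREFIX) || isOAuthJwt(token)) {
 return TokenType.OAuthToken;
 }
 if (token.startsWith(API_KEY_PREFIX)) {
@@ -4537,7 +4584,91 @@ async function verifyM2MToken(token, options) {
 return handleClerkAPIError(TokenType.M2MToken, err, "Machine token not found");
 }
 }
+async function verifyJwtOAuthToken(accessToken, options) {
+let decoded;
+try {
+decoded = decodeJwt(accessToken);
+} catch (e) {
+return {
+data: void 0,
+tokenType: TokenType.OAuthToken,
+errors: [
+new MachineTokenVerificationError({
+code: MachineTokenVerificationErrorCode.TokenInvalid,
+message: e.message
+})
+]
+};
+}
+const { data: decodedResult, errors } = decoded;
+if (errors) {
+return {
+data: void 0,
+tokenType: TokenType.OAuthToken,
+errors: [
+new MachineTokenVerificationError({
+code: MachineTokenVerificationErrorCode.TokenInvalid,
+message: errors[0].message
+})
+]
+};
+}
+const { header } = decodedResult;
+const { kid } = header;
+let key;
+try {
+if (options.jwtKey) {
+key = loadClerkJwkFromPem({ kid, pem: options.jwtKey });
+} else if (options.secretKey) {
+key = await loadClerkJWKFromRemote({ ...options, kid });
+} else {
+return {
+data: void 0,
+tokenType: TokenType.OAuthToken,
+errors: [
+new MachineTokenVerificationError({
+action: TokenVerificationErrorAction.SetClerkJWTKey,
+message: "Failed to resolve JWK during verification.",
+code: MachineTokenVerificationErrorCode.TokenVerificationFailed
+})
+]
+};
+}
+const { data: payload, errors: verifyErrors } = await verifyJwt(accessToken, {
+...options,
+key,
+headerType: OAUTH_ACCESS_TOKEN_TYPES
+});
+if (verifyErrors) {
+return {
+data: void 0,
+tokenType: TokenType.OAuthToken,
+errors: [
+new MachineTokenVerificationError({
+code: MachineTokenVerificationErrorCode.TokenVerificationFailed,
+message: verifyErrors[0].message
+})
+]
+};
+}
+const token = IdPOAuthAccessToken.fromJwtPayload(payload, options.clockSkewInMs);
+return { data: token, tokenType: TokenType.OAuthToken, errors: void 0 };
+} catch (error) {
+return {
+tokenType: TokenType.OAuthToken,
+errors: [
+new MachineTokenVerificationError({
+code: MachineTokenVerificationErrorCode.TokenVerificationFailed,
+message: error.message
+})
+]
+};
+}
+}
 async function verifyOAuthToken(accessToken, options) {
+if (isJwtFormat(accessToken)) {
+return verifyJwtOAuthToken(accessToken, options);
+}
 try {
 const client = createBackendApiClient(options);
 const verifiedToken = await client.idPOAuthAccessToken.verify(accessToken);
@@ -4559,7 +4690,7 @@ async function verifyMachineAuthToken(token, options) {
 if (token.startsWith(M2M_TOKEN_PREFIX)) {
 return verifyM2MToken(token, options);
 }
-if (token.startsWith(OAUTH_TOKEN_PREFIX)) {
+if (token.startsWith(OAUTH_TOKEN_PREFIX) || isJwtFormat(token)) {
 return verifyOAuthToken(token, options);
 }
 if (token.startsWith(API_KEY_PREFIX)) {
@@ -5287,7 +5418,7 @@ function isTokenTypeInAcceptedArray(acceptsToken, authenticateContext) {
 let parsedTokenType = null;
 const { tokenInHeader } = authenticateContext;
 if (tokenInHeader) {
-if (
+if (isMachineToken(tokenInHeader)) {
 parsedTokenType = getMachineTokenType(tokenInHeader);
 } else {
 parsedTokenType = TokenType.SessionToken;
@@ -5697,7 +5828,7 @@ var authenticateRequest = (async (request, options) => {
 if (!tokenInHeader) {
 return handleSessionTokenError(new Error("Missing token in header"), "header");
 }
-if (!
+if (!isMachineToken(tokenInHeader)) {
 return signedOut({
 tokenType: acceptsToken,
 authenticateContext,
@@ -5726,7 +5857,7 @@ var authenticateRequest = (async (request, options) => {
 if (!tokenInHeader) {
 return handleSessionTokenError(new Error("Missing token in header"), "header");
 }
-if (isMachineToken(tokenInHeader)) {
+if (
+if (isMachineToken(tokenInHeader)) {
 const parsedTokenType = getMachineTokenType(tokenInHeader);
 const mismatchState = checkTokenTypeMismatch(parsedTokenType, acceptsToken, authenticateContext);
 if (mismatchState) {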
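Review bot: `verifyMachineAuthToken` and `verifyOAuthToken` dispatch on `isJwtFormat(token)` alone, and `assertHeaderType` still returns early when `typ` is undefined, so a validly signed three-segment JWT that carries no `typ` header would pass the type check and come back from `IdPOAuthAccessToken.fromJwtPayload` as an OAuth access token. Only `isOAuthJwt` requires `at+jwt` or `application/at+jwt`, and it guards the `authenticateRequest` paths shown here but, as far as these hunks show, not direct callers of the two verify functions. I would have `verifyJwtOAuthToken` enforce the type itself right after decoding, with `if (!OAUTH_ACCESS_TOKEN_TYPES.includes(header.typ))` returning the same `TokenInvalid` result it uses for decode failures. Relatedly, `fromJwtPayload` maps a missing `jti` or `client_id` to `""` instead of rejecting the token, which deserves either an explicit check or a comment explaining why an empty identifier is acceptable. The bodies of `verifyJwt` and `authenticateRequest` continue outside these hunks.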