@clerk/backend 3.0.0-snapshot.v20251204175016 → 3.0.0-snapshot.v20251208202852

package/dist/index.mjs

@@ -2,13 +2,13 @@ import {
   createAuthenticateRequest,
   createBackendApiClient,
   verifyToken
-} from "./chunk-777XG3PJ.mjs";
+} from "./chunk-XZ7V2XHT.mjs";
 import "./chunk-YBVFDYDR.mjs";
 import {
   withLegacyReturn
 } from "./chunk-P263NW7Z.mjs";
-import "./chunk-QYKVFAML.mjs";
-import "./chunk-HNJNM32R.mjs";
+import "./chunk-SNA7AD3D.mjs";
+import "./chunk-TCIXZLLW.mjs";
 import "./chunk-RPS7XK5K.mjs";
 
 // src/index.ts

package/dist/internal.js

@@ -56,7 +56,7 @@ module.exports = __toCommonJS(internal_exports);
 // src/constants.ts
 var API_URL = "https://api.clerk.com";
 var API_VERSION = "v1";
-var USER_AGENT = `${"@clerk/backend"}@${"3.0.0-snapshot.v20251204175016"}`;
+var USER_AGENT = `${"@clerk/backend"}@${"3.0.0-snapshot.v20251208202852"}`;
 var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
 var SUPPORTED_BAPI_VERSION = "2025-11-10";
 var Attributes = {
@@ -281,17 +281,24 @@ var TokenVerificationError = class _TokenVerificationError extends Error {
 var MachineTokenVerificationErrorCode = {
   TokenInvalid: "token-invalid",
   InvalidSecretKey: "secret-key-invalid",
-  UnexpectedError: "unexpected-error"
+  UnexpectedError: "unexpected-error",
+  TokenVerificationFailed: "token-verification-failed"
 };
 var MachineTokenVerificationError = class _MachineTokenVerificationError extends Error {
-  constructor({ message, code, status }) {
+  constructor({
+    message,
+    code,
+    status,
+    action
+  }) {
     super(message);
     Object.setPrototypeOf(this, _MachineTokenVerificationError.prototype);
     this.code = code;
     this.status = status;
+    this.action = action;
   }
   getFullMessage() {
-    return `${this.message} (code=${this.code}, status=${this.status})`;
+    return `${this.message} (code=${this.code}, status=${this.status || "n/a"})`;
   }
 };
 
@@ -445,15 +452,16 @@ var assertAudienceClaim = (aud, audience) => {
     }
   }
 };
-var assertHeaderType = (typ) => {
+var assertHeaderType = (typ, allowedTypes = "JWT") => {
   if (typeof typ === "undefined") {
     return;
   }
-  if (typ !== "JWT") {
+  const allowed = Array.isArray(allowedTypes) ? allowedTypes : [allowedTypes];
+  if (!allowed.includes(typ)) {
     throw new TokenVerificationError({
       action: TokenVerificationErrorAction.EnsureClerkJWT,
       reason: TokenVerificationErrorReason.TokenInvalid,
-      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "JWT".`
+      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "${allowed.join(", ")}".`
     });
   }
 };
@@ -624,7 +632,7 @@ function decodeJwt(token) {
   return { data };
 }
 async function verifyJwt(token, options) {
-  const { audience, authorizedParties, clockSkewInMs, key } = options;
+  const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
   const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
   const { data: decoded, errors } = decodeJwt(token);
   if (errors) {
@@ -633,7 +641,7 @@ async function verifyJwt(token, options) {
   const { header, payload } = decoded;
   try {
     const { typ, alg } = header;
-    assertHeaderType(typ);
+    assertHeaderType(typ, headerType);
     assertHeaderAlgorithm(alg);
     const { azp, sub, aud, iat, exp, nbf } = payload;
     assertSubClaim(sub);
@@ -3098,6 +3106,26 @@ var IdPOAuthAccessToken = class _IdPOAuthAccessToken {
       data.updated_at
     );
   }
+  /**
+   * Creates an IdPOAuthAccessToken from a JWT payload.
+   * Maps standard JWT claims and OAuth-specific fields to token properties.
+   */
+  static fromJwtPayload(payload, clockSkewInMs = 5e3) {
+    const oauthPayload = payload;
+    return new _IdPOAuthAccessToken(
+      oauthPayload.jti ?? "",
+      oauthPayload.client_id ?? "",
+      "oauth_token",
+      payload.sub,
+      oauthPayload.scp ?? oauthPayload.scope?.split(" ") ?? [],
+      false,
+      null,
+      payload.exp * 1e3 <= Date.now() - clockSkewInMs,
+      payload.exp,
+      payload.iat,
+      payload.iat
+    );
+  }
 };
 
 // src/api/resources/Instance.ts
@@ -4330,14 +4358,33 @@ var M2M_TOKEN_PREFIX = "mt_";
 var OAUTH_TOKEN_PREFIX = "oat_";
 var API_KEY_PREFIX = "ak_";
 var MACHINE_TOKEN_PREFIXES = [M2M_TOKEN_PREFIX, OAUTH_TOKEN_PREFIX, API_KEY_PREFIX];
+var JwtFormatRegExp = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/;
+function isJwtFormat(token) {
+  return JwtFormatRegExp.test(token);
+}
+var OAUTH_ACCESS_TOKEN_TYPES = ["at+jwt", "application/at+jwt"];
+function isOAuthJwt(token) {
+  if (!isJwtFormat(token)) {
+    return false;
+  }
+  try {
+    const { data, errors } = decodeJwt(token);
+    return !errors && !!data && OAUTH_ACCESS_TOKEN_TYPES.includes(data.header.typ);
+  } catch {
+    return false;
+  }
+}
 function isMachineTokenByPrefix(token) {
   return MACHINE_TOKEN_PREFIXES.some((prefix) => token.startsWith(prefix));
 }
+function isMachineToken(token) {
+  return isMachineTokenByPrefix(token) || isOAuthJwt(token);
+}
 function getMachineTokenType(token) {
   if (token.startsWith(M2M_TOKEN_PREFIX)) {
     return TokenType.M2MToken;
   }
-  if (token.startsWith(OAUTH_TOKEN_PREFIX)) {
+  if (token.startsWith(OAUTH_TOKEN_PREFIX) || isOAuthJwt(token)) {
     return TokenType.OAuthToken;
   }
   if (token.startsWith(API_KEY_PREFIX)) {
@@ -4993,7 +5040,91 @@ async function verifyM2MToken(token, options) {
     return handleClerkAPIError(TokenType.M2MToken, err, "Machine token not found");
   }
 }
+async function verifyJwtOAuthToken(accessToken, options) {
+  let decoded;
+  try {
+    decoded = decodeJwt(accessToken);
+  } catch (e) {
+    return {
+      data: void 0,
+      tokenType: TokenType.OAuthToken,
+      errors: [
+        new MachineTokenVerificationError({
+          code: MachineTokenVerificationErrorCode.TokenInvalid,
+          message: e.message
+        })
+      ]
+    };
+  }
+  const { data: decodedResult, errors } = decoded;
+  if (errors) {
+    return {
+      data: void 0,
+      tokenType: TokenType.OAuthToken,
+      errors: [
+        new MachineTokenVerificationError({
+          code: MachineTokenVerificationErrorCode.TokenInvalid,
+          message: errors[0].message
+        })
+      ]
+    };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  let key;
+  try {
+    if (options.jwtKey) {
+      key = loadClerkJwkFromPem({ kid, pem: options.jwtKey });
+    } else if (options.secretKey) {
+      key = await loadClerkJWKFromRemote({ ...options, kid });
+    } else {
+      return {
+        data: void 0,
+        tokenType: TokenType.OAuthToken,
+        errors: [
+          new MachineTokenVerificationError({
+            action: TokenVerificationErrorAction.SetClerkJWTKey,
+            message: "Failed to resolve JWK during verification.",
+            code: MachineTokenVerificationErrorCode.TokenVerificationFailed
+          })
+        ]
+      };
+    }
+    const { data: payload, errors: verifyErrors } = await verifyJwt(accessToken, {
+      ...options,
+      key,
+      headerType: OAUTH_ACCESS_TOKEN_TYPES
+    });
+    if (verifyErrors) {
+      return {
+        data: void 0,
+        tokenType: TokenType.OAuthToken,
+        errors: [
+          new MachineTokenVerificationError({
+            code: MachineTokenVerificationErrorCode.TokenVerificationFailed,
+            message: verifyErrors[0].message
+          })
+        ]
+      };
+    }
+    const token = IdPOAuthAccessToken.fromJwtPayload(payload, options.clockSkewInMs);
+    return { data: token, tokenType: TokenType.OAuthToken, errors: void 0 };
+  } catch (error) {
+    return {
+      tokenType: TokenType.OAuthToken,
+      errors: [
+        new MachineTokenVerificationError({
+          code: MachineTokenVerificationErrorCode.TokenVerificationFailed,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
 async function verifyOAuthToken(accessToken, options) {
+  if (isJwtFormat(accessToken)) {
+    return verifyJwtOAuthToken(accessToken, options);
+  }
   try {
     const client = createBackendApiClient(options);
     const verifiedToken = await client.idPOAuthAccessToken.verify(accessToken);
@@ -5015,7 +5146,7 @@ async function verifyMachineAuthToken(token, options) {
   if (token.startsWith(M2M_TOKEN_PREFIX)) {
     return verifyM2MToken(token, options);
   }
-  if (token.startsWith(OAUTH_TOKEN_PREFIX)) {
+  if (token.startsWith(OAUTH_TOKEN_PREFIX) || isJwtFormat(token)) {
     return verifyOAuthToken(token, options);
   }
   if (token.startsWith(API_KEY_PREFIX)) {
@@ -5408,7 +5539,7 @@ function isTokenTypeInAcceptedArray(acceptsToken, authenticateContext) {
   let parsedTokenType = null;
   const { tokenInHeader } = authenticateContext;
   if (tokenInHeader) {
-    if (isMachineTokenByPrefix(tokenInHeader)) {
+    if (isMachineToken(tokenInHeader)) {
       parsedTokenType = getMachineTokenType(tokenInHeader);
     } else {
       parsedTokenType = TokenType.SessionToken;
@@ -5818,7 +5949,7 @@ var authenticateRequest = (async (request, options) => {
     if (!tokenInHeader) {
       return handleSessionTokenError(new Error("Missing token in header"), "header");
     }
-    if (!isMachineTokenByPrefix(tokenInHeader)) {
+    if (!isMachineToken(tokenInHeader)) {
       return signedOut({
         tokenType: acceptsToken,
         authenticateContext,
@@ -5847,7 +5978,7 @@ var authenticateRequest = (async (request, options) => {
     if (!tokenInHeader) {
       return handleSessionTokenError(new Error("Missing token in header"), "header");
     }
-    if (isMachineTokenByPrefix(tokenInHeader)) {
+    if (isMachineToken(tokenInHeader)) {
       const parsedTokenType = getMachineTokenType(tokenInHeader);
       const mismatchState = checkTokenTypeMismatch(parsedTokenType, acceptsToken, authenticateContext);
       if (mismatchState) {