@clerk/express 2.0.5-snapshot.v20260311230607 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/{chunk-KWII7CE3.mjs → chunk-KINUXEVN.mjs} +2 -2
  2. package/dist/index.js +2 -2
  3. package/dist/index.js.map +1 -1
  4. package/dist/index.mjs +2 -2
  5. package/dist/index.mjs.map +1 -1
  6. package/dist/webhooks.mjs +1 -1
  7. package/package.json +3 -3
  8. /package/dist/{chunk-KWII7CE3.mjs.map → chunk-KINUXEVN.mjs.map} +0 -0
package/dist/{chunk-KWII7CE3.mjs → chunk-KINUXEVN.mjs} RENAMED
@@ -27,7 +27,7 @@ var loadApiEnv = () => {
27
27
  jwtKey: process.env.CLERK_JWT_KEY || "",
28
28
  sdkMetadata: {
29
29
  name: "@clerk/express",
30
- version: "2.0.5-snapshot.v20260311230607",
30
+ version: "2.0.5",
31
31
  environment: process.env.NODE_ENV
32
32
  },
33
33
  telemetry: {
@@ -72,4 +72,4 @@ export {
72
72
  incomingMessageToRequest,
73
73
  requestToProxyRequest
74
74
  };
75
- //# sourceMappingURL=chunk-KWII7CE3.mjs.map
75
+ //# sourceMappingURL=chunk-KINUXEVN.mjs.map
package/dist/index.js CHANGED
@@ -62,7 +62,7 @@ var loadApiEnv = () => {
62
62
  jwtKey: process.env.CLERK_JWT_KEY || "",
63
63
  sdkMetadata: {
64
64
  name: "@clerk/express",
65
- version: "2.0.5-snapshot.v20260311230607",
65
+ version: "2.0.5",
66
66
  environment: process.env.NODE_ENV
67
67
  },
68
68
  telemetry: {
@@ -108,7 +108,7 @@ var clerkClient = new Proxy(clerkClientSingleton, {
108
108
  return clerkClientSingleton[property];
109
109
  }
110
110
  const env = { ...loadApiEnv(), ...loadClientEnv() };
111
- const client = (0, import_backend.createClerkClient)({ ...env, userAgent: `${"@clerk/express"}@${"2.0.5-snapshot.v20260311230607"}` });
111
+ const client = (0, import_backend.createClerkClient)({ ...env, userAgent: `${"@clerk/express"}@${"2.0.5"}` });
112
112
  if (env.secretKey) {
113
113
  clerkClientSingleton = client;
114
114
  }
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/utils.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n return 'auth' in req;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n","import type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\nimport { incomingMessageToRequest, loadApiEnv, loadClientEnv, requestToProxyRequest } from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n const { jwtKey, authorizedParties, audience, acceptsToken } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = options?.secretKey || env.secretKey;\n const machineSecretKey = options?.machineSecretKey || env.machineSecretKey;\n const publishableKey = options?.publishableKey || env.publishableKey;\n\n const isSatellite = handleValueOrFn(options?.isSatellite, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(options?.domain, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = options?.signInUrl || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(options?.proxyUrl, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n audience,\n secretKey,\n machineSecretKey,\n publishableKey,\n jwtKey,\n authorizedParties,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n acceptsToken,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || defaultClerkClient;\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n if ((request as ExpressRequestWithAuth).auth) {\n return next();\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = (opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts);\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n */\nexport const clerkMiddleware = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retriving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @example\n * // Basic usage\n * import { requireAuth } from '@clerk/express'\n *\n * router.use(requireAuth())\n * //or\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // Customizing the sign-in path\n * router.use(requireAuth({ signInUrl: '/sign-in' }))\n *\n * @example\n * // Combining with permission check\n * import { getAuth, requireAuth } from '@clerk/express'\n *\n * const hasPermission = (req, res, next) => {\n * const auth = getAuth(req)\n * if (!auth.has({ permission: 'permission' })) {\n * return res.status(403).send('Forbidden')\n * }\n * return next()\n * }\n * router.get('/path', requireAuth(), hasPermission, getHandler)\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAc,2BAAd;;;ACCA,qBAAkC;;;ACDlC,wBAAyB;AAEzB,oBAAyB;AAIlB,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,SAAO,UAAU;AACnB;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,iBAAa,4BAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,cAAU,4BAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,WAAO,4BAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,uBAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;;;AD7EA,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,aAAS,kCAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,gCAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AE1BD,sBAA+C;AAC/C,mBAAgF;AAChF,kBAA2C;AAC3C,IAAAA,gBAAmE;AACnE,IAAAC,gBAAgC;AAEhC,IAAAC,iBAAyB;;;ACPzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADGrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAC1C,QAAM,EAAE,QAAQ,mBAAmB,UAAU,aAAa,IAAI,WAAW,CAAC;AAE1E,QAAM,mBAAe,oCAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,mBAAmB,SAAS,oBAAoB,IAAI;AAC1D,QAAM,iBAAiB,SAAS,kBAAkB,IAAI;AAEtD,QAAM,kBAAc,+BAAgB,SAAS,aAAa,aAAa,UAAU,IAAI,WAAW;AAChG,QAAM,aAAS,+BAAgB,SAAS,QAAQ,aAAa,QAAQ,KAAK,IAAI;AAC9E,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,WAAW;AAAA,QACf,+BAAgB,SAAS,UAAU,aAAa,UAAU,IAAI,QAAQ;AAAA,IACtE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,KAAC,6BAAc,SAAS,SAAK,wCAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,2BAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,KAAC,+BAAgB,qBAAqB,KAAK,KAAC,kCAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe;AAG3C,QAAM,mBAAmB,QAAQ;AACjC,QAAM,gBAAY,mCAAqB,kBAAkB,QAAQ,+BAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AACpE,QAAK,QAAmC,MAAM;AAC5C,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,UAAM,oCAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,wBAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,CAAC,SAAoD,aAAa,OAAO,IAAI;AAE1F,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AE1LO,IAAM,kBAAkB,CAAC,UAAkC,CAAC,MAAsB;AACvF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,IAAI;AAAA,EACxC;AACF;;;AC5BA,IAAAC,mBAA8C;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,aAAO,gDAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACYO,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["import_proxy","import_utils","import_stream","clerkClient","import_internal"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/utils.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n return 'auth' in req;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n","import type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\nimport { incomingMessageToRequest, loadApiEnv, loadClientEnv, requestToProxyRequest } from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n const { jwtKey, authorizedParties, audience, acceptsToken } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = options?.secretKey || env.secretKey;\n const machineSecretKey = options?.machineSecretKey || env.machineSecretKey;\n const publishableKey = options?.publishableKey || env.publishableKey;\n\n const isSatellite = handleValueOrFn(options?.isSatellite, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(options?.domain, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = options?.signInUrl || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(options?.proxyUrl, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n audience,\n secretKey,\n machineSecretKey,\n publishableKey,\n jwtKey,\n authorizedParties,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n acceptsToken,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || defaultClerkClient;\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n if ((request as ExpressRequestWithAuth).auth) {\n return next();\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = (opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts);\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n */\nexport const clerkMiddleware = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retriving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @example\n * // Basic usage\n * import { requireAuth } from '@clerk/express'\n *\n * router.use(requireAuth())\n * //or\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // Customizing the sign-in path\n * router.use(requireAuth({ signInUrl: '/sign-in' }))\n *\n * @example\n * // Combining with permission check\n * import { getAuth, requireAuth } from '@clerk/express'\n *\n * const hasPermission = (req, res, next) => {\n * const auth = getAuth(req)\n * if (!auth.has({ permission: 'permission' })) {\n * return res.status(403).send('Forbidden')\n * }\n * return next()\n * }\n * router.get('/path', requireAuth(), hasPermission, getHandler)\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAc,2BAAd;;;ACCA,qBAAkC;;;ACDlC,wBAAyB;AAEzB,oBAAyB;AAIlB,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,SAAO,UAAU;AACnB;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,iBAAa,4BAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,cAAU,4BAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,WAAO,4BAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,uBAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;;;AD7EA,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,aAAS,kCAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,OAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AE1BD,sBAA+C;AAC/C,mBAAgF;AAChF,kBAA2C;AAC3C,IAAAA,gBAAmE;AACnE,IAAAC,gBAAgC;AAEhC,IAAAC,iBAAyB;;;ACPzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADGrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAC1C,QAAM,EAAE,QAAQ,mBAAmB,UAAU,aAAa,IAAI,WAAW,CAAC;AAE1E,QAAM,mBAAe,oCAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,mBAAmB,SAAS,oBAAoB,IAAI;AAC1D,QAAM,iBAAiB,SAAS,kBAAkB,IAAI;AAEtD,QAAM,kBAAc,+BAAgB,SAAS,aAAa,aAAa,UAAU,IAAI,WAAW;AAChG,QAAM,aAAS,+BAAgB,SAAS,QAAQ,aAAa,QAAQ,KAAK,IAAI;AAC9E,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,WAAW;AAAA,QACf,+BAAgB,SAAS,UAAU,aAAa,UAAU,IAAI,QAAQ;AAAA,IACtE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,KAAC,6BAAc,SAAS,SAAK,wCAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,2BAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,KAAC,+BAAgB,qBAAqB,KAAK,KAAC,kCAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe;AAG3C,QAAM,mBAAmB,QAAQ;AACjC,QAAM,gBAAY,mCAAqB,kBAAkB,QAAQ,+BAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AACpE,QAAK,QAAmC,MAAM;AAC5C,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,UAAM,oCAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,wBAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,CAAC,SAAoD,aAAa,OAAO,IAAI;AAE1F,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AE1LO,IAAM,kBAAkB,CAAC,UAAkC,CAAC,MAAsB;AACvF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,IAAI;AAAA,EACxC;AACF;;;AC5BA,IAAAC,mBAA8C;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,aAAO,gDAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACYO,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["import_proxy","import_utils","import_stream","clerkClient","import_internal"]}
package/dist/index.mjs CHANGED
@@ -4,7 +4,7 @@ import {
4
4
  loadClientEnv,
5
5
  requestHasAuthObject,
6
6
  requestToProxyRequest
7
- } from "./chunk-KWII7CE3.mjs";
7
+ } from "./chunk-KINUXEVN.mjs";
8
8
 
9
9
  // src/index.ts
10
10
  export * from "@clerk/backend";
@@ -18,7 +18,7 @@ var clerkClient = new Proxy(clerkClientSingleton, {
18
18
  return clerkClientSingleton[property];
19
19
  }
20
20
  const env = { ...loadApiEnv(), ...loadClientEnv() };
21
- const client = createClerkClient({ ...env, userAgent: `${"@clerk/express"}@${"2.0.5-snapshot.v20260311230607"}` });
21
+ const client = createClerkClient({ ...env, userAgent: `${"@clerk/express"}@${"2.0.5"}` });
22
22
  if (env.secretKey) {
23
23
  clerkClientSingleton = client;
24
24
  }
package/dist/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\nimport { incomingMessageToRequest, loadApiEnv, loadClientEnv, requestToProxyRequest } from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n const { jwtKey, authorizedParties, audience, acceptsToken } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = options?.secretKey || env.secretKey;\n const machineSecretKey = options?.machineSecretKey || env.machineSecretKey;\n const publishableKey = options?.publishableKey || env.publishableKey;\n\n const isSatellite = handleValueOrFn(options?.isSatellite, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(options?.domain, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = options?.signInUrl || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(options?.proxyUrl, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n audience,\n secretKey,\n machineSecretKey,\n publishableKey,\n jwtKey,\n authorizedParties,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n acceptsToken,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || defaultClerkClient;\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n if ((request as ExpressRequestWithAuth).auth) {\n return next();\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = (opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts);\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n */\nexport const clerkMiddleware = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retriving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @example\n * // Basic usage\n * import { requireAuth } from '@clerk/express'\n *\n * router.use(requireAuth())\n * //or\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // Customizing the sign-in path\n * router.use(requireAuth({ signInUrl: '/sign-in' }))\n *\n * @example\n * // Combining with permission check\n * import { getAuth, requireAuth } from '@clerk/express'\n *\n * const hasPermission = (req, res, next) => {\n * const auth = getAuth(req)\n * if (!auth.has({ permission: 'permission' })) {\n * return res.status(403).send('Forbidden')\n * }\n * return next()\n * }\n * router.get('/path', requireAuth(), hasPermission, getHandler)\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;AAAA,cAAc;;;ACCd,SAAS,yBAAyB;AAIlC,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,SAAS,kBAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,gCAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AC1BD,SAAS,YAAY,0BAA0B;AAC/C,SAAS,uBAAuB,oBAAoB,4BAA4B;AAChF,SAAS,kCAAkC;AAC3C,SAAS,eAAe,oBAAoB,uBAAuB;AACnE,SAAS,uBAAuB;AAEhC,SAAS,gBAAgB;;;ACPzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADGrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAA,cAAa,SAAS,QAAQ,IAAI;AAC1C,QAAM,EAAE,QAAQ,mBAAmB,UAAU,aAAa,IAAI,WAAW,CAAC;AAE1E,QAAM,eAAe,mBAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,mBAAmB,SAAS,oBAAoB,IAAI;AAC1D,QAAM,iBAAiB,SAAS,kBAAkB,IAAI;AAEtD,QAAM,cAAc,gBAAgB,SAAS,aAAa,aAAa,UAAU,IAAI,WAAW;AAChG,QAAM,SAAS,gBAAgB,SAAS,QAAQ,aAAa,QAAQ,KAAK,IAAI;AAC9E,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,WAAW;AAAA,IACf,gBAAgB,SAAS,UAAU,aAAa,UAAU,IAAI,QAAQ;AAAA,IACtE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,CAAC,cAAc,SAAS,KAAK,2BAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,WAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,CAAC,gBAAgB,qBAAqB,KAAK,CAAC,mBAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe;AAG3C,QAAM,mBAAmB,QAAQ;AACjC,QAAM,YAAY,qBAAqB,kBAAkB,QAAQ,kBAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AACpE,QAAK,QAAmC,MAAM;AAC5C,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,MAAM,sBAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,SAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,CAAC,SAAoD,aAAa,OAAO,IAAI;AAE1F,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AE1LO,IAAM,kBAAkB,CAAC,UAAkC,CAAC,MAAsB;AACvF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,IAAI;AAAA,EACxC;AACF;;;AC5BA,SAAS,qCAAqC;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,SAAO,8BAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACYO,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["clerkClient"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\nimport { incomingMessageToRequest, loadApiEnv, loadClientEnv, requestToProxyRequest } from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n const { jwtKey, authorizedParties, audience, acceptsToken } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = options?.secretKey || env.secretKey;\n const machineSecretKey = options?.machineSecretKey || env.machineSecretKey;\n const publishableKey = options?.publishableKey || env.publishableKey;\n\n const isSatellite = handleValueOrFn(options?.isSatellite, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(options?.domain, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = options?.signInUrl || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(options?.proxyUrl, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n audience,\n secretKey,\n machineSecretKey,\n publishableKey,\n jwtKey,\n authorizedParties,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n acceptsToken,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || defaultClerkClient;\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n if ((request as ExpressRequestWithAuth).auth) {\n return next();\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = (opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts);\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n */\nexport const clerkMiddleware = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retriving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @example\n * // Basic usage\n * import { requireAuth } from '@clerk/express'\n *\n * router.use(requireAuth())\n * //or\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // Customizing the sign-in path\n * router.use(requireAuth({ signInUrl: '/sign-in' }))\n *\n * @example\n * // Combining with permission check\n * import { getAuth, requireAuth } from '@clerk/express'\n *\n * const hasPermission = (req, res, next) => {\n * const auth = getAuth(req)\n * if (!auth.has({ permission: 'permission' })) {\n * return res.status(403).send('Forbidden')\n * }\n * return next()\n * }\n * router.get('/path', requireAuth(), hasPermission, getHandler)\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;AAAA,cAAc;;;ACCd,SAAS,yBAAyB;AAIlC,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,SAAS,kBAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,OAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AC1BD,SAAS,YAAY,0BAA0B;AAC/C,SAAS,uBAAuB,oBAAoB,4BAA4B;AAChF,SAAS,kCAAkC;AAC3C,SAAS,eAAe,oBAAoB,uBAAuB;AACnE,SAAS,uBAAuB;AAEhC,SAAS,gBAAgB;;;ACPzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADGrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAA,cAAa,SAAS,QAAQ,IAAI;AAC1C,QAAM,EAAE,QAAQ,mBAAmB,UAAU,aAAa,IAAI,WAAW,CAAC;AAE1E,QAAM,eAAe,mBAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,mBAAmB,SAAS,oBAAoB,IAAI;AAC1D,QAAM,iBAAiB,SAAS,kBAAkB,IAAI;AAEtD,QAAM,cAAc,gBAAgB,SAAS,aAAa,aAAa,UAAU,IAAI,WAAW;AAChG,QAAM,SAAS,gBAAgB,SAAS,QAAQ,aAAa,QAAQ,KAAK,IAAI;AAC9E,QAAM,YAAY,SAAS,aAAa,IAAI;AAC5C,QAAM,WAAW;AAAA,IACf,gBAAgB,SAAS,UAAU,aAAa,UAAU,IAAI,QAAQ;AAAA,IACtE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,CAAC,cAAc,SAAS,KAAK,2BAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,WAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,CAAC,gBAAgB,qBAAqB,KAAK,CAAC,mBAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe;AAG3C,QAAM,mBAAmB,QAAQ;AACjC,QAAM,YAAY,qBAAqB,kBAAkB,QAAQ,kBAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AACpE,QAAK,QAAmC,MAAM;AAC5C,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,MAAM,sBAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,SAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,CAAC,SAAoD,aAAa,OAAO,IAAI;AAE1F,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AE1LO,IAAM,kBAAkB,CAAC,UAAkC,CAAC,MAAsB;AACvF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,IAAI;AAAA,EACxC;AACF;;;AC5BA,SAAS,qCAAqC;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,SAAO,8BAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACYO,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["clerkClient"]}
package/dist/webhooks.mjs CHANGED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  incomingMessageToRequest
3
- } from "./chunk-KWII7CE3.mjs";
3
+ } from "./chunk-KINUXEVN.mjs";
4
4
 
5
5
  // src/webhooks.ts
6
6
  import { verifyWebhook as verifyWebhookBase } from "@clerk/backend/webhooks";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@clerk/express",
3
- "version": "2.0.5-snapshot.v20260311230607",
3
+ "version": "2.0.5",
4
4
  "description": "Clerk server SDK for usage with Express",
5
5
  "keywords": [
6
6
  "clerk",
@@ -62,8 +62,8 @@
62
62
  ],
63
63
  "dependencies": {
64
64
  "tslib": "2.8.1",
65
- "@clerk/backend": "3.2.1-snapshot.v20260311230607",
66
- "@clerk/shared": "4.3.1-snapshot.v20260311230607"
65
+ "@clerk/backend": "^3.2.1",
66
+ "@clerk/shared": "^4.3.1"
67
67
  },
68
68
  "devDependencies": {
69
69
  "@types/express": "^4.17.23",