@clerk/express 2.1.25-canary.v20260610174202 → 2.1.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/dist/{chunk-7BKTWMMH.mjs → chunk-L77JF5KH.mjs} +7 -3
  2. package/dist/chunk-L77JF5KH.mjs.map +1 -0
  3. package/dist/index.js +15 -6
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +12 -5
  6. package/dist/index.mjs.map +1 -1
  7. package/dist/webhooks.js.map +1 -1
  8. package/dist/webhooks.mjs +1 -1
  9. package/package.json +3 -3
  10. package/dist/chunk-7BKTWMMH.mjs.map +0 -1
package/dist/{chunk-7BKTWMMH.mjs → chunk-L77JF5KH.mjs} RENAMED
@@ -1,8 +1,11 @@
1
1
  // src/utils.ts
2
2
  import { isTruthy } from "@clerk/shared/underscore";
3
3
  import { Readable } from "stream";
4
+ var clerkAuthBrand = /* @__PURE__ */ Symbol.for("@clerk/express.auth");
5
+ var brandRequestAuth = (authHandler) => Object.assign(authHandler, { [clerkAuthBrand]: true });
4
6
  var requestHasAuthObject = (req) => {
5
- return "auth" in req;
7
+ const auth = req.auth;
8
+ return typeof auth === "function" && auth[clerkAuthBrand] === true;
6
9
  };
7
10
  var loadClientEnv = () => {
8
11
  return {
@@ -27,7 +30,7 @@ var loadApiEnv = () => {
27
30
  jwtKey: process.env.CLERK_JWT_KEY || "",
28
31
  sdkMetadata: {
29
32
  name: "@clerk/express",
30
- version: "2.1.25-canary.v20260610174202",
33
+ version: "2.1.25",
31
34
  environment: process.env.NODE_ENV
32
35
  },
33
36
  telemetry: {
@@ -66,10 +69,11 @@ var requestToProxyRequest = (req) => {
66
69
  };
67
70
 
68
71
  export {
72
+ brandRequestAuth,
69
73
  requestHasAuthObject,
70
74
  loadClientEnv,
71
75
  loadApiEnv,
72
76
  incomingMessageToRequest,
73
77
  requestToProxyRequest
74
78
  };
75
- //# sourceMappingURL=chunk-7BKTWMMH.mjs.map
79
+ //# sourceMappingURL=chunk-L77JF5KH.mjs.map
package/dist/chunk-L77JF5KH.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/utils.ts"],"sourcesContent":["import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\n/**\n * Brand attached to the `req.auth` handler installed by Clerk middleware.\n * `req.auth` is a property name shared with other auth libraries (express-jwt,\n * passport, express-openid-connect), so its mere presence proves nothing about\n * whether Clerk authenticated the request. `Symbol.for` registers the brand\n * globally so it stays stable across multiple copies of this package loaded in\n * the same process.\n */\nconst clerkAuthBrand = Symbol.for('@clerk/express.auth');\n\nexport const brandRequestAuth = <T extends (...args: never[]) => unknown>(authHandler: T): T =>\n Object.assign(authHandler, { [clerkAuthBrand]: true });\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n const auth = (req as Partial<ExpressRequestWithAuth>).auth;\n return typeof auth === 'function' && (auth as unknown as Record<symbol, unknown>)[clerkAuthBrand] === true;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n"],"mappings":";AAAA,SAAS,gBAAgB;AAEzB,SAAS,gBAAgB;AAYzB,IAAM,iBAAiB,uBAAO,IAAI,qBAAqB;AAEhD,IAAM,mBAAmB,CAA0C,gBACxE,OAAO,OAAO,aAAa,EAAE,CAAC,cAAc,GAAG,KAAK,CAAC;AAEhD,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,QAAM,OAAQ,IAAwC;AACtD,SAAO,OAAO,SAAS,cAAe,KAA4C,cAAc,MAAM;AACxG;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,aAAa,SAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,UAAU,SAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,OAAO,SAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,SAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;","names":[]}
package/dist/index.js CHANGED
@@ -36,8 +36,11 @@ var import_backend = require("@clerk/backend");
36
36
  // src/utils.ts
37
37
  var import_underscore = require("@clerk/shared/underscore");
38
38
  var import_stream = require("stream");
39
+ var clerkAuthBrand = /* @__PURE__ */ Symbol.for("@clerk/express.auth");
40
+ var brandRequestAuth = (authHandler) => Object.assign(authHandler, { [clerkAuthBrand]: true });
39
41
  var requestHasAuthObject = (req) => {
40
- return "auth" in req;
42
+ const auth = req.auth;
43
+ return typeof auth === "function" && auth[clerkAuthBrand] === true;
41
44
  };
42
45
  var loadClientEnv = () => {
43
46
  return {
@@ -62,7 +65,7 @@ var loadApiEnv = () => {
62
65
  jwtKey: process.env.CLERK_JWT_KEY || "",
63
66
  sdkMetadata: {
64
67
  name: "@clerk/express",
65
- version: "2.1.25-canary.v20260610174202",
68
+ version: "2.1.25",
66
69
  environment: process.env.NODE_ENV
67
70
  },
68
71
  telemetry: {
@@ -108,7 +111,7 @@ var clerkClient = new Proxy(clerkClientSingleton, {
108
111
  return clerkClientSingleton[property];
109
112
  }
110
113
  const env = { ...loadApiEnv(), ...loadClientEnv() };
111
- const client = (0, import_backend.createClerkClient)({ ...env, userAgent: `${"@clerk/express"}@${"2.1.25-canary.v20260610174202"}` });
114
+ const client = (0, import_backend.createClerkClient)({ ...env, userAgent: `${"@clerk/express"}@${"2.1.25"}` });
112
115
  if (env.secretKey) {
113
116
  clerkClientSingleton = client;
114
117
  }
@@ -124,6 +127,7 @@ var import_backend2 = require("@clerk/backend");
124
127
  var import_internal = require("@clerk/backend/internal");
125
128
  var import_proxy = require("@clerk/backend/proxy");
126
129
  var import_keys = require("@clerk/shared/keys");
130
+ var import_logger = require("@clerk/shared/logger");
127
131
  var import_proxy2 = require("@clerk/shared/proxy");
128
132
  var import_utils2 = require("@clerk/shared/utils");
129
133
  var import_stream2 = require("stream");
@@ -227,7 +231,7 @@ var resolveDefaultClerkClient = (options) => {
227
231
  ...env,
228
232
  ...options.apiUrl ? { apiUrl: options.apiUrl } : {},
229
233
  ...options.apiVersion ? { apiVersion: options.apiVersion } : {},
230
- userAgent: `${"@clerk/express"}@${"2.1.25-canary.v20260610174202"}`
234
+ userAgent: `${"@clerk/express"}@${"2.1.25"}`
231
235
  });
232
236
  };
233
237
  var authenticateAndDecorateRequest = (options = {}) => {
@@ -235,9 +239,14 @@ var authenticateAndDecorateRequest = (options = {}) => {
235
239
  const frontendApiProxy = options.frontendApiProxy;
236
240
  const proxyPath = (0, import_proxy.stripTrailingSlashes)(frontendApiProxy?.path ?? import_proxy.DEFAULT_PROXY_PATH) || import_proxy.DEFAULT_PROXY_PATH;
237
241
  const middleware = async (request, response, next) => {
238
- if (request.auth) {
242
+ if (requestHasAuthObject(request)) {
239
243
  return next();
240
244
  }
245
+ if ("auth" in request) {
246
+ import_logger.logger.warnOnce(
247
+ "Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property."
248
+ );
249
+ }
241
250
  const env = { ...loadApiEnv(), ...loadClientEnv() };
242
251
  const publishableKey = options.publishableKey || env.publishableKey;
243
252
  const secretKey = options.secretKey || env.secretKey;
@@ -299,7 +308,7 @@ var authenticateAndDecorateRequest = (options = {}) => {
299
308
  if (response.writableEnded) {
300
309
  return;
301
310
  }
302
- const auth = (opts) => requestState.toAuth(opts);
311
+ const auth = brandRequestAuth((opts) => requestState.toAuth(opts));
303
312
  Object.assign(request, { auth });
304
313
  next();
305
314
  } catch (err) {
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/utils.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n return 'auth' in req;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\nimport { incomingMessageToRequest, loadApiEnv, loadClientEnv, requestToProxyRequest } from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n if ((request as ExpressRequestWithAuth).auth) {\n return next();\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = (opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts);\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAc,2BAAd;;;ACCA,qBAAkC;;;ACDlC,wBAAyB;AAEzB,oBAAyB;AAIlB,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,SAAO,UAAU;AACnB;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,iBAAa,4BAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,cAAU,4BAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,WAAO,4BAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,uBAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;;;AD7EA,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,aAAS,kCAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,+BAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AE3BD,IAAAA,kBAAkC;AAElC,sBAA+C;AAC/C,mBAAgF;AAChF,kBAA2C;AAC3C,IAAAC,gBAAmE;AACnE,IAAAC,gBAAgC;AAEhC,IAAAC,iBAAyB;;;ACRzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADIrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,mBAAe,oCAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,kBAAc,+BAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,aAAS,+BAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,QACf,+BAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,KAAC,6BAAc,SAAS,SAAK,wCAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,2BAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,KAAC,+BAAgB,qBAAqB,KAAK,KAAC,kCAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,aAAO,mCAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,+BAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,gBAAY,mCAAqB,kBAAkB,QAAQ,+BAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AACpE,QAAK,QAAmC,MAAM;AAC5C,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,UAAM,oCAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,wBAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,CAAC,SAAoD,aAAa,OAAO,IAAI;AAE1F,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEjNO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,IAAAC,mBAA8C;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,aAAO,gDAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,wBAA2B;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["import_backend","import_proxy","import_utils","import_stream","clerkClient","import_internal"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/utils.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\n/**\n * Brand attached to the `req.auth` handler installed by Clerk middleware.\n * `req.auth` is a property name shared with other auth libraries (express-jwt,\n * passport, express-openid-connect), so its mere presence proves nothing about\n * whether Clerk authenticated the request. `Symbol.for` registers the brand\n * globally so it stays stable across multiple copies of this package loaded in\n * the same process.\n */\nconst clerkAuthBrand = Symbol.for('@clerk/express.auth');\n\nexport const brandRequestAuth = <T extends (...args: never[]) => unknown>(authHandler: T): T =>\n Object.assign(authHandler, { [clerkAuthBrand]: true });\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n const auth = (req as Partial<ExpressRequestWithAuth>).auth;\n return typeof auth === 'function' && (auth as unknown as Record<symbol, unknown>)[clerkAuthBrand] === true;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { logger } from '@clerk/shared/logger';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions } from './types';\nimport {\n brandRequestAuth,\n incomingMessageToRequest,\n loadApiEnv,\n loadClientEnv,\n requestHasAuthObject,\n requestToProxyRequest,\n} from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n // Skip authentication only when a Clerk middleware has already processed\n // this request. The brand check matters: a truthy `req.auth` is not proof\n // of that, since express-jwt, passport and other libraries set the same\n // property, and treating their value as ours would silently disable Clerk\n // authentication.\n if (requestHasAuthObject(request)) {\n return next();\n }\n\n if ('auth' in request) {\n logger.warnOnce(\n 'Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property.',\n );\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = brandRequestAuth((opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts));\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAc,2BAAd;;;ACCA,qBAAkC;;;ACDlC,wBAAyB;AAEzB,oBAAyB;AAYzB,IAAM,iBAAiB,uBAAO,IAAI,qBAAqB;AAEhD,IAAM,mBAAmB,CAA0C,gBACxE,OAAO,OAAO,aAAa,EAAE,CAAC,cAAc,GAAG,KAAK,CAAC;AAEhD,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,QAAM,OAAQ,IAAwC;AACtD,SAAO,OAAO,SAAS,cAAe,KAA4C,cAAc,MAAM;AACxG;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,iBAAa,4BAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,cAAU,4BAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,WAAO,4BAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,uBAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;;;AD3FA,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,aAAS,kCAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,QAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AE3BD,IAAAA,kBAAkC;AAElC,sBAA+C;AAC/C,mBAAgF;AAChF,kBAA2C;AAC3C,oBAAuB;AACvB,IAAAC,gBAAmE;AACnE,IAAAC,gBAAgC;AAEhC,IAAAC,iBAAyB;;;ACTzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADYrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,mBAAe,oCAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,kBAAc,+BAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,aAAS,+BAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,QACf,+BAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,KAAC,6BAAc,SAAS,SAAK,wCAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,2BAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,KAAC,+BAAgB,qBAAqB,KAAK,KAAC,kCAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,aAAO,mCAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,QAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,gBAAY,mCAAqB,kBAAkB,QAAQ,+BAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AAMpE,QAAI,qBAAqB,OAAO,GAAG;AACjC,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,UAAU,SAAS;AACrB,2BAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,UAAM,oCAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,wBAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,iBAAiB,CAAC,SAAoD,aAAa,OAAO,IAAI,CAAC;AAE5G,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEpOO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,IAAAC,mBAA8C;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,aAAO,gDAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,wBAA2B;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["import_backend","import_proxy","import_utils","import_stream","clerkClient","import_internal"]}
package/dist/index.mjs CHANGED
@@ -1,10 +1,11 @@
1
1
  import {
2
+ brandRequestAuth,
2
3
  incomingMessageToRequest,
3
4
  loadApiEnv,
4
5
  loadClientEnv,
5
6
  requestHasAuthObject,
6
7
  requestToProxyRequest
7
- } from "./chunk-7BKTWMMH.mjs";
8
+ } from "./chunk-L77JF5KH.mjs";
8
9
 
9
10
  // src/index.ts
10
11
  export * from "@clerk/backend";
@@ -18,7 +19,7 @@ var clerkClient = new Proxy(clerkClientSingleton, {
18
19
  return clerkClientSingleton[property];
19
20
  }
20
21
  const env = { ...loadApiEnv(), ...loadClientEnv() };
21
- const client = createClerkClient({ ...env, userAgent: `${"@clerk/express"}@${"2.1.25-canary.v20260610174202"}` });
22
+ const client = createClerkClient({ ...env, userAgent: `${"@clerk/express"}@${"2.1.25"}` });
22
23
  if (env.secretKey) {
23
24
  clerkClientSingleton = client;
24
25
  }
@@ -34,6 +35,7 @@ import { createClerkClient as createClerkClient2 } from "@clerk/backend";
34
35
  import { AuthStatus, createClerkRequest } from "@clerk/backend/internal";
35
36
  import { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from "@clerk/backend/proxy";
36
37
  import { isDevelopmentFromSecretKey } from "@clerk/shared/keys";
38
+ import { logger } from "@clerk/shared/logger";
37
39
  import { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from "@clerk/shared/proxy";
38
40
  import { handleValueOrFn } from "@clerk/shared/utils";
39
41
  import { Readable } from "stream";
@@ -137,7 +139,7 @@ var resolveDefaultClerkClient = (options) => {
137
139
  ...env,
138
140
  ...options.apiUrl ? { apiUrl: options.apiUrl } : {},
139
141
  ...options.apiVersion ? { apiVersion: options.apiVersion } : {},
140
- userAgent: `${"@clerk/express"}@${"2.1.25-canary.v20260610174202"}`
142
+ userAgent: `${"@clerk/express"}@${"2.1.25"}`
141
143
  });
142
144
  };
143
145
  var authenticateAndDecorateRequest = (options = {}) => {
@@ -145,9 +147,14 @@ var authenticateAndDecorateRequest = (options = {}) => {
145
147
  const frontendApiProxy = options.frontendApiProxy;
146
148
  const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;
147
149
  const middleware = async (request, response, next) => {
148
- if (request.auth) {
150
+ if (requestHasAuthObject(request)) {
149
151
  return next();
150
152
  }
153
+ if ("auth" in request) {
154
+ logger.warnOnce(
155
+ "Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property."
156
+ );
157
+ }
151
158
  const env = { ...loadApiEnv(), ...loadClientEnv() };
152
159
  const publishableKey = options.publishableKey || env.publishableKey;
153
160
  const secretKey = options.secretKey || env.secretKey;
@@ -209,7 +216,7 @@ var authenticateAndDecorateRequest = (options = {}) => {
209
216
  if (response.writableEnded) {
210
217
  return;
211
218
  }
212
- const auth = (opts) => requestState.toAuth(opts);
219
+ const auth = brandRequestAuth((opts) => requestState.toAuth(opts));
213
220
  Object.assign(request, { auth });
214
221
  next();
215
222
  } catch (err) {
package/dist/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\nimport { incomingMessageToRequest, loadApiEnv, loadClientEnv, requestToProxyRequest } from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n if ((request as ExpressRequestWithAuth).auth) {\n return next();\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = (opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts);\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;AAAA,cAAc;;;ACCd,SAAS,yBAAyB;AAIlC,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,SAAS,kBAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,+BAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AC3BD,SAAS,qBAAAA,0BAAyB;AAElC,SAAS,YAAY,0BAA0B;AAC/C,SAAS,uBAAuB,oBAAoB,4BAA4B;AAChF,SAAS,kCAAkC;AAC3C,SAAS,eAAe,oBAAoB,uBAAuB;AACnE,SAAS,uBAAuB;AAEhC,SAAS,gBAAgB;;;ACRzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADIrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,eAAe,mBAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,cAAc,gBAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,SAAS,gBAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,IACf,gBAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,CAAC,cAAc,SAAS,KAAK,2BAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,WAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,CAAC,gBAAgB,qBAAqB,KAAK,CAAC,mBAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,SAAOC,mBAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,+BAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMD,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,YAAY,qBAAqB,kBAAkB,QAAQ,kBAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AACpE,QAAK,QAAmC,MAAM;AAC5C,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,MAAM,sBAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,SAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,CAAC,SAAoD,aAAa,OAAO,IAAI;AAE1F,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEjNO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,SAAS,qCAAqC;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,SAAO,8BAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,SAAS,kBAAkB;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["createClerkClient","clerkClient","createClerkClient"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { logger } from '@clerk/shared/logger';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions } from './types';\nimport {\n brandRequestAuth,\n incomingMessageToRequest,\n loadApiEnv,\n loadClientEnv,\n requestHasAuthObject,\n requestToProxyRequest,\n} from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n // Skip authentication only when a Clerk middleware has already processed\n // this request. The brand check matters: a truthy `req.auth` is not proof\n // of that, since express-jwt, passport and other libraries set the same\n // property, and treating their value as ours would silently disable Clerk\n // authentication.\n if (requestHasAuthObject(request)) {\n return next();\n }\n\n if ('auth' in request) {\n logger.warnOnce(\n 'Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property.',\n );\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = brandRequestAuth((opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts));\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;AAAA,cAAc;;;ACCd,SAAS,yBAAyB;AAIlC,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,SAAS,kBAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,QAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AC3BD,SAAS,qBAAAA,0BAAyB;AAElC,SAAS,YAAY,0BAA0B;AAC/C,SAAS,uBAAuB,oBAAoB,4BAA4B;AAChF,SAAS,kCAAkC;AAC3C,SAAS,cAAc;AACvB,SAAS,eAAe,oBAAoB,uBAAuB;AACnE,SAAS,uBAAuB;AAEhC,SAAS,gBAAgB;;;ACTzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADYrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,eAAe,mBAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,cAAc,gBAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,SAAS,gBAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,IACf,gBAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,CAAC,cAAc,SAAS,KAAK,2BAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,WAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,CAAC,gBAAgB,qBAAqB,KAAK,CAAC,mBAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,SAAOC,mBAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,QAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMD,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,YAAY,qBAAqB,kBAAkB,QAAQ,kBAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AAMpE,QAAI,qBAAqB,OAAO,GAAG;AACjC,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,UAAU,SAAS;AACrB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,MAAM,sBAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,SAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,iBAAiB,CAAC,SAAoD,aAAa,OAAO,IAAI,CAAC;AAE5G,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEpOO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,SAAS,qCAAqC;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,SAAO,8BAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,SAAS,kBAAkB;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["createClerkClient","clerkClient","createClerkClient"]}
package/dist/webhooks.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/webhooks.ts","../src/utils.ts"],"sourcesContent":["/* eslint-disable import/export */\nimport type { VerifyWebhookOptions } from '@clerk/backend/webhooks';\nimport { verifyWebhook as verifyWebhookBase } from '@clerk/backend/webhooks';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { incomingMessageToRequest } from './utils';\n\n// Ordering of exports matter here since\n// we're overriding the base verifyWebhook\nexport * from '@clerk/backend/webhooks';\n\n/**\n * Verifies the authenticity of a webhook request using Svix.\n *\n * @param request - The incoming webhook Express Request object\n * @param options - Optional configuration object\n * @param options.signingSecret - Custom signing secret. If not provided, falls back to CLERK_WEBHOOK_SIGNING_SECRET env variable\n * @throws Will throw an error if the webhook signature verification fails\n * @returns A promise that resolves to the verified webhook event data\n *\n * @example\n * ```typescript\n * import { verifyWebhook } from '@clerk/express/webhooks';\n *\n * app.post('/api/webhooks', async (req, res) => {\n * try {\n * const evt = await verifyWebhook(req);\n * // handle event\n * res.send('Webhook received');\n * } catch (err) {\n * res.status(400).send('Webhook verification failed');\n * }\n * });\n * ```\n *\n * @see {@link https://clerk.com/docs/webhooks/sync-data} to learn more about syncing Clerk data to your application using webhooks\n */\nexport async function verifyWebhook(req: ExpressRequest, options?: VerifyWebhookOptions) {\n const webRequest = incomingMessageToRequest(req);\n // Cloning instead of implementing the body inside incomingMessageToRequest\n // to make it more predictable\n // we must pass in body as string not as an Object or Buffer\n let serializedBody: string;\n if (typeof req.body === 'string') {\n serializedBody = req.body;\n } else if (Buffer.isBuffer(req.body)) {\n serializedBody = req.body.toString('utf8');\n } else if (req.body === undefined || req.body === null) {\n serializedBody = '';\n } else {\n try {\n serializedBody = JSON.stringify(req.body);\n } catch (error) {\n throw new Error(`Failed to serialize request body: ${error instanceof Error ? error.message : 'Unknown error'}`);\n }\n }\n const clonedRequest = new Request(webRequest, {\n body: serializedBody,\n });\n return verifyWebhookBase(clonedRequest, options);\n}\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n return 'auth' in req;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,sBAAmD;;;ACFnD,wBAAyB;AA4ClB,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;;;AD9CA,6BAAc,oCATd;AAqCA,eAAsB,cAAc,KAAqB,SAAgC;AACvF,QAAM,aAAa,yBAAyB,GAAG;AAI/C,MAAI;AACJ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,qBAAiB,IAAI;AAAA,EACvB,WAAW,OAAO,SAAS,IAAI,IAAI,GAAG;AACpC,qBAAiB,IAAI,KAAK,SAAS,MAAM;AAAA,EAC3C,WAAW,IAAI,SAAS,UAAa,IAAI,SAAS,MAAM;AACtD,qBAAiB;AAAA,EACnB,OAAO;AACL,QAAI;AACF,uBAAiB,KAAK,UAAU,IAAI,IAAI;AAAA,IAC1C,SAAS,OAAO;AACd,YAAM,IAAI,MAAM,qCAAqC,iBAAiB,QAAQ,MAAM,UAAU,eAAe,EAAE;AAAA,IACjH;AAAA,EACF;AACA,QAAM,gBAAgB,IAAI,QAAQ,YAAY;AAAA,IAC5C,MAAM;AAAA,EACR,CAAC;AACD,aAAO,gBAAAA,eAAkB,eAAe,OAAO;AACjD;","names":["verifyWebhookBase"]}
1
+ {"version":3,"sources":["../src/webhooks.ts","../src/utils.ts"],"sourcesContent":["/* eslint-disable import/export */\nimport type { VerifyWebhookOptions } from '@clerk/backend/webhooks';\nimport { verifyWebhook as verifyWebhookBase } from '@clerk/backend/webhooks';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { incomingMessageToRequest } from './utils';\n\n// Ordering of exports matter here since\n// we're overriding the base verifyWebhook\nexport * from '@clerk/backend/webhooks';\n\n/**\n * Verifies the authenticity of a webhook request using Svix.\n *\n * @param request - The incoming webhook Express Request object\n * @param options - Optional configuration object\n * @param options.signingSecret - Custom signing secret. If not provided, falls back to CLERK_WEBHOOK_SIGNING_SECRET env variable\n * @throws Will throw an error if the webhook signature verification fails\n * @returns A promise that resolves to the verified webhook event data\n *\n * @example\n * ```typescript\n * import { verifyWebhook } from '@clerk/express/webhooks';\n *\n * app.post('/api/webhooks', async (req, res) => {\n * try {\n * const evt = await verifyWebhook(req);\n * // handle event\n * res.send('Webhook received');\n * } catch (err) {\n * res.status(400).send('Webhook verification failed');\n * }\n * });\n * ```\n *\n * @see {@link https://clerk.com/docs/webhooks/sync-data} to learn more about syncing Clerk data to your application using webhooks\n */\nexport async function verifyWebhook(req: ExpressRequest, options?: VerifyWebhookOptions) {\n const webRequest = incomingMessageToRequest(req);\n // Cloning instead of implementing the body inside incomingMessageToRequest\n // to make it more predictable\n // we must pass in body as string not as an Object or Buffer\n let serializedBody: string;\n if (typeof req.body === 'string') {\n serializedBody = req.body;\n } else if (Buffer.isBuffer(req.body)) {\n serializedBody = req.body.toString('utf8');\n } else if (req.body === undefined || req.body === null) {\n serializedBody = '';\n } else {\n try {\n serializedBody = JSON.stringify(req.body);\n } catch (error) {\n throw new Error(`Failed to serialize request body: ${error instanceof Error ? error.message : 'Unknown error'}`);\n }\n }\n const clonedRequest = new Request(webRequest, {\n body: serializedBody,\n });\n return verifyWebhookBase(clonedRequest, options);\n}\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\n/**\n * Brand attached to the `req.auth` handler installed by Clerk middleware.\n * `req.auth` is a property name shared with other auth libraries (express-jwt,\n * passport, express-openid-connect), so its mere presence proves nothing about\n * whether Clerk authenticated the request. `Symbol.for` registers the brand\n * globally so it stays stable across multiple copies of this package loaded in\n * the same process.\n */\nconst clerkAuthBrand = Symbol.for('@clerk/express.auth');\n\nexport const brandRequestAuth = <T extends (...args: never[]) => unknown>(authHandler: T): T =>\n Object.assign(authHandler, { [clerkAuthBrand]: true });\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n const auth = (req as Partial<ExpressRequestWithAuth>).auth;\n return typeof auth === 'function' && (auth as unknown as Record<symbol, unknown>)[clerkAuthBrand] === true;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,sBAAmD;;;ACFnD,wBAAyB;AA0DlB,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;;;AD5DA,6BAAc,oCATd;AAqCA,eAAsB,cAAc,KAAqB,SAAgC;AACvF,QAAM,aAAa,yBAAyB,GAAG;AAI/C,MAAI;AACJ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,qBAAiB,IAAI;AAAA,EACvB,WAAW,OAAO,SAAS,IAAI,IAAI,GAAG;AACpC,qBAAiB,IAAI,KAAK,SAAS,MAAM;AAAA,EAC3C,WAAW,IAAI,SAAS,UAAa,IAAI,SAAS,MAAM;AACtD,qBAAiB;AAAA,EACnB,OAAO;AACL,QAAI;AACF,uBAAiB,KAAK,UAAU,IAAI,IAAI;AAAA,IAC1C,SAAS,OAAO;AACd,YAAM,IAAI,MAAM,qCAAqC,iBAAiB,QAAQ,MAAM,UAAU,eAAe,EAAE;AAAA,IACjH;AAAA,EACF;AACA,QAAM,gBAAgB,IAAI,QAAQ,YAAY;AAAA,IAC5C,MAAM;AAAA,EACR,CAAC;AACD,aAAO,gBAAAA,eAAkB,eAAe,OAAO;AACjD;","names":["verifyWebhookBase"]}
package/dist/webhooks.mjs CHANGED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  incomingMessageToRequest
3
- } from "./chunk-7BKTWMMH.mjs";
3
+ } from "./chunk-L77JF5KH.mjs";
4
4
 
5
5
  // src/webhooks.ts
6
6
  import { verifyWebhook as verifyWebhookBase } from "@clerk/backend/webhooks";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@clerk/express",
3
- "version": "2.1.25-canary.v20260610174202",
3
+ "version": "2.1.25",
4
4
  "description": "Clerk server SDK for usage with Express",
5
5
  "keywords": [
6
6
  "clerk",
@@ -62,8 +62,8 @@
62
62
  ],
63
63
  "dependencies": {
64
64
  "tslib": "2.8.1",
65
- "@clerk/backend": "3.6.1-canary.v20260610174202",
66
- "@clerk/shared": "4.17.0-canary.v20260610174202"
65
+ "@clerk/backend": "^3.6.1",
66
+ "@clerk/shared": "^4.17.0"
67
67
  },
68
68
  "devDependencies": {
69
69
  "@types/express": "^4.17.25",
package/dist/chunk-7BKTWMMH.mjs.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/utils.ts"],"sourcesContent":["import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n return 'auth' in req;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n"],"mappings":";AAAA,SAAS,gBAAgB;AAEzB,SAAS,gBAAgB;AAIlB,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,SAAO,UAAU;AACnB;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,aAAa,SAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,UAAU,SAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,OAAO,SAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,SAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;","names":[]}