@clerk/express 2.1.25 → 2.1.26-canary.v20260610182054

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/{chunk-L77JF5KH.mjs → chunk-GS66UZNJ.mjs} +2 -2
  2. package/dist/index.js +3 -3
  3. package/dist/index.js.map +1 -1
  4. package/dist/index.mjs +3 -3
  5. package/dist/index.mjs.map +1 -1
  6. package/dist/webhooks.mjs +1 -1
  7. package/package.json +3 -3
  8. /package/dist/{chunk-L77JF5KH.mjs.map → chunk-GS66UZNJ.mjs.map} +0 -0
package/dist/{chunk-L77JF5KH.mjs → chunk-GS66UZNJ.mjs} RENAMED
@@ -30,7 +30,7 @@ var loadApiEnv = () => {
30
30
  jwtKey: process.env.CLERK_JWT_KEY || "",
31
31
  sdkMetadata: {
32
32
  name: "@clerk/express",
33
- version: "2.1.25",
33
+ version: "2.1.26-canary.v20260610182054",
34
34
  environment: process.env.NODE_ENV
35
35
  },
36
36
  telemetry: {
@@ -76,4 +76,4 @@ export {
76
76
  incomingMessageToRequest,
77
77
  requestToProxyRequest
78
78
  };
79
- //# sourceMappingURL=chunk-L77JF5KH.mjs.map
79
+ //# sourceMappingURL=chunk-GS66UZNJ.mjs.map
package/dist/index.js CHANGED
@@ -65,7 +65,7 @@ var loadApiEnv = () => {
65
65
  jwtKey: process.env.CLERK_JWT_KEY || "",
66
66
  sdkMetadata: {
67
67
  name: "@clerk/express",
68
- version: "2.1.25",
68
+ version: "2.1.26-canary.v20260610182054",
69
69
  environment: process.env.NODE_ENV
70
70
  },
71
71
  telemetry: {
@@ -111,7 +111,7 @@ var clerkClient = new Proxy(clerkClientSingleton, {
111
111
  return clerkClientSingleton[property];
112
112
  }
113
113
  const env = { ...loadApiEnv(), ...loadClientEnv() };
114
- const client = (0, import_backend.createClerkClient)({ ...env, userAgent: `${"@clerk/express"}@${"2.1.25"}` });
114
+ const client = (0, import_backend.createClerkClient)({ ...env, userAgent: `${"@clerk/express"}@${"2.1.26-canary.v20260610182054"}` });
115
115
  if (env.secretKey) {
116
116
  clerkClientSingleton = client;
117
117
  }
@@ -231,7 +231,7 @@ var resolveDefaultClerkClient = (options) => {
231
231
  ...env,
232
232
  ...options.apiUrl ? { apiUrl: options.apiUrl } : {},
233
233
  ...options.apiVersion ? { apiVersion: options.apiVersion } : {},
234
- userAgent: `${"@clerk/express"}@${"2.1.25"}`
234
+ userAgent: `${"@clerk/express"}@${"2.1.26-canary.v20260610182054"}`
235
235
  });
236
236
  };
237
237
  var authenticateAndDecorateRequest = (options = {}) => {
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/utils.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\n/**\n * Brand attached to the `req.auth` handler installed by Clerk middleware.\n * `req.auth` is a property name shared with other auth libraries (express-jwt,\n * passport, express-openid-connect), so its mere presence proves nothing about\n * whether Clerk authenticated the request. `Symbol.for` registers the brand\n * globally so it stays stable across multiple copies of this package loaded in\n * the same process.\n */\nconst clerkAuthBrand = Symbol.for('@clerk/express.auth');\n\nexport const brandRequestAuth = <T extends (...args: never[]) => unknown>(authHandler: T): T =>\n Object.assign(authHandler, { [clerkAuthBrand]: true });\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n const auth = (req as Partial<ExpressRequestWithAuth>).auth;\n return typeof auth === 'function' && (auth as unknown as Record<symbol, unknown>)[clerkAuthBrand] === true;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { logger } from '@clerk/shared/logger';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions } from './types';\nimport {\n brandRequestAuth,\n incomingMessageToRequest,\n loadApiEnv,\n loadClientEnv,\n requestHasAuthObject,\n requestToProxyRequest,\n} from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n // Skip authentication only when a Clerk middleware has already processed\n // this request. The brand check matters: a truthy `req.auth` is not proof\n // of that, since express-jwt, passport and other libraries set the same\n // property, and treating their value as ours would silently disable Clerk\n // authentication.\n if (requestHasAuthObject(request)) {\n return next();\n }\n\n if ('auth' in request) {\n logger.warnOnce(\n 'Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property.',\n );\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = brandRequestAuth((opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts));\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAc,2BAAd;;;ACCA,qBAAkC;;;ACDlC,wBAAyB;AAEzB,oBAAyB;AAYzB,IAAM,iBAAiB,uBAAO,IAAI,qBAAqB;AAEhD,IAAM,mBAAmB,CAA0C,gBACxE,OAAO,OAAO,aAAa,EAAE,CAAC,cAAc,GAAG,KAAK,CAAC;AAEhD,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,QAAM,OAAQ,IAAwC;AACtD,SAAO,OAAO,SAAS,cAAe,KAA4C,cAAc,MAAM;AACxG;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,iBAAa,4BAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,cAAU,4BAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,WAAO,4BAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,uBAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;;;AD3FA,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,aAAS,kCAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,QAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AE3BD,IAAAA,kBAAkC;AAElC,sBAA+C;AAC/C,mBAAgF;AAChF,kBAA2C;AAC3C,oBAAuB;AACvB,IAAAC,gBAAmE;AACnE,IAAAC,gBAAgC;AAEhC,IAAAC,iBAAyB;;;ACTzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADYrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,mBAAe,oCAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,kBAAc,+BAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,aAAS,+BAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,QACf,+BAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,KAAC,6BAAc,SAAS,SAAK,wCAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,2BAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,KAAC,+BAAgB,qBAAqB,KAAK,KAAC,kCAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,aAAO,mCAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,QAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,gBAAY,mCAAqB,kBAAkB,QAAQ,+BAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AAMpE,QAAI,qBAAqB,OAAO,GAAG;AACjC,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,UAAU,SAAS;AACrB,2BAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,UAAM,oCAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,wBAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,iBAAiB,CAAC,SAAoD,aAAa,OAAO,IAAI,CAAC;AAE5G,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEpOO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,IAAAC,mBAA8C;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,aAAO,gDAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,wBAA2B;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["import_backend","import_proxy","import_utils","import_stream","clerkClient","import_internal"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/utils.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { isTruthy } from '@clerk/shared/underscore';\nimport type { Request as ExpressRequest } from 'express';\nimport { Readable } from 'stream';\n\nimport type { ExpressRequestWithAuth } from './types';\n\n/**\n * Brand attached to the `req.auth` handler installed by Clerk middleware.\n * `req.auth` is a property name shared with other auth libraries (express-jwt,\n * passport, express-openid-connect), so its mere presence proves nothing about\n * whether Clerk authenticated the request. `Symbol.for` registers the brand\n * globally so it stays stable across multiple copies of this package loaded in\n * the same process.\n */\nconst clerkAuthBrand = Symbol.for('@clerk/express.auth');\n\nexport const brandRequestAuth = <T extends (...args: never[]) => unknown>(authHandler: T): T =>\n Object.assign(authHandler, { [clerkAuthBrand]: true });\n\nexport const requestHasAuthObject = (req: ExpressRequest): req is ExpressRequestWithAuth => {\n const auth = (req as Partial<ExpressRequestWithAuth>).auth;\n return typeof auth === 'function' && (auth as unknown as Record<symbol, unknown>)[clerkAuthBrand] === true;\n};\n\nexport const loadClientEnv = () => {\n return {\n publishableKey: process.env.CLERK_PUBLISHABLE_KEY || '',\n __internal_clerkJSUrl: process.env.CLERK_JS || process.env.CLERK_JS_URL || '',\n __internal_clerkJSVersion: process.env.CLERK_JS_VERSION || '',\n __internal_clerkUIUrl: process.env.CLERK_UI_URL || '',\n __internal_clerkUIVersion: process.env.CLERK_UI_VERSION || '',\n prefetchUI: process.env.CLERK_PREFETCH_UI === 'false' ? false : undefined,\n };\n};\n\nexport const loadApiEnv = () => {\n return {\n secretKey: process.env.CLERK_SECRET_KEY || '',\n machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY || '',\n apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.com',\n apiVersion: process.env.CLERK_API_VERSION || 'v1',\n domain: process.env.CLERK_DOMAIN || '',\n proxyUrl: process.env.CLERK_PROXY_URL || '',\n signInUrl: process.env.CLERK_SIGN_IN_URL || '',\n isSatellite: isTruthy(process.env.CLERK_IS_SATELLITE),\n jwtKey: process.env.CLERK_JWT_KEY || '',\n sdkMetadata: {\n name: PACKAGE_NAME,\n version: PACKAGE_VERSION,\n environment: process.env.NODE_ENV,\n },\n telemetry: {\n disabled: isTruthy(process.env.CLERK_TELEMETRY_DISABLED),\n debug: isTruthy(process.env.CLERK_TELEMETRY_DEBUG),\n },\n };\n};\n\nexport const incomingMessageToRequest = (req: ExpressRequest): Request => {\n const headers = Object.keys(req.headers).reduce((acc, key) => Object.assign(acc, { [key]: req?.headers[key] }), {});\n // @ts-ignore Optimistic attempt to get the protocol in case\n // req extends IncomingMessage in a useful way. No guarantee\n // it'll work.\n const protocol = req.connection?.encrypted ? 'https' : 'http';\n const dummyOriginReqUrl = new URL(req.originalUrl || req.url || '', `${protocol}://clerk-dummy`);\n return new Request(dummyOriginReqUrl, {\n method: req.method,\n headers: new Headers(headers),\n });\n};\n\n/**\n * Converts an Express request to a Fetch API Request with body streaming support.\n * This is used for proxying requests where the body needs to be forwarded.\n */\nexport const requestToProxyRequest = (req: ExpressRequest): Request => {\n const headers = new Headers();\n Object.entries(req.headers).forEach(([key, value]) => {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value);\n }\n });\n\n const protocol = req.protocol || (req.secure ? 'https' : 'http');\n const host = req.get('host') || 'localhost';\n const url = new URL(req.originalUrl || req.url, `${protocol}://${host}`);\n\n const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);\n\n return new Request(url.toString(), {\n method: req.method,\n headers,\n body: hasBody ? (Readable.toWeb(req) as ReadableStream) : undefined,\n // @ts-expect-error - duplex required for streaming bodies but not in all TS definitions\n duplex: hasBody ? 'half' : undefined,\n });\n};\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { logger } from '@clerk/shared/logger';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions } from './types';\nimport {\n brandRequestAuth,\n incomingMessageToRequest,\n loadApiEnv,\n loadClientEnv,\n requestHasAuthObject,\n requestToProxyRequest,\n} from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n // Skip authentication only when a Clerk middleware has already processed\n // this request. The brand check matters: a truthy `req.auth` is not proof\n // of that, since express-jwt, passport and other libraries set the same\n // property, and treating their value as ours would silently disable Clerk\n // authentication.\n if (requestHasAuthObject(request)) {\n return next();\n }\n\n if ('auth' in request) {\n logger.warnOnce(\n 'Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property.',\n );\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = brandRequestAuth((opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts));\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAc,2BAAd;;;ACCA,qBAAkC;;;ACDlC,wBAAyB;AAEzB,oBAAyB;AAYzB,IAAM,iBAAiB,uBAAO,IAAI,qBAAqB;AAEhD,IAAM,mBAAmB,CAA0C,gBACxE,OAAO,OAAO,aAAa,EAAE,CAAC,cAAc,GAAG,KAAK,CAAC;AAEhD,IAAM,uBAAuB,CAAC,QAAuD;AAC1F,QAAM,OAAQ,IAAwC;AACtD,SAAO,OAAO,SAAS,cAAe,KAA4C,cAAc,MAAM;AACxG;AAEO,IAAM,gBAAgB,MAAM;AACjC,SAAO;AAAA,IACL,gBAAgB,QAAQ,IAAI,yBAAyB;AAAA,IACrD,uBAAuB,QAAQ,IAAI,YAAY,QAAQ,IAAI,gBAAgB;AAAA,IAC3E,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,uBAAuB,QAAQ,IAAI,gBAAgB;AAAA,IACnD,2BAA2B,QAAQ,IAAI,oBAAoB;AAAA,IAC3D,YAAY,QAAQ,IAAI,sBAAsB,UAAU,QAAQ;AAAA,EAClE;AACF;AAEO,IAAM,aAAa,MAAM;AAC9B,SAAO;AAAA,IACL,WAAW,QAAQ,IAAI,oBAAoB;AAAA,IAC3C,kBAAkB,QAAQ,IAAI,4BAA4B;AAAA,IAC1D,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,YAAY,QAAQ,IAAI,qBAAqB;AAAA,IAC7C,QAAQ,QAAQ,IAAI,gBAAgB;AAAA,IACpC,UAAU,QAAQ,IAAI,mBAAmB;AAAA,IACzC,WAAW,QAAQ,IAAI,qBAAqB;AAAA,IAC5C,iBAAa,4BAAS,QAAQ,IAAI,kBAAkB;AAAA,IACpD,QAAQ,QAAQ,IAAI,iBAAiB;AAAA,IACrC,aAAa;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa,QAAQ,IAAI;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,MACT,cAAU,4BAAS,QAAQ,IAAI,wBAAwB;AAAA,MACvD,WAAO,4BAAS,QAAQ,IAAI,qBAAqB;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,2BAA2B,CAAC,QAAiC;AACxE,QAAM,UAAU,OAAO,KAAK,IAAI,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,OAAO,OAAO,KAAK,EAAE,CAAC,GAAG,GAAG,KAAK,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;AAIlH,QAAM,WAAW,IAAI,YAAY,YAAY,UAAU;AACvD,QAAM,oBAAoB,IAAI,IAAI,IAAI,eAAe,IAAI,OAAO,IAAI,GAAG,QAAQ,gBAAgB;AAC/F,SAAO,IAAI,QAAQ,mBAAmB;AAAA,IACpC,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI,QAAQ,OAAO;AAAA,EAC9B,CAAC;AACH;AAMO,IAAM,wBAAwB,CAAC,QAAiC;AACrE,QAAM,UAAU,IAAI,QAAQ;AAC5B,SAAO,QAAQ,IAAI,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,QAAI,OAAO;AACT,cAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,IAClE;AAAA,EACF,CAAC;AAED,QAAM,WAAW,IAAI,aAAa,IAAI,SAAS,UAAU;AACzD,QAAM,OAAO,IAAI,IAAI,MAAM,KAAK;AAChC,QAAM,MAAM,IAAI,IAAI,IAAI,eAAe,IAAI,KAAK,GAAG,QAAQ,MAAM,IAAI,EAAE;AAEvE,QAAM,UAAU,CAAC,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI,MAAM;AAE5D,SAAO,IAAI,QAAQ,IAAI,SAAS,GAAG;AAAA,IACjC,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA,MAAM,UAAW,uBAAS,MAAM,GAAG,IAAuB;AAAA;AAAA,IAE1D,QAAQ,UAAU,SAAS;AAAA,EAC7B,CAAC;AACH;;;AD3FA,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,aAAS,kCAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,+BAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AE3BD,IAAAA,kBAAkC;AAElC,sBAA+C;AAC/C,mBAAgF;AAChF,kBAA2C;AAC3C,oBAAuB;AACvB,IAAAC,gBAAmE;AACnE,IAAAC,gBAAgC;AAEhC,IAAAC,iBAAyB;;;ACTzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADYrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,mBAAe,oCAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,kBAAc,+BAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,aAAS,+BAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,QACf,+BAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,KAAC,6BAAc,SAAS,SAAK,wCAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,2BAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,KAAC,+BAAgB,qBAAqB,KAAK,KAAC,kCAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,aAAO,mCAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,+BAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMA,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,gBAAY,mCAAqB,kBAAkB,QAAQ,+BAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AAMpE,QAAI,qBAAqB,OAAO,GAAG;AACjC,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,UAAU,SAAS;AACrB,2BAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,UAAM,oCAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,wBAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,iBAAiB,CAAC,SAAoD,aAAa,OAAO,IAAI,CAAC;AAE5G,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEpOO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,IAAAC,mBAA8C;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,aAAO,gDAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,wBAA2B;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["import_backend","import_proxy","import_utils","import_stream","clerkClient","import_internal"]}
package/dist/index.mjs CHANGED
@@ -5,7 +5,7 @@ import {
5
5
  loadClientEnv,
6
6
  requestHasAuthObject,
7
7
  requestToProxyRequest
8
- } from "./chunk-L77JF5KH.mjs";
8
+ } from "./chunk-GS66UZNJ.mjs";
9
9
 
10
10
  // src/index.ts
11
11
  export * from "@clerk/backend";
@@ -19,7 +19,7 @@ var clerkClient = new Proxy(clerkClientSingleton, {
19
19
  return clerkClientSingleton[property];
20
20
  }
21
21
  const env = { ...loadApiEnv(), ...loadClientEnv() };
22
- const client = createClerkClient({ ...env, userAgent: `${"@clerk/express"}@${"2.1.25"}` });
22
+ const client = createClerkClient({ ...env, userAgent: `${"@clerk/express"}@${"2.1.26-canary.v20260610182054"}` });
23
23
  if (env.secretKey) {
24
24
  clerkClientSingleton = client;
25
25
  }
@@ -139,7 +139,7 @@ var resolveDefaultClerkClient = (options) => {
139
139
  ...env,
140
140
  ...options.apiUrl ? { apiUrl: options.apiUrl } : {},
141
141
  ...options.apiVersion ? { apiVersion: options.apiVersion } : {},
142
- userAgent: `${"@clerk/express"}@${"2.1.25"}`
142
+ userAgent: `${"@clerk/express"}@${"2.1.26-canary.v20260610182054"}`
143
143
  });
144
144
  };
145
145
  var authenticateAndDecorateRequest = (options = {}) => {
package/dist/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { logger } from '@clerk/shared/logger';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions } from './types';\nimport {\n brandRequestAuth,\n incomingMessageToRequest,\n loadApiEnv,\n loadClientEnv,\n requestHasAuthObject,\n requestToProxyRequest,\n} from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n // Skip authentication only when a Clerk middleware has already processed\n // this request. The brand check matters: a truthy `req.auth` is not proof\n // of that, since express-jwt, passport and other libraries set the same\n // property, and treating their value as ours would silently disable Clerk\n // authentication.\n if (requestHasAuthObject(request)) {\n return next();\n }\n\n if ('auth' in request) {\n logger.warnOnce(\n 'Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property.',\n );\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = brandRequestAuth((opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts));\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;AAAA,cAAc;;;ACCd,SAAS,yBAAyB;AAIlC,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,SAAS,kBAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,QAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AC3BD,SAAS,qBAAAA,0BAAyB;AAElC,SAAS,YAAY,0BAA0B;AAC/C,SAAS,uBAAuB,oBAAoB,4BAA4B;AAChF,SAAS,kCAAkC;AAC3C,SAAS,cAAc;AACvB,SAAS,eAAe,oBAAoB,uBAAuB;AACnE,SAAS,uBAAuB;AAEhC,SAAS,gBAAgB;;;ACTzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADYrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,eAAe,mBAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,cAAc,gBAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,SAAS,gBAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,IACf,gBAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,CAAC,cAAc,SAAS,KAAK,2BAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,WAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,CAAC,gBAAgB,qBAAqB,KAAK,CAAC,mBAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,SAAOC,mBAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,QAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMD,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,YAAY,qBAAqB,kBAAkB,QAAQ,kBAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AAMpE,QAAI,qBAAqB,OAAO,GAAG;AACjC,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,UAAU,SAAS;AACrB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,MAAM,sBAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,SAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,iBAAiB,CAAC,SAAoD,aAAa,OAAO,IAAI,CAAC;AAE5G,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEpOO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,SAAS,qCAAqC;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,SAAO,8BAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,SAAS,kBAAkB;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["createClerkClient","clerkClient","createClerkClient"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/clerkClient.ts","../src/authenticateRequest.ts","../src/errors.ts","../src/clerkMiddleware.ts","../src/getAuth.ts","../src/requireAuth.ts"],"sourcesContent":["export * from '@clerk/backend';\n\nexport { clerkClient } from './clerkClient';\n\nexport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback, ExpressRequestWithAuth } from './types';\nexport { clerkMiddleware } from './clerkMiddleware';\nexport { getAuth } from './getAuth';\nexport { requireAuth } from './requireAuth';\nexport { authenticateRequest } from './authenticateRequest';\n","import type { ClerkClient } from '@clerk/backend';\nimport { createClerkClient } from '@clerk/backend';\n\nimport { loadApiEnv, loadClientEnv } from './utils';\n\nlet clerkClientSingleton = {} as unknown as ClerkClient;\n\nexport const clerkClient = new Proxy(clerkClientSingleton, {\n get(_target, property: keyof ClerkClient) {\n if (property in clerkClientSingleton) {\n return clerkClientSingleton[property];\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const client = createClerkClient({ ...env, userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}` });\n\n // if the client is initialized properly, cache it to a singleton instance variable\n // in the next invocation the guard at the top will be triggered instead of creating another instance\n if (env.secretKey) {\n clerkClientSingleton = client;\n }\n\n return client[property];\n },\n set() {\n return false;\n },\n});\n","import { createClerkClient } from '@clerk/backend';\nimport type { RequestState } from '@clerk/backend/internal';\nimport { AuthStatus, createClerkRequest } from '@clerk/backend/internal';\nimport { clerkFrontendApiProxy, DEFAULT_PROXY_PATH, stripTrailingSlashes } from '@clerk/backend/proxy';\nimport { isDevelopmentFromSecretKey } from '@clerk/shared/keys';\nimport { logger } from '@clerk/shared/logger';\nimport { isHttpOrHttps, isProxyUrlRelative, isValidProxyUrl } from '@clerk/shared/proxy';\nimport { handleValueOrFn } from '@clerk/shared/utils';\nimport type { RequestHandler, Response } from 'express';\nimport { Readable } from 'stream';\n\nimport { clerkClient as defaultClerkClient } from './clerkClient';\nimport { satelliteAndMissingProxyUrlAndDomain, satelliteAndMissingSignInUrl } from './errors';\nimport type { AuthenticateRequestParams, ClerkMiddlewareOptions } from './types';\nimport {\n brandRequestAuth,\n incomingMessageToRequest,\n loadApiEnv,\n loadClientEnv,\n requestHasAuthObject,\n requestToProxyRequest,\n} from './utils';\n\n/**\n * @internal\n * Authenticates an Express request by wrapping clerkClient.authenticateRequest and\n * converts the express request object into a standard web request object\n *\n * @param opts - Configuration options for request authentication\n * @param opts.clerkClient - The Clerk client instance to use for authentication\n * @param opts.request - The Express request object to authenticate\n * @param opts.options - Optional middleware configuration options\n */\nexport const authenticateRequest = (opts: AuthenticateRequestParams) => {\n const { clerkClient, request, options } = opts;\n // Peel off middleware-only keys and the few options that need middleware-side\n // resolution (env fallbacks, URL normalization). Everything else is spread\n // straight through, so new AuthenticateRequestOptions/VerifyTokenOptions\n // fields flow to the backend without another code change here.\n const {\n clerkClient: _clerkClient,\n debug: _debug,\n frontendApiProxy: _frontendApiProxy,\n isSatellite: isSatelliteInput,\n domain: domainInput,\n signInUrl: signInUrlInput,\n proxyUrl: proxyUrlInput,\n secretKey: secretKeyInput,\n machineSecretKey: machineSecretKeyInput,\n publishableKey: publishableKeyInput,\n ...restOptions\n } = options || {};\n\n const clerkRequest = createClerkRequest(incomingMessageToRequest(request));\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n\n const secretKey = secretKeyInput || env.secretKey;\n const machineSecretKey = machineSecretKeyInput || env.machineSecretKey;\n const publishableKey = publishableKeyInput || env.publishableKey;\n\n const isSatellite = handleValueOrFn(isSatelliteInput, clerkRequest.clerkUrl, env.isSatellite);\n const domain = handleValueOrFn(domainInput, clerkRequest.clerkUrl) || env.domain;\n const signInUrl = signInUrlInput || env.signInUrl;\n const proxyUrl = absoluteProxyUrl(\n handleValueOrFn(proxyUrlInput, clerkRequest.clerkUrl, env.proxyUrl),\n clerkRequest.clerkUrl.toString(),\n );\n\n if (isSatellite && !proxyUrl && !domain) {\n throw new Error(satelliteAndMissingProxyUrlAndDomain);\n }\n\n if (isSatellite && !isHttpOrHttps(signInUrl) && isDevelopmentFromSecretKey(secretKey || '')) {\n throw new Error(satelliteAndMissingSignInUrl);\n }\n\n return clerkClient.authenticateRequest(clerkRequest, {\n ...restOptions,\n secretKey,\n machineSecretKey,\n publishableKey,\n proxyUrl,\n isSatellite,\n domain,\n signInUrl,\n });\n};\n\nconst setResponseHeaders = (requestState: RequestState, res: Response): Error | undefined => {\n if (requestState.headers) {\n requestState.headers.forEach((value, key) => res.appendHeader(key, value));\n }\n return setResponseForHandshake(requestState, res);\n};\n\n/**\n * Depending on the auth state of the request, handles applying redirects and validating that a handshake state was properly handled.\n *\n * Returns an error if state is handshake without a redirect, otherwise returns undefined. res.writableEnded should be checked after this method is called.\n */\nconst setResponseForHandshake = (requestState: RequestState, res: Response): Error | undefined => {\n const hasLocationHeader = requestState.headers.get('location');\n if (hasLocationHeader) {\n // triggering a handshake redirect\n res.status(307).end();\n return;\n }\n\n if (requestState.status === AuthStatus.Handshake) {\n return new Error('Clerk: unexpected handshake without redirect');\n }\n\n return;\n};\n\nconst absoluteProxyUrl = (relativeOrAbsoluteUrl: string, baseUrl: string): string => {\n if (!relativeOrAbsoluteUrl || !isValidProxyUrl(relativeOrAbsoluteUrl) || !isProxyUrlRelative(relativeOrAbsoluteUrl)) {\n return relativeOrAbsoluteUrl;\n }\n return new URL(relativeOrAbsoluteUrl, baseUrl).toString();\n};\n\n// `apiUrl` and `apiVersion` are pinned at client construction time inside\n// `@clerk/backend`'s `createAuthenticateRequest` factory (build-time values\n// override runtime ones). The default singleton in `./clerkClient` is built\n// from env only, so passing these via `clerkMiddleware()` would be silently\n// ignored. When the caller hasn't supplied their own `clerkClient` but did\n// pass `apiUrl`/`apiVersion`, build a per-middleware client with those values.\nconst resolveDefaultClerkClient = (options: ClerkMiddlewareOptions) => {\n if (!options.apiUrl && !options.apiVersion) {\n return defaultClerkClient;\n }\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n return createClerkClient({\n ...env,\n ...(options.apiUrl ? { apiUrl: options.apiUrl } : {}),\n ...(options.apiVersion ? { apiVersion: options.apiVersion } : {}),\n userAgent: `${PACKAGE_NAME}@${PACKAGE_VERSION}`,\n });\n};\n\nexport const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const clerkClient = options.clerkClient || resolveDefaultClerkClient(options);\n\n // Extract proxy configuration\n const frontendApiProxy = options.frontendApiProxy;\n const proxyPath = stripTrailingSlashes(frontendApiProxy?.path ?? DEFAULT_PROXY_PATH) || DEFAULT_PROXY_PATH;\n\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const middleware: RequestHandler = async (request, response, next) => {\n // Skip authentication only when a Clerk middleware has already processed\n // this request. The brand check matters: a truthy `req.auth` is not proof\n // of that, since express-jwt, passport and other libraries set the same\n // property, and treating their value as ours would silently disable Clerk\n // authentication.\n if (requestHasAuthObject(request)) {\n return next();\n }\n\n if ('auth' in request) {\n logger.warnOnce(\n 'Clerk: another middleware has already set `req.auth` on this request. Clerk authentication will run anyway and overwrite it. To use another auth library alongside Clerk, configure it to store its state on a different request property.',\n );\n }\n\n const env = { ...loadApiEnv(), ...loadClientEnv() };\n const publishableKey = options.publishableKey || env.publishableKey;\n const secretKey = options.secretKey || env.secretKey;\n\n // Handle Frontend API proxy requests early, before authentication\n if (frontendApiProxy) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n\n if (isEnabled && (requestUrl.pathname === proxyPath || requestUrl.pathname.startsWith(proxyPath + '/'))) {\n // Convert Express request to Fetch API Request\n const proxyRequest = requestToProxyRequest(request);\n\n // Call the core proxy function\n const proxyResponse = await clerkFrontendApiProxy(proxyRequest, {\n proxyPath,\n publishableKey,\n secretKey,\n });\n\n // Send the proxy response back to the client\n response.status(proxyResponse.status);\n proxyResponse.headers.forEach((value, key) => {\n response.setHeader(key, value);\n });\n\n if (proxyResponse.body) {\n const reader = proxyResponse.body.getReader();\n const stream = new Readable({\n async read() {\n try {\n const { done, value } = await reader.read();\n if (done) {\n this.push(null);\n } else {\n this.push(Buffer.from(value));\n }\n } catch (error) {\n this.destroy(error instanceof Error ? error : new Error(String(error)));\n }\n },\n });\n stream.pipe(response);\n } else {\n response.end();\n }\n return;\n }\n }\n\n // Pass the proxy path to authenticateRequest - the backend resolves it\n // against the request's public origin (from x-forwarded-* headers).\n let resolvedOptions = options;\n if (frontendApiProxy && !options.proxyUrl) {\n const requestUrl = new URL(request.originalUrl || request.url, `http://${request.headers.host}`);\n const isProxyEnabled =\n typeof frontendApiProxy.enabled === 'function'\n ? frontendApiProxy.enabled(requestUrl)\n : frontendApiProxy.enabled;\n if (isProxyEnabled) {\n resolvedOptions = { ...options, proxyUrl: proxyPath };\n }\n }\n\n try {\n const requestState = await authenticateRequest({\n clerkClient,\n request,\n options: resolvedOptions,\n });\n\n const err = setResponseHeaders(requestState, response);\n if (err) {\n return next(err);\n }\n if (response.writableEnded) {\n return;\n }\n\n const auth = brandRequestAuth((opts: Parameters<typeof requestState.toAuth>[0]) => requestState.toAuth(opts));\n\n Object.assign(request, { auth });\n\n next();\n } catch (err) {\n next(err);\n }\n };\n\n return middleware;\n};\n","const createErrorMessage = (msg: string) => {\n return `🔒 Clerk: ${msg.trim()}\n\n For more info, check out the docs: https://clerk.com/docs,\n or come say hi in our discord server: https://clerk.com/discord\n `;\n};\n\nexport const middlewareRequired = (fnName: string) =>\n createErrorMessage(`The \"clerkMiddleware\" should be registered before using \"${fnName}\".\nExample:\n\nimport express from 'express';\nimport { clerkMiddleware } from '@clerk/express';\n\nconst app = express();\napp.use(clerkMiddleware());\n`);\n\nexport const satelliteAndMissingProxyUrlAndDomain =\n 'Missing domain and proxyUrl. A satellite application needs to specify a domain or a proxyUrl';\nexport const satelliteAndMissingSignInUrl = `\nInvalid signInUrl. A satellite application requires a signInUrl for development instances.\nCheck if signInUrl is missing from your configuration or if it is not an absolute URL.`;\n","import type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ClerkMiddlewareOptionsCallback } from './types';\n\n/**\n * Middleware that integrates Clerk authentication into your Express application.\n * It checks the request's cookies and headers for a session JWT and, if found,\n * attaches the Auth object to the request object under the `auth` key.\n *\n * Accepts either a static options object or a callback that receives the request\n * and returns options. The callback form is useful for multi-domain setups where\n * the publishable key differs per domain.\n *\n * @example\n * app.use(clerkMiddleware(options));\n *\n * @example\n * const clerkClient = createClerkClient({ ... });\n * app.use(clerkMiddleware({ clerkClient }));\n *\n * @example\n * app.use(clerkMiddleware());\n *\n * @example\n * // Dynamic keys per domain\n * app.use(clerkMiddleware((req) => ({\n * publishableKey: req.hostname === 'example.com' ? PK_A : PK_B,\n * })));\n */\nexport const clerkMiddleware = (\n options: ClerkMiddlewareOptions | ClerkMiddlewareOptionsCallback = {},\n): RequestHandler => {\n if (typeof options !== 'function') {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n return (request, response, next) => {\n authMiddleware(request, response, next);\n };\n }\n\n return async (request, response, next) => {\n try {\n const resolvedOptions = await options(request);\n const handler = authenticateAndDecorateRequest({\n ...resolvedOptions,\n acceptsToken: 'any',\n });\n handler(request, response, next);\n } catch (err) {\n next(err);\n }\n };\n};\n","import type { AuthOptions, GetAuthFn } from '@clerk/backend/internal';\nimport { getAuthObjectForAcceptedToken } from '@clerk/backend/internal';\nimport type { Request as ExpressRequest } from 'express';\n\nimport { middlewareRequired } from './errors';\nimport { requestHasAuthObject } from './utils';\n\n/**\n * Retrieves the Clerk AuthObject using the current request object.\n *\n * @param {GetAuthOptions} options - Optional configuration for retrieving auth object.\n * @returns {AuthObject} Object with information about the request state and claims.\n * @throws {Error} `clerkMiddleware` or `requireAuth` is required to be set in the middleware chain before this util is used.\n */\nexport const getAuth: GetAuthFn<ExpressRequest> = ((req: ExpressRequest, options?: AuthOptions) => {\n if (!requestHasAuthObject(req)) {\n throw new Error(middlewareRequired('getAuth'));\n }\n\n const authObject = req.auth(options);\n\n return getAuthObjectForAcceptedToken({ authObject, acceptsToken: options?.acceptsToken });\n}) as GetAuthFn<ExpressRequest>;\n","import { deprecated } from '@clerk/shared/deprecated';\nimport type { RequestHandler } from 'express';\n\nimport { authenticateAndDecorateRequest } from './authenticateRequest';\nimport type { ClerkMiddlewareOptions, ExpressRequestWithAuth } from './types';\n\n/**\n * Middleware to require authentication for user requests.\n * Redirects unauthenticated requests to the sign-in url.\n *\n * @deprecated Use `clerkMiddleware()` with `getAuth()` instead.\n * `requireAuth` will be removed in the next major version.\n *\n * @example\n * // Before (deprecated)\n * import { requireAuth } from '@clerk/express'\n * router.get('/path', requireAuth(), getHandler)\n *\n * @example\n * // After (recommended)\n * import { clerkMiddleware, getAuth } from '@clerk/express'\n *\n * app.use(clerkMiddleware())\n *\n * app.get('/api/protected', (req, res) => {\n * const { userId } = getAuth(req);\n * if (!userId) {\n * return res.status(401).json({ error: 'Unauthorized' });\n * }\n * // handle authenticated request\n * })\n */\nexport const requireAuth = (options: ClerkMiddlewareOptions = {}): RequestHandler => {\n const authMiddleware = authenticateAndDecorateRequest({\n ...options,\n acceptsToken: 'any',\n });\n\n return (request, response, next) => {\n deprecated(\n 'requireAuth',\n 'Use `clerkMiddleware()` with `getAuth()` instead. `requireAuth` will be removed in the next major version.',\n );\n\n authMiddleware(request, response, err => {\n if (err) {\n return next(err);\n }\n\n const signInUrl = options.signInUrl || process.env.CLERK_SIGN_IN_URL || '/';\n\n if (!(request as ExpressRequestWithAuth).auth()?.userId) {\n return response.redirect(signInUrl);\n }\n\n next();\n });\n };\n};\n"],"mappings":";;;;;;;;;;AAAA,cAAc;;;ACCd,SAAS,yBAAyB;AAIlC,IAAI,uBAAuB,CAAC;AAErB,IAAM,cAAc,IAAI,MAAM,sBAAsB;AAAA,EACzD,IAAI,SAAS,UAA6B;AACxC,QAAI,YAAY,sBAAsB;AACpC,aAAO,qBAAqB,QAAQ;AAAA,IACtC;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,SAAS,kBAAkB,EAAE,GAAG,KAAK,WAAW,GAAG,gBAAY,IAAI,+BAAe,GAAG,CAAC;AAI5F,QAAI,IAAI,WAAW;AACjB,6BAAuB;AAAA,IACzB;AAEA,WAAO,OAAO,QAAQ;AAAA,EACxB;AAAA,EACA,MAAM;AACJ,WAAO;AAAA,EACT;AACF,CAAC;;;AC3BD,SAAS,qBAAAA,0BAAyB;AAElC,SAAS,YAAY,0BAA0B;AAC/C,SAAS,uBAAuB,oBAAoB,4BAA4B;AAChF,SAAS,kCAAkC;AAC3C,SAAS,cAAc;AACvB,SAAS,eAAe,oBAAoB,uBAAuB;AACnE,SAAS,uBAAuB;AAEhC,SAAS,gBAAgB;;;ACTzB,IAAM,qBAAqB,CAAC,QAAgB;AAC1C,SAAO,oBAAa,IAAI,KAAK,CAAC;AAAA;AAAA;AAAA;AAAA;AAKhC;AAEO,IAAM,qBAAqB,CAAC,WACjC,mBAAmB,4DAA4D,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAQtF;AAEM,IAAM,uCACX;AACK,IAAM,+BAA+B;AAAA;AAAA;;;ADYrC,IAAM,sBAAsB,CAAC,SAAoC;AACtE,QAAM,EAAE,aAAAC,cAAa,SAAS,QAAQ,IAAI;AAK1C,QAAM;AAAA,IACJ,aAAa;AAAA,IACb,OAAO;AAAA,IACP,kBAAkB;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,UAAU;AAAA,IACV,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB,gBAAgB;AAAA,IAChB,GAAG;AAAA,EACL,IAAI,WAAW,CAAC;AAEhB,QAAM,eAAe,mBAAmB,yBAAyB,OAAO,CAAC;AACzE,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAElD,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,mBAAmB,yBAAyB,IAAI;AACtD,QAAM,iBAAiB,uBAAuB,IAAI;AAElD,QAAM,cAAc,gBAAgB,kBAAkB,aAAa,UAAU,IAAI,WAAW;AAC5F,QAAM,SAAS,gBAAgB,aAAa,aAAa,QAAQ,KAAK,IAAI;AAC1E,QAAM,YAAY,kBAAkB,IAAI;AACxC,QAAM,WAAW;AAAA,IACf,gBAAgB,eAAe,aAAa,UAAU,IAAI,QAAQ;AAAA,IAClE,aAAa,SAAS,SAAS;AAAA,EACjC;AAEA,MAAI,eAAe,CAAC,YAAY,CAAC,QAAQ;AACvC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,MAAI,eAAe,CAAC,cAAc,SAAS,KAAK,2BAA2B,aAAa,EAAE,GAAG;AAC3F,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,SAAOA,aAAY,oBAAoB,cAAc;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,IAAM,qBAAqB,CAAC,cAA4B,QAAqC;AAC3F,MAAI,aAAa,SAAS;AACxB,iBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ,IAAI,aAAa,KAAK,KAAK,CAAC;AAAA,EAC3E;AACA,SAAO,wBAAwB,cAAc,GAAG;AAClD;AAOA,IAAM,0BAA0B,CAAC,cAA4B,QAAqC;AAChG,QAAM,oBAAoB,aAAa,QAAQ,IAAI,UAAU;AAC7D,MAAI,mBAAmB;AAErB,QAAI,OAAO,GAAG,EAAE,IAAI;AACpB;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,WAAW,WAAW;AAChD,WAAO,IAAI,MAAM,8CAA8C;AAAA,EACjE;AAEA;AACF;AAEA,IAAM,mBAAmB,CAAC,uBAA+B,YAA4B;AACnF,MAAI,CAAC,yBAAyB,CAAC,gBAAgB,qBAAqB,KAAK,CAAC,mBAAmB,qBAAqB,GAAG;AACnH,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,uBAAuB,OAAO,EAAE,SAAS;AAC1D;AAQA,IAAM,4BAA4B,CAAC,YAAoC;AACrE,MAAI,CAAC,QAAQ,UAAU,CAAC,QAAQ,YAAY;AAC1C,WAAO;AAAA,EACT;AACA,QAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,SAAOC,mBAAkB;AAAA,IACvB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACnD,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/D,WAAW,GAAG,gBAAY,IAAI,+BAAe;AAAA,EAC/C,CAAC;AACH;AAEO,IAAM,iCAAiC,CAAC,UAAkC,CAAC,MAAsB;AACtG,QAAMD,eAAc,QAAQ,eAAe,0BAA0B,OAAO;AAG5E,QAAM,mBAAmB,QAAQ;AACjC,QAAM,YAAY,qBAAqB,kBAAkB,QAAQ,kBAAkB,KAAK;AAGxF,QAAM,aAA6B,OAAO,SAAS,UAAU,SAAS;AAMpE,QAAI,qBAAqB,OAAO,GAAG;AACjC,aAAO,KAAK;AAAA,IACd;AAEA,QAAI,UAAU,SAAS;AACrB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,EAAE,GAAG,WAAW,GAAG,GAAG,cAAc,EAAE;AAClD,UAAM,iBAAiB,QAAQ,kBAAkB,IAAI;AACrD,UAAM,YAAY,QAAQ,aAAa,IAAI;AAG3C,QAAI,kBAAkB;AACpB,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,YACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AAEvB,UAAI,cAAc,WAAW,aAAa,aAAa,WAAW,SAAS,WAAW,YAAY,GAAG,IAAI;AAEvG,cAAM,eAAe,sBAAsB,OAAO;AAGlD,cAAM,gBAAgB,MAAM,sBAAsB,cAAc;AAAA,UAC9D;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAGD,iBAAS,OAAO,cAAc,MAAM;AACpC,sBAAc,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC5C,mBAAS,UAAU,KAAK,KAAK;AAAA,QAC/B,CAAC;AAED,YAAI,cAAc,MAAM;AACtB,gBAAM,SAAS,cAAc,KAAK,UAAU;AAC5C,gBAAM,SAAS,IAAI,SAAS;AAAA,YAC1B,MAAM,OAAO;AACX,kBAAI;AACF,sBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,oBAAI,MAAM;AACR,uBAAK,KAAK,IAAI;AAAA,gBAChB,OAAO;AACL,uBAAK,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,gBAC9B;AAAA,cACF,SAAS,OAAO;AACd,qBAAK,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC,CAAC;AAAA,cACxE;AAAA,YACF;AAAA,UACF,CAAC;AACD,iBAAO,KAAK,QAAQ;AAAA,QACtB,OAAO;AACL,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAAA,IACF;AAIA,QAAI,kBAAkB;AACtB,QAAI,oBAAoB,CAAC,QAAQ,UAAU;AACzC,YAAM,aAAa,IAAI,IAAI,QAAQ,eAAe,QAAQ,KAAK,UAAU,QAAQ,QAAQ,IAAI,EAAE;AAC/F,YAAM,iBACJ,OAAO,iBAAiB,YAAY,aAChC,iBAAiB,QAAQ,UAAU,IACnC,iBAAiB;AACvB,UAAI,gBAAgB;AAClB,0BAAkB,EAAE,GAAG,SAAS,UAAU,UAAU;AAAA,MACtD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,eAAe,MAAM,oBAAoB;AAAA,QAC7C,aAAAA;AAAA,QACA;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,YAAM,MAAM,mBAAmB,cAAc,QAAQ;AACrD,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AACA,UAAI,SAAS,eAAe;AAC1B;AAAA,MACF;AAEA,YAAM,OAAO,iBAAiB,CAAC,SAAoD,aAAa,OAAO,IAAI,CAAC;AAE5G,aAAO,OAAO,SAAS,EAAE,KAAK,CAAC;AAE/B,WAAK;AAAA,IACP,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AACT;;;AEpOO,IAAM,kBAAkB,CAC7B,UAAmE,CAAC,MACjD;AACnB,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,iBAAiB,+BAA+B;AAAA,MACpD,GAAG;AAAA,MACH,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,CAAC,SAAS,UAAU,SAAS;AAClC,qBAAe,SAAS,UAAU,IAAI;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,UAAU,SAAS;AACxC,QAAI;AACF,YAAM,kBAAkB,MAAM,QAAQ,OAAO;AAC7C,YAAM,UAAU,+BAA+B;AAAA,QAC7C,GAAG;AAAA,QACH,cAAc;AAAA,MAChB,CAAC;AACD,cAAQ,SAAS,UAAU,IAAI;AAAA,IACjC,SAAS,KAAK;AACZ,WAAK,GAAG;AAAA,IACV;AAAA,EACF;AACF;;;ACtDA,SAAS,qCAAqC;AAavC,IAAM,WAAsC,CAAC,KAAqB,YAA0B;AACjG,MAAI,CAAC,qBAAqB,GAAG,GAAG;AAC9B,UAAM,IAAI,MAAM,mBAAmB,SAAS,CAAC;AAAA,EAC/C;AAEA,QAAM,aAAa,IAAI,KAAK,OAAO;AAEnC,SAAO,8BAA8B,EAAE,YAAY,cAAc,SAAS,aAAa,CAAC;AAC1F;;;ACtBA,SAAS,kBAAkB;AAgCpB,IAAM,cAAc,CAAC,UAAkC,CAAC,MAAsB;AACnF,QAAM,iBAAiB,+BAA+B;AAAA,IACpD,GAAG;AAAA,IACH,cAAc;AAAA,EAChB,CAAC;AAED,SAAO,CAAC,SAAS,UAAU,SAAS;AAClC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEA,mBAAe,SAAS,UAAU,SAAO;AACvC,UAAI,KAAK;AACP,eAAO,KAAK,GAAG;AAAA,MACjB;AAEA,YAAM,YAAY,QAAQ,aAAa,QAAQ,IAAI,qBAAqB;AAExE,UAAI,CAAE,QAAmC,KAAK,GAAG,QAAQ;AACvD,eAAO,SAAS,SAAS,SAAS;AAAA,MACpC;AAEA,WAAK;AAAA,IACP,CAAC;AAAA,EACH;AACF;","names":["createClerkClient","clerkClient","createClerkClient"]}
package/dist/webhooks.mjs CHANGED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  incomingMessageToRequest
3
- } from "./chunk-L77JF5KH.mjs";
3
+ } from "./chunk-GS66UZNJ.mjs";
4
4
 
5
5
  // src/webhooks.ts
6
6
  import { verifyWebhook as verifyWebhookBase } from "@clerk/backend/webhooks";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@clerk/express",
3
- "version": "2.1.25",
3
+ "version": "2.1.26-canary.v20260610182054",
4
4
  "description": "Clerk server SDK for usage with Express",
5
5
  "keywords": [
6
6
  "clerk",
@@ -62,8 +62,8 @@
62
62
  ],
63
63
  "dependencies": {
64
64
  "tslib": "2.8.1",
65
- "@clerk/backend": "^3.6.1",
66
- "@clerk/shared": "^4.17.0"
65
+ "@clerk/backend": "3.6.2-canary.v20260610182054",
66
+ "@clerk/shared": "4.17.1-canary.v20260610182054"
67
67
  },
68
68
  "devDependencies": {
69
69
  "@types/express": "^4.17.25",