@mastra/auth-clerk 0.10.0

package/dist/index.d.cts

@@ -0,0 +1 @@
+export { MastraAuthClerk } from './_tsup-dts-rollup.cjs';

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { MastraAuthClerk } from './_tsup-dts-rollup.js';

package/dist/index.js

@@ -0,0 +1,364 @@
+import { SpanKind, trace, context, propagation, SpanStatusCode } from './chunk-JLXWUSDO.js';
+import { createClerkClient } from '@clerk/backend';
+import { verifyJwks } from '@mastra/auth';
+
+// ../../packages/core/dist/chunk-EWDGXKOQ.js
+function hasActiveTelemetry(tracerName = "default-tracer") {
+  try {
+    return !!trace.getTracer(tracerName);
+  } catch {
+    return false;
+  }
+}
+function getBaggageValues(ctx) {
+  const currentBaggage = propagation.getBaggage(ctx);
+  const requestId = currentBaggage?.getEntry("http.request_id")?.value;
+  const componentName = currentBaggage?.getEntry("componentName")?.value;
+  const runId = currentBaggage?.getEntry("runId")?.value;
+  return {
+    requestId,
+    componentName,
+    runId
+  };
+}
+function withSpan(options) {
+  return function(_target, propertyKey, descriptor) {
+    if (!descriptor || typeof descriptor === "number") return;
+    const originalMethod = descriptor.value;
+    const methodName = String(propertyKey);
+    descriptor.value = function(...args) {
+      if (options?.skipIfNoTelemetry && !hasActiveTelemetry(options?.tracerName)) {
+        return originalMethod.apply(this, args);
+      }
+      const tracer = trace.getTracer(options?.tracerName ?? "default-tracer");
+      let spanName;
+      let spanKind;
+      if (typeof options === "string") {
+        spanName = options;
+      } else if (options) {
+        spanName = options.spanName || methodName;
+        spanKind = options.spanKind;
+      } else {
+        spanName = methodName;
+      }
+      const span = tracer.startSpan(spanName, { kind: spanKind });
+      let ctx = trace.setSpan(context.active(), span);
+      args.forEach((arg, index) => {
+        try {
+          span.setAttribute(`${spanName}.argument.${index}`, JSON.stringify(arg));
+        } catch {
+          span.setAttribute(`${spanName}.argument.${index}`, "[Not Serializable]");
+        }
+      });
+      const { requestId, componentName, runId } = getBaggageValues(ctx);
+      if (requestId) {
+        span.setAttribute("http.request_id", requestId);
+      }
+      if (componentName) {
+        span.setAttribute("componentName", componentName);
+        span.setAttribute("runId", runId);
+      } else if (this && this.name) {
+        span.setAttribute("componentName", this.name);
+        span.setAttribute("runId", this.runId);
+        ctx = propagation.setBaggage(
+          ctx,
+          propagation.createBaggage({
+            // @ts-ignore
+            componentName: { value: this.name },
+            // @ts-ignore
+            runId: { value: this.runId },
+            // @ts-ignore
+            "http.request_id": { value: requestId }
+          })
+        );
+      }
+      let result;
+      try {
+        result = context.with(ctx, () => originalMethod.apply(this, args));
+        if (result instanceof Promise) {
+          return result.then((resolvedValue) => {
+            try {
+              span.setAttribute(`${spanName}.result`, JSON.stringify(resolvedValue));
+            } catch {
+              span.setAttribute(`${spanName}.result`, "[Not Serializable]");
+            }
+            return resolvedValue;
+          }).finally(() => span.end());
+        }
+        try {
+          span.setAttribute(`${spanName}.result`, JSON.stringify(result));
+        } catch {
+          span.setAttribute(`${spanName}.result`, "[Not Serializable]");
+        }
+        return result;
+      } catch (error) {
+        span.setStatus({
+          code: SpanStatusCode.ERROR,
+          message: error instanceof Error ? error.message : "Unknown error"
+        });
+        if (error instanceof Error) {
+          span.recordException(error);
+        }
+        throw error;
+      } finally {
+        if (!(result instanceof Promise)) {
+          span.end();
+        }
+      }
+    };
+    return descriptor;
+  };
+}
+function InstrumentClass(options) {
+  return function(target) {
+    const methods = Object.getOwnPropertyNames(target.prototype);
+    methods.forEach((method) => {
+      if (options?.excludeMethods?.includes(method) || method === "constructor") return;
+      if (options?.methodFilter && !options.methodFilter(method)) return;
+      const descriptor = Object.getOwnPropertyDescriptor(target.prototype, method);
+      if (descriptor && typeof descriptor.value === "function") {
+        Object.defineProperty(
+          target.prototype,
+          method,
+          withSpan({
+            spanName: options?.prefix ? `${options.prefix}.${method}` : method,
+            skipIfNoTelemetry: true,
+            spanKind: options?.spanKind || SpanKind.INTERNAL,
+            tracerName: options?.tracerName
+          })(target, method, descriptor)
+        );
+      }
+    });
+    return target;
+  };
+}
+
+// ../../packages/core/dist/chunk-XXVGT7SJ.js
+var RegisteredLogger = {
+  LLM: "LLM"};
+var LogLevel = {
+  DEBUG: "debug",
+  INFO: "info",
+  WARN: "warn",
+  ERROR: "error"};
+var MastraLogger = class {
+  name;
+  level;
+  transports;
+  constructor(options = {}) {
+    this.name = options.name || "Mastra";
+    this.level = options.level || LogLevel.ERROR;
+    this.transports = new Map(Object.entries(options.transports || {}));
+  }
+  getTransports() {
+    return this.transports;
+  }
+  async getLogs(transportId) {
+    if (!transportId || !this.transports.has(transportId)) {
+      return [];
+    }
+    return this.transports.get(transportId).getLogs() ?? [];
+  }
+  async getLogsByRunId({ transportId, runId }) {
+    if (!transportId || !this.transports.has(transportId) || !runId) {
+      return [];
+    }
+    return this.transports.get(transportId).getLogsByRunId({ runId }) ?? [];
+  }
+};
+var ConsoleLogger = class extends MastraLogger {
+  constructor(options = {}) {
+    super(options);
+  }
+  debug(message, ...args) {
+    if (this.level === LogLevel.DEBUG) {
+      console.debug(message, ...args);
+    }
+  }
+  info(message, ...args) {
+    if (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
+      console.info(message, ...args);
+    }
+  }
+  warn(message, ...args) {
+    if (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
+      console.warn(message, ...args);
+    }
+  }
+  error(message, ...args) {
+    if (this.level === LogLevel.ERROR || this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
+      console.error(message, ...args);
+    }
+  }
+  async getLogs(_transportId) {
+    return [];
+  }
+  async getLogsByRunId(_args) {
+    return [];
+  }
+};
+
+// ../../packages/core/dist/chunk-JOCKZ2US.js
+var MastraBase = class {
+  component = RegisteredLogger.LLM;
+  logger;
+  name;
+  telemetry;
+  constructor({ component, name }) {
+    this.component = component || RegisteredLogger.LLM;
+    this.name = name;
+    this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });
+  }
+  /**
+   * Set the logger for the agent
+   * @param logger
+   */
+  __setLogger(logger) {
+    this.logger = logger;
+    if (this.component !== RegisteredLogger.LLM) {
+      this.logger.debug(`Logger updated [component=${this.component}] [name=${this.name}]`);
+    }
+  }
+  /**
+   * Set the telemetry for the
+   * @param telemetry
+   */
+  __setTelemetry(telemetry) {
+    this.telemetry = telemetry;
+    if (this.component !== RegisteredLogger.LLM) {
+      this.logger.debug(`Telemetry updated [component=${this.component}] [name=${this.telemetry.name}]`);
+    }
+  }
+  /**
+   * Get the telemetry on the vector
+   * @returns telemetry
+   */
+  __getTelemetry() {
+    return this.telemetry;
+  }
+  /* 
+    get experimental_telemetry config
+    */
+  get experimental_telemetry() {
+    return this.telemetry ? {
+      // tracer: this.telemetry.tracer,
+      tracer: this.telemetry.getBaggageTracer(),
+      isEnabled: !!this.telemetry.tracer
+    } : void 0;
+  }
+};
+
+// ../../packages/core/dist/chunk-C6A6W6XS.js
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __knownSymbol = (name, symbol) => (symbol = Symbol[name]) ? symbol : Symbol.for("Symbol." + name);
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, {
+  enumerable: true,
+  configurable: true,
+  writable: true,
+  value
+}) : obj[key] = value;
+var __name = (target, value) => __defProp(target, "name", {
+  value,
+  configurable: true
+});
+var __decoratorStart = (base) => [, , , __create(base?.[__knownSymbol("metadata")] ?? null)];
+var __decoratorStrings = ["class", "method", "getter", "setter", "accessor", "field", "value", "get", "set"];
+var __expectFn = (fn) => fn !== void 0 && typeof fn !== "function" ? __typeError("Function expected") : fn;
+var __decoratorContext = (kind, name, done, metadata, fns) => ({
+  kind: __decoratorStrings[kind],
+  name,
+  metadata,
+  addInitializer: (fn) => done._ ? __typeError("Already initialized") : fns.push(__expectFn(fn || null))
+});
+var __decoratorMetadata = (array, target) => __defNormalProp(target, __knownSymbol("metadata"), array[3]);
+var __runInitializers = (array, flags, self, value) => {
+  for (var i = 0, fns = array[flags >> 1], n = fns && fns.length; i < n; i++) fns[i].call(self) ;
+  return value;
+};
+var __decorateElement = (array, flags, name, decorators, target, extra) => {
+  var it, done, ctx, k = flags & 7, p = false;
+  var j = 0;
+  var extraInitializers = array[j] || (array[j] = []);
+  var desc = k && ((target = target.prototype), k < 5 && (k > 3 || !p) && __getOwnPropDesc(target , name));
+  __name(target, name);
+  for (var i = decorators.length - 1; i >= 0; i--) {
+    ctx = __decoratorContext(k, name, done = {}, array[3], extraInitializers);
+    it = (0, decorators[i])(target, ctx), done._ = 1;
+    __expectFn(it) && (target = it);
+  }
+  return __decoratorMetadata(array, target), desc && __defProp(target, name, desc), p ? k ^ 4 ? extra : desc : target;
+};
+
+// ../../packages/core/dist/server/index.js
+var _MastraAuthProvider_decorators;
+var _init;
+var _a;
+_MastraAuthProvider_decorators = [InstrumentClass({
+  prefix: "auth",
+  excludeMethods: ["__setTools", "__setLogger", "__setTelemetry", "#log"]
+})];
+var MastraAuthProvider = class extends (_a = MastraBase) {
+  constructor(options) {
+    super({
+      component: "AUTH",
+      name: options?.name
+    });
+    if (options?.authorizeUser) {
+      this.authorizeUser = options.authorizeUser.bind(this);
+    }
+  }
+  registerOptions(opts) {
+    if (opts?.authorizeUser) {
+      this.authorizeUser = opts.authorizeUser.bind(this);
+    }
+  }
+};
+MastraAuthProvider = /* @__PURE__ */ ((_) => {
+  _init = __decoratorStart(_a);
+  MastraAuthProvider = __decorateElement(_init, 0, "MastraAuthProvider", _MastraAuthProvider_decorators, MastraAuthProvider);
+  __runInitializers(_init, 1, MastraAuthProvider);
+  return MastraAuthProvider;
+})();
+
+// src/index.ts
+var MastraAuthClerk = class extends MastraAuthProvider {
+  clerk;
+  jwksUri;
+  constructor(options) {
+    super({ name: options?.name ?? "clerk" });
+    const jwksUri = options?.jwksUri ?? process.env.CLERK_JWKS_URI;
+    const secretKey = options?.secretKey ?? process.env.CLERK_SECRET_KEY;
+    const publishableKey = options?.publishableKey ?? process.env.CLERK_PUBLISHABLE_KEY;
+    if (!jwksUri || !secretKey || !publishableKey) {
+      throw new Error(
+        "Clerk JWKS URI, secret key and publishable key are required, please provide them in the options or set the environment variables CLERK_JWKS_URI, CLERK_SECRET_KEY and CLERK_PUBLISHABLE_KEY"
+      );
+    }
+    this.jwksUri = jwksUri;
+    this.clerk = createClerkClient({
+      secretKey,
+      publishableKey
+    });
+    this.registerOptions(options);
+  }
+  async authenticateToken(token) {
+    const user = await verifyJwks(token, this.jwksUri);
+    return user;
+  }
+  async authorizeUser(user) {
+    if (!user.sub) {
+      return false;
+    }
+    const orgs = await this.clerk.users.getOrganizationMembershipList({
+      userId: user.sub
+    });
+    return orgs.data.length > 0;
+  }
+};
+
+export { MastraAuthClerk };

package/eslint.config.js

@@ -0,0 +1,6 @@
+import { createConfig } from '@internal/lint/eslint';
+
+const config = await createConfig();
+
+/** @type {import("eslint").Linter.Config[]} */
+export default [...config];

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@mastra/auth-clerk",
+  "version": "0.10.0",
+  "description": "Mastra Clerk Auth integration",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "license": "Elastic-2.0",
+  "dependencies": {
+    "@clerk/backend": "^1.32.3",
+    "@mastra/auth": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.1",
+    "eslint": "^9.25.1",
+    "tsup": "^8.4.0",
+    "typescript": "^5.8.3",
+    "vitest": "^2.1.9",
+    "@internal/lint": "0.0.8",
+    "@mastra/core": "0.10.2"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --experimental-dts --clean --treeshake",
+    "build:watch": "pnpm build --watch",
+    "test": "vitest run",
+    "lint": "eslint ."
+  }
+}

package/src/index.test.ts

@@ -0,0 +1,126 @@
+import { createClerkClient } from '@clerk/backend';
+import { verifyJwks } from '@mastra/auth';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { MastraAuthClerk } from './index';
+
+// Mock the external dependencies
+vi.mock('@clerk/backend', () => ({
+  createClerkClient: vi.fn(),
+}));
+
+vi.mock('@mastra/auth', () => ({
+  verifyJwks: vi.fn(),
+}));
+
+describe('MastraAuthClerk', () => {
+  const mockOptions = {
+    jwksUri: 'https://clerk.jwks.uri',
+    secretKey: 'test-secret-key',
+    publishableKey: 'test-publishable-key',
+  };
+
+  const mockClerkClient = {
+    users: {
+      getOrganizationMembershipList: vi.fn(),
+    },
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    (createClerkClient as any).mockReturnValue(mockClerkClient);
+  });
+
+  describe('initialization', () => {
+    it('should initialize with provided options', () => {
+      const auth = new MastraAuthClerk(mockOptions);
+      expect(auth).toBeInstanceOf(MastraAuthClerk);
+      expect(createClerkClient).toHaveBeenCalledWith({
+        secretKey: mockOptions.secretKey,
+        publishableKey: mockOptions.publishableKey,
+      });
+    });
+
+    it('should throw error when required options are missing', () => {
+      expect(() => new MastraAuthClerk({})).toThrow('Clerk JWKS URI, secret key and publishable key are required');
+    });
+  });
+
+  describe('authenticateToken', () => {
+    it('should verify token and return user', async () => {
+      const mockUser = { sub: 'user123', email: 'test@example.com' };
+      (verifyJwks as any).mockResolvedValue(mockUser);
+
+      const auth = new MastraAuthClerk(mockOptions);
+      const result = await auth.authenticateToken('test-token');
+
+      expect(verifyJwks).toHaveBeenCalledWith('test-token', mockOptions.jwksUri);
+      expect(result).toEqual(mockUser);
+    });
+
+    it('should return null when token verification fails', async () => {
+      (verifyJwks as any).mockResolvedValue(null);
+
+      const auth = new MastraAuthClerk(mockOptions);
+      const result = await auth.authenticateToken('invalid-token');
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('authorizeUser', () => {
+    it('should return false when user has no sub', async () => {
+      const auth = new MastraAuthClerk(mockOptions);
+      const result = await auth.authorizeUser({ email: 'test@example.com' });
+
+      expect(result).toBe(false);
+      expect(mockClerkClient.users.getOrganizationMembershipList).not.toHaveBeenCalled();
+    });
+
+    it('should return true when user has organization memberships', async () => {
+      mockClerkClient.users.getOrganizationMembershipList.mockResolvedValue({
+        data: [{ id: 'org1' }],
+      });
+
+      const auth = new MastraAuthClerk(mockOptions);
+      const result = await auth.authorizeUser({ sub: 'user123' });
+
+      expect(mockClerkClient.users.getOrganizationMembershipList).toHaveBeenCalledWith({
+        userId: 'user123',
+      });
+      expect(result).toBe(true);
+    });
+
+    it('should return false when user has no organization memberships', async () => {
+      mockClerkClient.users.getOrganizationMembershipList.mockResolvedValue({
+        data: [],
+      });
+
+      const auth = new MastraAuthClerk(mockOptions);
+      const result = await auth.authorizeUser({ sub: 'user123' });
+
+      expect(result).toBe(false);
+    });
+  });
+
+  it('can be overridden with custom authorization logic', async () => {
+    const clerk = new MastraAuthClerk({
+      ...mockOptions,
+      async authorizeUser(user: any): Promise<boolean> {
+        // Custom authorization logic that checks for specific permissions
+        return user?.permissions?.includes('admin') ?? false;
+      },
+    });
+
+    // Test with admin user
+    const adminUser = { sub: 'user123', permissions: ['admin'] };
+    expect(await clerk.authorizeUser(adminUser)).toBe(true);
+
+    // Test with non-admin user
+    const regularUser = { sub: 'user456', permissions: ['read'] };
+    expect(await clerk.authorizeUser(regularUser)).toBe(false);
+
+    // Test with user without permissions
+    const noPermissionsUser = { sub: 'user789' };
+    expect(await clerk.authorizeUser(noPermissionsUser)).toBe(false);
+  });
+});

package/src/index.ts

@@ -0,0 +1,58 @@
+import { createClerkClient } from '@clerk/backend';
+import type { ClerkClient } from '@clerk/backend';
+import { verifyJwks } from '@mastra/auth';
+import type { JwtPayload } from '@mastra/auth';
+import type { MastraAuthProviderOptions } from '@mastra/core/server';
+import { MastraAuthProvider } from '@mastra/core/server';
+
+type ClerkUser = JwtPayload;
+
+interface MastraAuthClerkOptions extends MastraAuthProviderOptions<ClerkUser> {
+  jwksUri?: string;
+  secretKey?: string;
+  publishableKey?: string;
+}
+
+export class MastraAuthClerk extends MastraAuthProvider<ClerkUser> {
+  protected clerk: ClerkClient;
+  protected jwksUri: string;
+
+  constructor(options?: MastraAuthClerkOptions) {
+    super({ name: options?.name ?? 'clerk' });
+
+    const jwksUri = options?.jwksUri ?? process.env.CLERK_JWKS_URI;
+    const secretKey = options?.secretKey ?? process.env.CLERK_SECRET_KEY;
+    const publishableKey = options?.publishableKey ?? process.env.CLERK_PUBLISHABLE_KEY;
+
+    if (!jwksUri || !secretKey || !publishableKey) {
+      throw new Error(
+        'Clerk JWKS URI, secret key and publishable key are required, please provide them in the options or set the environment variables CLERK_JWKS_URI, CLERK_SECRET_KEY and CLERK_PUBLISHABLE_KEY',
+      );
+    }
+
+    this.jwksUri = jwksUri;
+    this.clerk = createClerkClient({
+      secretKey,
+      publishableKey,
+    });
+
+    this.registerOptions(options);
+  }
+
+  async authenticateToken(token: string): Promise<ClerkUser | null> {
+    const user = await verifyJwks(token, this.jwksUri);
+    return user;
+  }
+
+  async authorizeUser(user: ClerkUser) {
+    if (!user.sub) {
+      return false;
+    }
+
+    const orgs = await this.clerk.users.getOrganizationMembershipList({
+      userId: user.sub,
+    });
+
+    return orgs.data.length > 0;
+  }
+}

package/tsconfig.json

@@ -0,0 +1,5 @@
+{
+  "extends": "../../tsconfig.node.json",
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

package/vitest.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    include: ['src/**/*.test.ts'],
+  },
+});