canopycms-auth-clerk 0.0.0

package/README.md

@@ -0,0 +1,81 @@
+# canopycms-auth-clerk
+
+Clerk authentication provider for CanopyCMS.
+
+## Installation
+
+```bash
+npm install canopycms canopycms-auth-clerk @clerk/nextjs
+```
+
+## Usage
+
+### Basic Setup
+
+```typescript
+import { createClerkAuthPlugin } from 'canopycms-auth-clerk'
+import { createCanopyHandler } from 'canopycms/next'
+
+const authPlugin = createClerkAuthPlugin({
+  secretKey: process.env.CLERK_SECRET_KEY,
+  useOrganizationsAsGroups: true, // Map Clerk organizations to CMS groups
+})
+
+const handler = createCanopyHandler({
+  config,
+  authPlugin,
+  // ...
+})
+```
+
+### Configuration Options
+
+```typescript
+interface ClerkAuthConfig {
+  /**
+   * Clerk secret key (defaults to process.env.CLERK_SECRET_KEY)
+   */
+  secretKey?: string
+
+  /**
+   * Use organizations as groups
+   * @default true
+   */
+  useOrganizationsAsGroups?: boolean
+}
+```
+
+### Groups-Only Permission Model
+
+CanopyCMS uses a groups-only permission model. The Clerk plugin extracts the user ID and group memberships from Clerk organizations:
+
+- **User ID**: Clerk's `userId` is used as the CMS user identifier
+- **Groups**: When `useOrganizationsAsGroups` is enabled, Clerk organization memberships are returned as group names
+
+### Reserved Groups in CanopyCMS
+
+CanopyCMS uses reserved groups for permissions:
+
+- **Admins**: Full access to all operations (manage groups, merge PRs, delete branches, etc.)
+- **Reviewers**: Can review branches, request changes, approve PRs
+
+To grant admin access to a user, add them to the "Admins" group in CanopyCMS's group management UI, or use the bootstrap admin mechanism:
+
+```bash
+# Set bootstrap admins via environment variable
+CANOPY_BOOTSTRAP_ADMIN_IDS=user_abc123,user_def456
+```
+
+Bootstrap admins are automatically treated as members of the Admins group, even before the group system is configured.
+
+### Using Organizations as Groups
+
+When `useOrganizationsAsGroups` is enabled (default), Clerk organizations are automatically mapped to CanopyCMS groups for permission management. Create an organization named "Admins" or "Reviewers" in Clerk and add users to grant them those permissions.
+
+## Example App Integration
+
+See the [example app](../../apps/example1) for a complete integration example.
+
+## License
+
+MIT

package/dist/cache-writer.d.ts

@@ -0,0 +1,26 @@
+export interface RefreshClerkCacheOptions {
+    /** Clerk Secret Key (CLERK_SECRET_KEY) */
+    secretKey: string;
+    /** Directory to write cache files to (e.g., /mnt/efs/workspace/.cache) */
+    cachePath: string;
+    /** Whether to treat Clerk organizations as groups (default: true) */
+    useOrganizationsAsGroups?: boolean;
+}
+export interface RefreshClerkCacheResult {
+    userCount: number;
+    groupCount: number;
+    membershipCount: number;
+}
+/**
+ * Fetches all user/org metadata from Clerk API and writes to JSON cache files.
+ *
+ * Used by the EC2 worker to populate the cache that FileBasedAuthCache reads.
+ * Writes atomically (write to temp file, then rename) to avoid partial reads.
+ *
+ * Output files:
+ * - {cachePath}/users.json    — { users: UserSearchResult[] }
+ * - {cachePath}/orgs.json     — { groups: GroupMetadata[] }
+ * - {cachePath}/memberships.json — { memberships: { [userId]: groupId[] } }
+ */
+export declare function refreshClerkCache(options: RefreshClerkCacheOptions): Promise<RefreshClerkCacheResult>;
+//# sourceMappingURL=cache-writer.d.ts.map

package/dist/cache-writer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache-writer.d.ts","sourceRoot":"","sources":["../src/cache-writer.ts"],"names":[],"mappings":"AAsCA,MAAM,WAAW,wBAAwB;IACvC,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAA;IACjB,0EAA0E;IAC1E,SAAS,EAAE,MAAM,CAAA;IACjB,qEAAqE;IACrE,wBAAwB,CAAC,EAAE,OAAO,CAAA;CACnC;AAED,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,eAAe,EAAE,MAAM,CAAA;CACxB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,wBAAwB,GAChC,OAAO,CAAC,uBAAuB,CAAC,CAqFlC"}

package/dist/cache-writer.js

@@ -0,0 +1,94 @@
+import { createClerkClient } from '@clerk/backend';
+import { writeAuthCacheSnapshot } from 'canopycms/auth/cache';
+function unwrapClerkResponse(response) {
+    return Array.isArray(response) ? response : response.data;
+}
+/**
+ * Fetches all user/org metadata from Clerk API and writes to JSON cache files.
+ *
+ * Used by the EC2 worker to populate the cache that FileBasedAuthCache reads.
+ * Writes atomically (write to temp file, then rename) to avoid partial reads.
+ *
+ * Output files:
+ * - {cachePath}/users.json    — { users: UserSearchResult[] }
+ * - {cachePath}/orgs.json     — { groups: GroupMetadata[] }
+ * - {cachePath}/memberships.json — { memberships: { [userId]: groupId[] } }
+ */
+export async function refreshClerkCache(options) {
+    const { secretKey, cachePath, useOrganizationsAsGroups = true } = options;
+    const clerkClient = createClerkClient({ secretKey });
+    // Fetch all users (paginate to handle large organizations)
+    const clerkUsers = [];
+    const pageSize = 500;
+    let offset = 0;
+    // eslint-disable-next-line no-constant-condition
+    while (true) {
+        const usersResponse = (await clerkClient.users.getUserList({
+            limit: pageSize,
+            offset,
+        }));
+        const page = unwrapClerkResponse(usersResponse);
+        clerkUsers.push(...page);
+        if (page.length < pageSize)
+            break;
+        offset += pageSize;
+    }
+    const users = clerkUsers.map((u) => ({
+        id: u.id,
+        name: u.fullName ?? u.full_name ?? u.username ?? u.id,
+        email: u.primaryEmailAddress?.emailAddress ?? u.email_addresses?.[0]?.email_address ?? '',
+        avatarUrl: u.imageUrl ?? u.image_url ?? undefined,
+    }));
+    let groups = [];
+    const memberships = {};
+    if (useOrganizationsAsGroups) {
+        // Fetch all organizations (paginate)
+        const clerkOrgs = [];
+        let orgOffset = 0;
+        const orgPageSize = 100;
+        // eslint-disable-next-line no-constant-condition
+        while (true) {
+            const orgsResponse = (await clerkClient.organizations.getOrganizationList({
+                limit: orgPageSize,
+                offset: orgOffset,
+            }));
+            const page = unwrapClerkResponse(orgsResponse);
+            clerkOrgs.push(...page);
+            if (page.length < orgPageSize)
+                break;
+            orgOffset += orgPageSize;
+        }
+        groups = clerkOrgs.map((o) => ({
+            id: o.id,
+            name: o.name,
+            memberCount: o.membersCount ?? o.members_count,
+        }));
+        // Fetch memberships per user
+        for (const user of clerkUsers) {
+            try {
+                const membershipResponse = (await clerkClient.users.getOrganizationMembershipList({
+                    userId: user.id,
+                }));
+                const userMemberships = unwrapClerkResponse(membershipResponse);
+                if (userMemberships.length > 0) {
+                    memberships[user.id] = userMemberships.map((m) => m.organization.id);
+                }
+            }
+            catch (err) {
+                console.warn(`Failed to fetch memberships for user ${user.id}:`, err instanceof Error ? err.message : err);
+            }
+        }
+    }
+    // Write cache files atomically via snapshot directory + symlink swap
+    await writeAuthCacheSnapshot(cachePath, {
+        'users.json': { users },
+        'orgs.json': { groups },
+        'memberships.json': { memberships },
+    });
+    return {
+        userCount: users.length,
+        groupCount: groups.length,
+        membershipCount: Object.keys(memberships).length,
+    };
+}
+//# sourceMappingURL=cache-writer.js.map

package/dist/cache-writer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache-writer.js","sourceRoot":"","sources":["../src/cache-writer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AAiC7D,SAAS,mBAAmB,CAAI,QAA0B;IACxD,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAA;AAC3D,CAAC;AAiBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAiC;IAEjC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,wBAAwB,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IAEzE,MAAM,WAAW,GAAG,iBAAiB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;IAEpD,2DAA2D;IAC3D,MAAM,UAAU,GAAoB,EAAE,CAAA;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAA;IACpB,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,iDAAiD;IACjD,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,aAAa,GAAG,CAAC,MAAM,WAAW,CAAC,KAAK,CAAC,WAAW,CAAC;YACzD,KAAK,EAAE,QAAQ;YACf,MAAM;SACP,CAAC,CAAiC,CAAA;QACnC,MAAM,IAAI,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAA;QAC/C,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAA;QACxB,IAAI,IAAI,CAAC,MAAM,GAAG,QAAQ;YAAE,MAAK;QACjC,MAAM,IAAI,QAAQ,CAAA;IACpB,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,IAAI,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,EAAE;QACrD,KAAK,EAAE,CAAC,CAAC,mBAAmB,EAAE,YAAY,IAAI,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,aAAa,IAAI,EAAE;QACzF,SAAS,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,SAAS,IAAI,SAAS;KAClD,CAAC,CAAC,CAAA;IAEH,IAAI,MAAM,GAA8D,EAAE,CAAA;IAC1E,MAAM,WAAW,GAA6B,EAAE,CAAA;IAEhD,IAAI,wBAAwB,EAAE,CAAC;QAC7B,qCAAqC;QACrC,MAAM,SAAS,GAAwB,EAAE,CAAA;QACzC,IAAI,SAAS,GAAG,CAAC,CAAA;QACjB,MAAM,WAAW,GAAG,GAAG,CAAA;QACvB,iDAAiD;QACjD,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,YAAY,GAAG,CAAC,MAAM,WAAW,CAAC,aAAa,CAAC,mBAAmB,CAAC;gBACxE,KAAK,EAAE,WAAW;gBAClB,MAAM,EAAE,SAAS;aAClB,CAAC,CAAqC,CAAA;YACvC,MAAM,IAAI,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAA;YAC9C,SAAS,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAA;YACvB,IAAI,IAAI,CAAC,MAAM,GAAG,WAAW;gBAAE,MAAK;YACpC,SAAS,IAAI,WAAW,CAAA;QAC1B,CAAC;QAED,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7B,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,aAAa;SAC/C,CAAC,CAAC,CAAA;QAEH,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,CAAC,MAAM,WAAW,CAAC,KAAK,CAAC,6BAA6B,CAAC;oBAChF,MAAM,EAAE,IAAI,CAAC,EAAE;iBAChB,CAAC,CAA+C,CAAA;gBACjD,MAAM,eAAe,GAAG,mBAAmB,CAAC,kBAAkB,CAAC,CAAA;gBAC/D,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC/B,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAA;gBACtE,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CACV,wCAAwC,IAAI,CAAC,EAAE,GAAG,EAClD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,MAAM,sBAAsB,CAAC,SAAS,EAAE;QACtC,YAAY,EAAE,EAAE,KAAK,EAAE;QACvB,WAAW,EAAE,EAAE,MAAM,EAAE;QACvB,kBAAkB,EAAE,EAAE,WAAW,EAAE;KACpC,CAAC,CAAA;IAEF,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,UAAU,EAAE,MAAM,CAAC,MAAM;QACzB,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM;KACjD,CAAA;AACH,CAAC"}

package/dist/clerk-plugin.d.ts

@@ -0,0 +1,48 @@
+import type { AuthPlugin, AuthPluginFactory } from 'canopycms/auth';
+import type { UserSearchResult, GroupMetadata, AuthenticationResult } from 'canopycms/auth';
+import { type HeadersLike } from 'canopycms/auth';
+export interface ClerkAuthConfig {
+    /**
+     * Use organizations as groups
+     * @default true
+     */
+    useOrganizationsAsGroups?: boolean;
+    /**
+     * Clerk Secret Key. If not provided, will use CLERK_SECRET_KEY env var.
+     */
+    secretKey?: string;
+    /**
+     * PEM public key for networkless JWT verification.
+     * If not provided, will use CLERK_JWT_KEY env var.
+     */
+    jwtKey?: string;
+    /**
+     * List of authorized parties (domains) for CSRF protection.
+     * If not provided, will parse from CLERK_AUTHORIZED_PARTIES env var.
+     */
+    authorizedParties?: string[];
+}
+/**
+ * Extract token from headers.
+ * Looks for Bearer token in Authorization header or __session cookie.
+ */
+export declare const extractToken: (headers: HeadersLike) => string | null;
+/**
+ * Clerk authentication plugin implementation for CanopyCMS.
+ * Uses @clerk/backend for framework-agnostic JWT verification.
+ */
+export declare class ClerkAuthPlugin implements AuthPlugin {
+    private config;
+    private clerkClient;
+    constructor(config?: ClerkAuthConfig);
+    authenticate(context: unknown): Promise<AuthenticationResult>;
+    searchUsers(query: string, limit?: number): Promise<UserSearchResult[]>;
+    getUserMetadata(userId: string): Promise<UserSearchResult | null>;
+    getGroupMetadata(groupId: string): Promise<GroupMetadata | null>;
+    listGroups(limit?: number): Promise<GroupMetadata[]>;
+}
+/**
+ * Factory function to create a Clerk auth plugin instance
+ */
+export declare const createClerkAuthPlugin: AuthPluginFactory<ClerkAuthConfig>;
+//# sourceMappingURL=clerk-plugin.d.ts.map

package/dist/clerk-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clerk-plugin.d.ts","sourceRoot":"","sources":["../src/clerk-plugin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACnE,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAA;AAC3F,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAEjE,MAAM,WAAW,eAAe;IAC9B;;;OAGG;IACH,wBAAwB,CAAC,EAAE,OAAO,CAAA;IAElC;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC7B;AAmED;;;GAGG;AACH,eAAO,MAAM,YAAY,GAAI,SAAS,WAAW,KAAG,MAAM,GAAG,IAiB5D,CAAA;AAED;;;GAGG;AACH,qBAAa,eAAgB,YAAW,UAAU;IAChD,OAAO,CAAC,MAAM,CAIb;IACD,OAAO,CAAC,WAAW,CAAsC;gBAE7C,MAAM,GAAE,eAAoB;IAyBlC,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAuE7D,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,SAAK,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAuBnE,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAgBjE,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAqBhE,UAAU,CAAC,KAAK,SAAK,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;CAqBvD;AAED;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,iBAAiB,CAAC,eAAe,CAEpE,CAAA"}

package/dist/clerk-plugin.js

@@ -0,0 +1,214 @@
+import { createClerkClient, verifyToken as clerkVerifyToken } from '@clerk/backend';
+import { extractHeaders } from 'canopycms/auth';
+/**
+ * Unwrap Clerk paginated response to array.
+ * Clerk SDK sometimes returns arrays directly, sometimes paginated objects.
+ */
+function unwrapClerkResponse(response) {
+    return Array.isArray(response) ? response : response.data;
+}
+/**
+ * Map Clerk user data to Canopy user metadata.
+ * Handles both camelCase and snake_case property variants.
+ */
+function mapClerkUserData(clerkUser) {
+    const avatarUrl = clerkUser.imageUrl ?? clerkUser.image_url;
+    return {
+        email: clerkUser.primaryEmailAddress?.emailAddress ?? clerkUser.email_addresses?.[0]?.email_address,
+        name: clerkUser.fullName ?? clerkUser.full_name ?? clerkUser.username ?? clerkUser.id,
+        avatarUrl: avatarUrl ?? undefined,
+    };
+}
+/**
+ * Get member count from organization, handling property name variants.
+ */
+function getOrgMemberCount(org) {
+    return org.membersCount ?? org.members_count;
+}
+/**
+ * Extract token from headers.
+ * Looks for Bearer token in Authorization header or __session cookie.
+ */
+export const extractToken = (headers) => {
+    // Try Authorization header first
+    const authHeader = headers.get('Authorization');
+    if (authHeader?.startsWith('Bearer ')) {
+        return authHeader.slice(7);
+    }
+    // Try __session cookie
+    const cookie = headers.get('Cookie');
+    if (cookie) {
+        const match = cookie.match(/__session=([^;]+)/);
+        if (match) {
+            return match[1];
+        }
+    }
+    return null;
+};
+/**
+ * Clerk authentication plugin implementation for CanopyCMS.
+ * Uses @clerk/backend for framework-agnostic JWT verification.
+ */
+export class ClerkAuthPlugin {
+    constructor(config = {}) {
+        const secretKey = config.secretKey ?? process.env.CLERK_SECRET_KEY;
+        if (!secretKey) {
+            throw new Error('ClerkAuthPlugin: CLERK_SECRET_KEY environment variable or secretKey config is required');
+        }
+        const jwtKey = config.jwtKey ?? process.env.CLERK_JWT_KEY;
+        const authorizedParties = config.authorizedParties ??
+            process.env.CLERK_AUTHORIZED_PARTIES?.split(',')
+                .map((s) => s.trim())
+                .filter(Boolean);
+        this.config = {
+            useOrganizationsAsGroups: config.useOrganizationsAsGroups ?? true,
+            secretKey,
+            jwtKey,
+            authorizedParties,
+        };
+        this.clerkClient = createClerkClient({ secretKey });
+    }
+    async authenticate(context) {
+        try {
+            // Extract headers from context (supports CanopyRequest and Headers)
+            const headers = extractHeaders(context);
+            if (!headers) {
+                return {
+                    success: false,
+                    error: 'Invalid context: expected CanopyRequest or Headers object',
+                };
+            }
+            // Extract token from headers
+            const token = extractToken(headers);
+            if (!token) {
+                return { success: false, error: 'No authentication token found' };
+            }
+            // Verify the token
+            const verifyOptions = {
+                secretKey: this.config.secretKey,
+            };
+            if (this.config.jwtKey) {
+                verifyOptions.jwtKey = this.config.jwtKey;
+            }
+            if (this.config.authorizedParties) {
+                verifyOptions.authorizedParties = this.config.authorizedParties;
+            }
+            const payload = await clerkVerifyToken(token, verifyOptions);
+            if (!payload || !payload.sub) {
+                return { success: false, error: 'Invalid token payload' };
+            }
+            const userId = payload.sub;
+            // Get user details from Clerk
+            const clerkUser = (await this.clerkClient.users.getUser(userId));
+            // Get organizations as external groups
+            let externalGroups;
+            if (this.config.useOrganizationsAsGroups) {
+                const orgs = (await this.clerkClient.users.getOrganizationMembershipList({
+                    userId: clerkUser.id,
+                }));
+                const memberships = unwrapClerkResponse(orgs);
+                externalGroups = memberships.map((m) => m.organization.id);
+            }
+            const userData = mapClerkUserData(clerkUser);
+            // Return identity only - core will apply bootstrap admins
+            return {
+                success: true,
+                user: {
+                    userId: clerkUser.id,
+                    ...userData,
+                    externalGroups,
+                },
+            };
+        }
+        catch (error) {
+            return {
+                success: false,
+                error: error instanceof Error ? error.message : 'Authentication failed',
+            };
+        }
+    }
+    async searchUsers(query, limit = 10) {
+        try {
+            const response = (await this.clerkClient.users.getUserList({
+                query,
+                limit,
+            }));
+            const users = unwrapClerkResponse(response);
+            return users.map((u) => {
+                const mapped = mapClerkUserData(u);
+                return {
+                    id: u.id,
+                    name: mapped.name,
+                    email: mapped.email ?? '',
+                    avatarUrl: mapped.avatarUrl,
+                };
+            });
+        }
+        catch (error) {
+            console.error('ClerkAuthPlugin: searchUsers failed', error);
+            return [];
+        }
+    }
+    async getUserMetadata(userId) {
+        try {
+            const user = (await this.clerkClient.users.getUser(userId));
+            const mapped = mapClerkUserData(user);
+            return {
+                id: user.id,
+                name: mapped.name,
+                email: mapped.email ?? '',
+                avatarUrl: mapped.avatarUrl,
+            };
+        }
+        catch (error) {
+            console.error('ClerkAuthPlugin: getUserMetadata failed', error);
+            return null;
+        }
+    }
+    async getGroupMetadata(groupId) {
+        if (!this.config.useOrganizationsAsGroups) {
+            return null;
+        }
+        try {
+            const org = (await this.clerkClient.organizations.getOrganization({
+                organizationId: groupId,
+            }));
+            return {
+                id: org.id,
+                name: org.name,
+                memberCount: getOrgMemberCount(org),
+            };
+        }
+        catch (error) {
+            console.error('ClerkAuthPlugin: getGroupMetadata failed', error);
+            return null;
+        }
+    }
+    async listGroups(limit = 50) {
+        if (!this.config.useOrganizationsAsGroups) {
+            return [];
+        }
+        try {
+            const response = (await this.clerkClient.organizations.getOrganizationList({
+                limit,
+            }));
+            const orgs = unwrapClerkResponse(response);
+            return orgs.map((o) => ({
+                id: o.id,
+                name: o.name,
+                memberCount: getOrgMemberCount(o),
+            }));
+        }
+        catch (error) {
+            console.error('ClerkAuthPlugin: listGroups failed', error);
+            return [];
+        }
+    }
+}
+/**
+ * Factory function to create a Clerk auth plugin instance
+ */
+export const createClerkAuthPlugin = (config) => {
+    return new ClerkAuthPlugin(config);
+};
+//# sourceMappingURL=clerk-plugin.js.map

package/dist/clerk-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clerk-plugin.js","sourceRoot":"","sources":["../src/clerk-plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,WAAW,IAAI,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAGnF,OAAO,EAAE,cAAc,EAAoB,MAAM,gBAAgB,CAAA;AA2DjE;;;GAGG;AACH,SAAS,mBAAmB,CAAI,QAA0B;IACxD,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAA;AAC3D,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,SAAwB;IAKhD,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,SAAS,CAAA;IAC3D,OAAO;QACL,KAAK,EACH,SAAS,CAAC,mBAAmB,EAAE,YAAY,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,aAAa;QAC9F,IAAI,EAAE,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,EAAE;QACrF,SAAS,EAAE,SAAS,IAAI,SAAS;KAClC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAsB;IAC/C,OAAO,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,aAAa,CAAA;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,OAAoB,EAAiB,EAAE;IAClE,iCAAiC;IACjC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC/C,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC5B,CAAC;IAED,uBAAuB;IACvB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACpC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC,CAAA;AAED;;;GAGG;AACH,MAAM,OAAO,eAAe;IAQ1B,YAAY,SAA0B,EAAE;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAA;QAClE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAA;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAA;QACzD,MAAM,iBAAiB,GACrB,MAAM,CAAC,iBAAiB;YACxB,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,KAAK,CAAC,GAAG,CAAC;iBAC7C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAA;QAEpB,IAAI,CAAC,MAAM,GAAG;YACZ,wBAAwB,EAAE,MAAM,CAAC,wBAAwB,IAAI,IAAI;YACjE,SAAS;YACT,MAAM;YACN,iBAAiB;SAClB,CAAA;QAED,IAAI,CAAC,WAAW,GAAG,iBAAiB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;IACrD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAgB;QACjC,IAAI,CAAC;YACH,oEAAoE;YACpE,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAA;YACvC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,2DAA2D;iBACnE,CAAA;YACH,CAAC;YAED,6BAA6B;YAC7B,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;YACnC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAA;YACnE,CAAC;YAED,mBAAmB;YACnB,MAAM,aAAa,GAA2C;gBAC5D,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;aACjC,CAAA;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvB,aAAa,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAA;YAC3C,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBAClC,aAAa,CAAC,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAA;YACjE,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC7B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAA;YAC3D,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAA;YAE1B,8BAA8B;YAC9B,MAAM,SAAS,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAkB,CAAA;YAEjF,uCAAuC;YACvC,IAAI,cAAoC,CAAA;YACxC,IAAI,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;gBACzC,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,6BAA6B,CAAC;oBACvE,MAAM,EAAE,SAAS,CAAC,EAAE;iBACrB,CAAC,CAA+C,CAAA;gBAEjD,MAAM,WAAW,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAA;gBAC7C,cAAc,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAA;YAC5D,CAAC;YAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAA;YAE5C,0DAA0D;YAC1D,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE;oBACJ,MAAM,EAAE,SAAS,CAAC,EAAE;oBACpB,GAAG,QAAQ;oBACX,cAAc;iBACf;aACF,CAAA;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB;aACxE,CAAA;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,KAAK,GAAG,EAAE;QACzC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,WAAW,CAAC;gBACzD,KAAK;gBACL,KAAK;aACN,CAAC,CAAiC,CAAA;YAEnC,MAAM,KAAK,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAA;YAC3C,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBACrB,MAAM,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;gBAClC,OAAO;oBACL,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE;oBACzB,SAAS,EAAE,MAAM,CAAC,SAAS;iBAC5B,CAAA;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAA;YAC3D,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAkB,CAAA;YAC5E,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;YACrC,OAAO;gBACL,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE;gBACzB,SAAS,EAAE,MAAM,CAAC,SAAS;aAC5B,CAAA;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAA;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,eAAe,CAAC;gBAChE,cAAc,EAAE,OAAO;aACxB,CAAC,CAAsB,CAAA;YAExB,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,WAAW,EAAE,iBAAiB,CAAC,GAAG,CAAC;aACpC,CAAA;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAA;YAChE,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAK,GAAG,EAAE;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAC1C,OAAO,EAAE,CAAA;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,mBAAmB,CAAC;gBACzE,KAAK;aACN,CAAC,CAAqC,CAAA;YAEvC,MAAM,IAAI,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAA;YAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC;aAClC,CAAC,CAAC,CAAA;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAA;YAC1D,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAuC,CAAC,MAAM,EAAE,EAAE;IAClF,OAAO,IAAI,eAAe,CAAC,MAAM,CAAC,CAAA;AACpC,CAAC,CAAA"}

package/dist/client.d.ts

@@ -0,0 +1,19 @@
+import type { CanopyClientConfig } from 'canopycms/client';
+/**
+ * Hook that provides Clerk-specific auth handlers and components for CanopyCMS editor.
+ * Use this in your edit page to integrate Clerk authentication with CanopyCMS.
+ *
+ * @example
+ * ```tsx
+ * import { useClerkAuthConfig } from 'canopycms-auth-clerk/client'
+ * import config from '../../canopycms.config'
+ *
+ * export default function EditPage() {
+ *   const clerkAuth = useClerkAuthConfig()
+ *   const editorConfig = config.client(clerkAuth)
+ *   return <CanopyEditorPage config={editorConfig} />
+ * }
+ * ```
+ */
+export declare function useClerkAuthConfig(): Pick<CanopyClientConfig, 'editor'>;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAE1D;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAevE"}

package/dist/client.js

@@ -0,0 +1,36 @@
+'use client';
+import { useClerk } from '@clerk/nextjs';
+import { UserButton } from '@clerk/nextjs';
+/**
+ * Hook that provides Clerk-specific auth handlers and components for CanopyCMS editor.
+ * Use this in your edit page to integrate Clerk authentication with CanopyCMS.
+ *
+ * @example
+ * ```tsx
+ * import { useClerkAuthConfig } from 'canopycms-auth-clerk/client'
+ * import config from '../../canopycms.config'
+ *
+ * export default function EditPage() {
+ *   const clerkAuth = useClerkAuthConfig()
+ *   const editorConfig = config.client(clerkAuth)
+ *   return <CanopyEditorPage config={editorConfig} />
+ * }
+ * ```
+ */
+export function useClerkAuthConfig() {
+    const { signOut } = useClerk();
+    return {
+        editor: {
+            AccountComponent: UserButton,
+            onLogoutClick: async () => {
+                try {
+                    await signOut();
+                }
+                catch (error) {
+                    console.error('Failed to sign out:', error);
+                }
+            },
+        },
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAG1C;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,EAAE,OAAO,EAAE,GAAG,QAAQ,EAAE,CAAA;IAE9B,OAAO;QACL,MAAM,EAAE;YACN,gBAAgB,EAAE,UAAU;YAC5B,aAAa,EAAE,KAAK,IAAI,EAAE;gBACxB,IAAI,CAAC;oBACH,MAAM,OAAO,EAAE,CAAA;gBACjB,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAA;gBAC7C,CAAC;YACH,CAAC;SACF;KACF,CAAA;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { ClerkAuthPlugin, createClerkAuthPlugin } from './clerk-plugin';
+export type { ClerkAuthConfig } from './clerk-plugin';
+export { createClerkJwtVerifier } from './jwt-verifier';
+export type { ClerkJwtVerifierConfig } from './jwt-verifier';
+export { refreshClerkCache } from './cache-writer';
+export type { RefreshClerkCacheOptions, RefreshClerkCacheResult } from './cache-writer';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACvE,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AACrD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA;AACvD,YAAY,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,YAAY,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { ClerkAuthPlugin, createClerkAuthPlugin } from './clerk-plugin';
+export { createClerkJwtVerifier } from './jwt-verifier';
+export { refreshClerkCache } from './cache-writer';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AAEvE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA;AAEvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/jwt-verifier.d.ts

@@ -0,0 +1,28 @@
+import type { TokenVerifier } from 'canopycms/auth';
+export interface ClerkJwtVerifierConfig {
+    /**
+     * PEM public key for networkless JWT verification.
+     * Required for operation without internet access.
+     */
+    jwtKey: string;
+    /**
+     * Clerk Secret Key as fallback (requires internet).
+     * If not provided, only jwtKey verification is attempted.
+     */
+    secretKey?: string;
+    /**
+     * Authorized parties for CSRF protection.
+     */
+    authorizedParties?: string[];
+}
+/**
+ * Creates a token verifier function that uses Clerk's JWT verification.
+ *
+ * When jwtKey (PEM public key) is provided, verification is **networkless** —
+ * no Clerk API calls are made. This is used in Lambda environments
+ * with no internet access.
+ *
+ * Returns a TokenVerifier compatible with CachingAuthPlugin.
+ */
+export declare function createClerkJwtVerifier(config: ClerkJwtVerifierConfig): TokenVerifier;
+//# sourceMappingURL=jwt-verifier.d.ts.map

package/dist/jwt-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-verifier.d.ts","sourceRoot":"","sources":["../src/jwt-verifier.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAGnD,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC7B;AAED;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,sBAAsB,GAAG,aAAa,CA8BpF"}

package/dist/jwt-verifier.js

@@ -0,0 +1,42 @@
+import { verifyToken as clerkVerifyToken } from '@clerk/backend';
+import { extractHeaders } from 'canopycms/auth';
+import { extractToken } from './clerk-plugin';
+/**
+ * Creates a token verifier function that uses Clerk's JWT verification.
+ *
+ * When jwtKey (PEM public key) is provided, verification is **networkless** —
+ * no Clerk API calls are made. This is used in Lambda environments
+ * with no internet access.
+ *
+ * Returns a TokenVerifier compatible with CachingAuthPlugin.
+ */
+export function createClerkJwtVerifier(config) {
+    return async (context) => {
+        const headers = extractHeaders(context);
+        if (!headers)
+            return null;
+        const token = extractToken(headers);
+        if (!token)
+            return null;
+        try {
+            const verifyOptions = {};
+            if (config.jwtKey) {
+                verifyOptions.jwtKey = config.jwtKey;
+            }
+            if (config.secretKey) {
+                verifyOptions.secretKey = config.secretKey;
+            }
+            if (config.authorizedParties) {
+                verifyOptions.authorizedParties = config.authorizedParties;
+            }
+            const payload = await clerkVerifyToken(token, verifyOptions);
+            if (!payload?.sub)
+                return null;
+            return { userId: payload.sub };
+        }
+        catch {
+            return null;
+        }
+    };
+}
+//# sourceMappingURL=jwt-verifier.js.map

package/dist/jwt-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-verifier.js","sourceRoot":"","sources":["../src/jwt-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,IAAI,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAA;AAE/C,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAmB7C;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAA8B;IACnE,OAAO,KAAK,EAAE,OAAgB,EAAE,EAAE;QAChC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAA;QACvC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEzB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,IAAI,CAAC;YACH,MAAM,aAAa,GAA2C,EAAE,CAAA;YAEhE,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAA;YACtC,CAAC;YACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,aAAa,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAA;YAC5C,CAAC;YACD,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBAC7B,aAAa,CAAC,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,CAAA;YAC5D,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,GAAG;gBAAE,OAAO,IAAI,CAAA;YAE9B,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,EAAE,CAAA;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}