-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Improve Backend request handling #742
base: main
Are you sure you want to change the base?
Conversation
Co-authored-by: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Co-authored-by: panteliselef <panteliselef@outlook.com> Co-authored-by: Lennart <lekoarts@gmail.com>
Co-authored-by: Roy Anger <roy@royanger.com>
Co-authored-by: Roy Anger <roy@royanger.com>
Co-authored-by: Roy Anger <roy@royanger.com>
Co-authored-by: Jacob M-G Evans <27247160+JacobMGEvans@users.noreply.github.com>
Co-authored-by: Lennart <lekoarts@gmail.com>
Co-authored-by: Lennart <lekoarts@gmail.com>
!preview |
Hey @dimkl, your docs preview is available.
|
099d2f6
to
ffca89b
Compare
and is used in combination with `getAuth()` to retrieve the auth and handle appropriately the request. | ||
|
||
## Implementing lax authentication | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does "lax authentication" mean for users? We can add an explanation here
</CodeBlockTabs> | ||
|
||
## Implementing strict authentication | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does "strict authentication" mean? We can add an explanation here
| `secretKey` | `string` | TODO | | ||
| `apiUrl` | `string` | TODO | | ||
| `apiVersion` | `string` | TODO | | ||
| `userAgent` | `string` | TODO | | ||
| `audience` | `string \| string[]` | TODO | | ||
| `publishableKey` | `string` | TODO | | ||
| `isSatellite` | `boolean` | TODO | | ||
| `domain` | `string` | TODO | | ||
| `proxyUrl` | `string` | TODO | | ||
| `sdkMetadata` | `{ name: string, version: string }` | TODO | | ||
| `telemetry` | `{ disabled: boolean, debug: boolean }` | TODO | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if this PR isn't ready for review, please revert to draft 🫶
also, I'm pretty sure we have the descriptions for these values on other pages! I'd ctrl + shift + f to search all of the clerk docs and just copy and paste the descriptions :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i have reverted it to draft since it's not ready for review 😓
Yes, i think that I've seen most of them somewhere in our docs.
|
||
1. Use the above Public Key to verify the token's signature. | ||
2. Validate that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. | ||
1. Uses the instance Public Key to verify the token's signature (to manually find and use the public key check [here](#get-your-instances-public-key)). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so does authenticateRequest automatically have access to the user's public key?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The authenticateRequest()
retrieves the jwks (containing the JWK to verify to the token signature) of the instance from BAPI using the secretKey
parameter.
1. Use the above Public Key to verify the token's signature. | ||
2. Validate that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. | ||
1. Uses the instance Public Key to verify the token's signature (to manually find and use the public key check [here](#get-your-instances-public-key)). | ||
2. Validates that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. | ||
3. The `azp` claim in the Clerk Session JWT stands for authorized parties. If the `azp` claim exists, validate that it equals any of your known origins that are permitted to generate those tokens. This is an extra security check that we highly recommend that you do. Verifying the `azp` claim on the server side ensures that the session token is generated from the expected frontend application. For example, if you are permitting tokens retrieved from `http://localhost:3000`, then the `azp` claim should equal `http://localhost:3000`. You can also pass an array of strings like so: `['http://localhost:4003', 'https://clerk.dev']`. If the `azp` claim does not exist, then you can skip this step. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does authenticateRequest() do verify the azp
claim for the user as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No it doesn't. We could remove this.
Since verifying that the jwt is not expired and the jwt is signed by the Clerk instance with the secretKey set in the developer server, is sufficient.
63cda1c
to
210e452
Compare
b4cb9ea
to
d1e1f42
Compare
7ff7598
to
57f6050
Compare
6b94d9a
to
5abdb0a
Compare
e3640db
to
085a0a7
Compare
c6268d4
to
611e596
Compare
This PR will be used to decide upon the nodejs related SDKs doc structure.
Files updated:
🔎 Preview /backend-requests/handling/fastify
🔎 Preview /backend-requests/handling/manual-jwt
🔎 Preview /backend-requests/overview