chore: Improve Backend request handling #742
Conversation
Co-authored-by: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Co-authored-by: panteliselef <panteliselef@outlook.com> Co-authored-by: Lennart <lekoarts@gmail.com>
Co-authored-by: Roy Anger <roy@royanger.com>
Co-authored-by: Roy Anger <roy@royanger.com>
Co-authored-by: Roy Anger <roy@royanger.com>
Co-authored-by: Jacob M-G Evans <27247160+JacobMGEvans@users.noreply.github.com>
Co-authored-by: Lennart <lekoarts@gmail.com>
Co-authored-by: Lennart <lekoarts@gmail.com>
|
!preview |
|
Hey @dimkl, your docs preview is available.
|
dimkl
force-pushed
the
sdk-1395-backend-requests
branch
from
099d2f6
to
ffca89b
Compare
dimkl
changed the title
| and is used in combination with `getAuth()` to retrieve the auth and handle appropriately the request. | ||
|
|
||
| ## Implementing lax authentication | ||
|
|
There was a problem hiding this comment.
What does "lax authentication" mean for users? We can add an explanation here
| </CodeBlockTabs> | ||
|
|
||
| ## Implementing strict authentication | ||
|
|
There was a problem hiding this comment.
What does "strict authentication" mean? We can add an explanation here
| | `secretKey` | `string` | TODO | | ||
| | `apiUrl` | `string` | TODO | | ||
| | `apiVersion` | `string` | TODO | | ||
| | `userAgent` | `string` | TODO | | ||
| | `audience` | `string \| string[]` | TODO | | ||
| | `publishableKey` | `string` | TODO | | ||
| | `isSatellite` | `boolean` | TODO | | ||
| | `domain` | `string` | TODO | | ||
| | `proxyUrl` | `string` | TODO | | ||
| | `sdkMetadata` | `{ name: string, version: string }` | TODO | | ||
| | `telemetry` | `{ disabled: boolean, debug: boolean }` | TODO | |
There was a problem hiding this comment.
if this PR isn't ready for review, please revert to draft 🫶
also, I'm pretty sure we have the descriptions for these values on other pages! I'd ctrl + shift + f to search all of the clerk docs and just copy and paste the descriptions :)
There was a problem hiding this comment.
i have reverted it to draft since it's not ready for review 😓
Yes, i think that I've seen most of them somewhere in our docs.
|
|
||
| 1. Use the above Public Key to verify the token's signature. | ||
| 2. Validate that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. | ||
| 1. Uses the instance Public Key to verify the token's signature (to manually find and use the public key check [here](#get-your-instances-public-key)). |
There was a problem hiding this comment.
so does authenticateRequest automatically have access to the user's public key?
There was a problem hiding this comment.
The authenticateRequest() retrieves the jwks (containing the JWK to verify to the token signature) of the instance from BAPI using the secretKey parameter.
| 1. Use the above Public Key to verify the token's signature. | ||
| 2. Validate that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. | ||
| 1. Uses the instance Public Key to verify the token's signature (to manually find and use the public key check [here](#get-your-instances-public-key)). | ||
| 2. Validates that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. | ||
| 3. The `azp` claim in the Clerk Session JWT stands for authorized parties. If the `azp` claim exists, validate that it equals any of your known origins that are permitted to generate those tokens. This is an extra security check that we highly recommend that you do. Verifying the `azp` claim on the server side ensures that the session token is generated from the expected frontend application. For example, if you are permitting tokens retrieved from `http://localhost:3000`, then the `azp` claim should equal `http://localhost:3000`. You can also pass an array of strings like so: `['http://localhost:4003', 'https://clerk.dev']`. If the `azp` claim does not exist, then you can skip this step. |
There was a problem hiding this comment.
does authenticateRequest() do verify the azp claim for the user as well?
There was a problem hiding this comment.
No it doesn't. We could remove this.
Since verifying that the jwt is not expired and the jwt is signed by the Clerk instance with the secretKey set in the developer server, is sufficient.
alexisintech
force-pushed
the
core-2
branch
2 times, most recently
from
63cda1c
to
210e452
Compare
alexisintech
force-pushed
the
core-2
branch
6 times, most recently
from
b4cb9ea
to
d1e1f42
Compare
alexisintech
force-pushed
the
core-2
branch
2 times, most recently
from
7ff7598
to
57f6050
Compare
alexisintech
force-pushed
the
core-2
branch
3 times, most recently
from
6b94d9a
to
5abdb0a
Compare
alexisintech
force-pushed
the
core-2
branch
2 times, most recently
from
e3640db
to
085a0a7
Compare
alexisintech
force-pushed
the
core-2
branch
2 times, most recently
from
c6268d4
to
611e596
Compare
This PR will be used to decide upon the nodejs related SDKs doc structure.
Files updated:
🔎 Preview /backend-requests/handling/fastify
🔎 Preview /backend-requests/handling/manual-jwt
🔎 Preview /backend-requests/overview