-
Notifications
You must be signed in to change notification settings - Fork 381
feat(backend): Introduce M2M endpoints authentication using machine secret keys #6229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Closed
Changes from 24 commits
Commits
Show all changes
61 commits
Select commit
Hold shift + click to select a range
05d6c8e
chore(backend): Introduce machine token secrets as authorization header
wobsoriano ca7a8be
chore: clean up
wobsoriano af6a27b
chore: use a more readable option for bapi proxy methods
wobsoriano fa94227
chore: add initial changeset
wobsoriano 8dcd607
chore: add machine_secret_key type to api keys api
wobsoriano 5d78030
Merge remote-tracking branch 'origin/main' into rob/user-2264-m2m
wobsoriano 7bb3eb8
chore: reuse header consts
wobsoriano 424a5a4
chore: rename to machine secret
wobsoriano 1dbd41b
chore: clean up
wobsoriano 7c3063c
chore: add secret property to create method
wobsoriano 9dab708
Merge branch 'main' into rob/user-2264-m2m
wobsoriano db38ca5
chore: remove machine secret type from api key creation
wobsoriano 5ce88ee
chore: make secret property optional
wobsoriano c33e3fd
Merge branch 'main' into rob/user-2264-m2m
wobsoriano f9526af
Merge branch 'main' into rob/user-2264-m2m
wobsoriano cb6c822
Merge branch 'main' into rob/user-2264-m2m
wobsoriano 68bcb7e
Merge branch 'main' into rob/user-2264-m2m
wobsoriano e900e13
chore: add machines BAPI endpoints
wobsoriano 6c0fc64
chore: trigger rebuild
wobsoriano c1d1ae2
chore: remove unnecessary params
wobsoriano d53115d
Merge branch 'main' into rob/user-2264-m2m
wobsoriano d87f937
Merge branch 'main' into rob/user-2264-m2m
wobsoriano 7ff0538
chore: remove unused properties
wobsoriano e844565
chore: improve machine secret check
wobsoriano 017bb4b
fix required secrets
wobsoriano e26660e
fix required secrets
wobsoriano 0f7387d
fix required secrets
wobsoriano f78ddcc
chore: remove removed properties
wobsoriano 1492a1e
Merge branch 'main' into rob/user-2264-m2m
wobsoriano a8c66e1
chore: remove name and claims from m2m tokens
wobsoriano 201cb23
fix tests
wobsoriano 64afde6
fix incorrect method in tests
wobsoriano b38465b
chore: update tests
wobsoriano 18b76da
chore: update test descriptions
wobsoriano d91404c
chore: improve tests
wobsoriano 37a3d65
chore: update changeset
wobsoriano 1d69db8
chore: skip pub key init for machine tokens
wobsoriano b26bd76
chore: skip pub and secret key check for authenticate request with ma…
wobsoriano d609285
fix error handling
wobsoriano 2e080db
chore: allow machine secrets in authenticateRequest
wobsoriano 7055b8a
chore: remove unused export keyword
wobsoriano 051dd85
chore: more tests
wobsoriano 7371a32
chore: add missing secret key or machine secret error test
wobsoriano d96d436
Merge branch 'main' into rob/user-2264-m2m
wobsoriano 6642321
chore: run dedupe
wobsoriano 239b6ba
chore: add secret key
wobsoriano a8d310f
chore: do not destructure body params in m2m endpoints
wobsoriano 2a74cf9
chore: do not destructure body params in machine endpoints
wobsoriano 60b139a
chore: update tests
wobsoriano ad9a0ec
chore: Use machine secret key from created Clerk client
wobsoriano 8ca8009
chore: update missing clerk instance key or machine secret key error
wobsoriano 7569d95
formatting
wobsoriano ad5a0f9
fix authenticate request option types
wobsoriano b72e891
fix assertion
wobsoriano 2b2ce8e
Add machine secret key to merged options
wobsoriano afb5923
allow custom machine secret key per method
wobsoriano 01653ae
add jsdoc
wobsoriano e05d414
chore: separate backend api client machine secret key and options sec…
wobsoriano 85e47f1
chore: clean up authorizationHeader
wobsoriano e2ede5f
clean up authenticate context
wobsoriano c98d1ed
clean up authenticate context
wobsoriano File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| "@clerk/backend": minor | ||
| --- | ||
|
|
||
| WIP M2M Tokens |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,102 @@ | ||
| import { joinPaths } from '../../util/path'; | ||
| import type { ClerkBackendApiRequestOptions } from '../request'; | ||
| import type { MachineToken } from '../resources/MachineToken'; | ||
| import { AbstractAPI } from './AbstractApi'; | ||
|
|
||
| const basePath = '/m2m_tokens'; | ||
|
|
||
| type WithMachineSecret<T> = T & { machineSecret?: string | null }; | ||
|
|
||
| type CreateMachineTokenParams = WithMachineSecret<{ | ||
| claims?: Record<string, any> | null; | ||
| secondsUntilExpiration?: number | null; | ||
| }>; | ||
|
|
||
| type UpdateMachineTokenParams = WithMachineSecret< | ||
| { | ||
| m2mTokenId: string; | ||
| revocationReason?: string | null; | ||
| revoked?: boolean; | ||
| } & Pick<CreateMachineTokenParams, 'secondsUntilExpiration' | 'claims'> | ||
| >; | ||
|
|
||
| type RevokeMachineTokenParams = WithMachineSecret<{ | ||
| m2mTokenId: string; | ||
| revocationReason?: string | null; | ||
| }>; | ||
|
|
||
| type VerifyMachineTokenParams = WithMachineSecret<{ | ||
| secret: string; | ||
| }>; | ||
|
|
||
| export class MachineTokensApi extends AbstractAPI { | ||
| async verifySecret(secret: string) { | ||
| #requireMachineSecret(machineSecret?: string | null): asserts machineSecret is string { | ||
| if (!machineSecret) { | ||
| throw new Error('A machine secret is required.'); | ||
| } | ||
| } | ||
|
|
||
| async create(params: CreateMachineTokenParams) { | ||
| const { machineSecret, ...bodyParams } = params; | ||
| this.#requireMachineSecret(machineSecret); | ||
| return this.request<MachineToken>({ | ||
| method: 'POST', | ||
| path: basePath, | ||
| bodyParams, | ||
| headerParams: { | ||
| Authorization: `Bearer ${machineSecret}`, | ||
| }, | ||
| }); | ||
| } | ||
|
|
||
| async update(params: UpdateMachineTokenParams) { | ||
| const { m2mTokenId, machineSecret, ...bodyParams } = params; | ||
| this.#requireMachineSecret(machineSecret); | ||
| this.requireId(m2mTokenId); | ||
| return this.request<MachineToken>({ | ||
| method: 'PATCH', | ||
| path: joinPaths(basePath, m2mTokenId), | ||
| bodyParams, | ||
| headerParams: { | ||
| Authorization: `Bearer ${machineSecret}`, | ||
| }, | ||
| }); | ||
| } | ||
|
|
||
| async revoke(params: RevokeMachineTokenParams) { | ||
| const { m2mTokenId, machineSecret, ...bodyParams } = params; | ||
| this.requireId(m2mTokenId); | ||
|
|
||
| const requestOptions: ClerkBackendApiRequestOptions = { | ||
| method: 'POST', | ||
| path: joinPaths(basePath, m2mTokenId, 'revoke'), | ||
| bodyParams, | ||
| }; | ||
|
|
||
| if (machineSecret) { | ||
| requestOptions.headerParams = { | ||
| Authorization: `Bearer ${machineSecret}`, | ||
| }; | ||
| } | ||
|
|
||
| return this.request<MachineToken>(requestOptions); | ||
| } | ||
|
|
||
| async verifySecret(params: VerifyMachineTokenParams) { | ||
| const { secret, machineSecret } = params; | ||
|
|
||
| const requestOptions: ClerkBackendApiRequestOptions = { | ||
| method: 'POST', | ||
| path: joinPaths(basePath, 'verify'), | ||
| bodyParams: { secret }, | ||
| }); | ||
| }; | ||
|
|
||
| if (machineSecret) { | ||
| requestOptions.headerParams = { | ||
| Authorization: `Bearer ${machineSecret}`, | ||
| }; | ||
| } | ||
|
|
||
| return this.request<MachineToken>(requestOptions); | ||
| } | ||
wobsoriano marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.