UNPKG

@clerk/backend

Version:

Clerk Backend SDK - REST Client for Backend API & JWT verification utilities

clerk/javascript

1,548 lines (1,512 loc) • 188 kB

JavaScript

"use strict"; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; var __getOwnPropNames = Object.getOwnPropertyNames; var __hasOwnProp = Object.prototype.hasOwnProperty; var __typeError = (msg) => { throw TypeError(msg); }; var __export = (target, all) => { for (var name in all) __defProp(target, name, { get: all[name], enumerable: true }); }; var __copyProps = (to, from, except, desc) => { if (from && typeof from === "object" || typeof from === "function") { for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); } return to; }; var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod); var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg); var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value); var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method); // src/internal.ts var internal_exports = {}; __export(internal_exports, { AuthStatus: () => AuthStatus, TokenType: () => TokenType, authenticatedMachineObject: () => authenticatedMachineObject, constants: () => constants, createAuthenticateRequest: () => createAuthenticateRequest, createClerkRequest: () => createClerkRequest, createRedirect: () => createRedirect, debugRequestState: () => debugRequestState, decorateObjectWithResources: () => decorateObjectWithResources, getAuthObjectForAcceptedToken: () => getAuthObjectForAcceptedToken, getAuthObjectFromJwt: () => getAuthObjectFromJwt, getMachineTokenType: () => getMachineTokenType, invalidTokenAuthObject: () => invalidTokenAuthObject, isMachineTokenByPrefix: () => isMachineTokenByPrefix, isMachineTokenType: () => isMachineTokenType, isTokenTypeAccepted: () => isTokenTypeAccepted, makeAuthObjectSerializable: () => makeAuthObjectSerializable, reverificationError: () => import_authorization_errors.reverificationError, reverificationErrorResponse: () => import_authorization_errors.reverificationErrorResponse, signedInAuthObject: () => signedInAuthObject, signedOutAuthObject: () => signedOutAuthObject, stripPrivateDataFromObject: () => stripPrivateDataFromObject, unauthenticatedMachineObject: () => unauthenticatedMachineObject, verifyMachineAuthToken: () => verifyMachineAuthToken }); module.exports = __toCommonJS(internal_exports); // src/constants.ts var API_URL = "https://api.clerk.com"; var API_VERSION = "v1"; var USER_AGENT = `${"@clerk/backend"}@${"2.9.4"}`; var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60; var SUPPORTED_BAPI_VERSION = "2025-04-10"; var Attributes = { AuthToken: "__clerkAuthToken", AuthSignature: "__clerkAuthSignature", AuthStatus: "__clerkAuthStatus", AuthReason: "__clerkAuthReason", AuthMessage: "__clerkAuthMessage", ClerkUrl: "__clerkUrl" }; var Cookies = { Session: "__session", Refresh: "__refresh", ClientUat: "__client_uat", Handshake: "__clerk_handshake", DevBrowser: "__clerk_db_jwt", RedirectCount: "__clerk_redirect_count", HandshakeNonce: "__clerk_handshake_nonce" }; var QueryParameters = { ClerkSynced: "__clerk_synced", SuffixedCookies: "suffixed_cookies", ClerkRedirectUrl: "__clerk_redirect_url", // use the reference to Cookies to indicate that it's the same value DevBrowser: Cookies.DevBrowser, Handshake: Cookies.Handshake, HandshakeHelp: "__clerk_help", LegacyDevBrowser: "__dev_session", HandshakeReason: "__clerk_hs_reason", HandshakeNonce: Cookies.HandshakeNonce, HandshakeFormat: "format" }; var Headers2 = { Accept: "accept", AuthMessage: "x-clerk-auth-message", Authorization: "authorization", AuthReason: "x-clerk-auth-reason", AuthSignature: "x-clerk-auth-signature", AuthStatus: "x-clerk-auth-status", AuthToken: "x-clerk-auth-token", CacheControl: "cache-control", ClerkRedirectTo: "x-clerk-redirect-to", ClerkRequestData: "x-clerk-request-data", ClerkUrl: "x-clerk-clerk-url", CloudFrontForwardedProto: "cloudfront-forwarded-proto", ContentType: "content-type", ContentSecurityPolicy: "content-security-policy", ContentSecurityPolicyReportOnly: "content-security-policy-report-only", EnableDebug: "x-clerk-debug", ForwardedHost: "x-forwarded-host", ForwardedPort: "x-forwarded-port", ForwardedProto: "x-forwarded-proto", Host: "host", Location: "location", Nonce: "x-nonce", Origin: "origin", Referrer: "referer", SecFetchDest: "sec-fetch-dest", SecFetchSite: "sec-fetch-site", UserAgent: "user-agent", ReportingEndpoints: "reporting-endpoints" }; var ContentTypes = { Json: "application/json" }; var constants = { Attributes, Cookies, Headers: Headers2, ContentTypes, QueryParameters }; // src/createRedirect.ts var import_buildAccountsBaseUrl = require("@clerk/shared/buildAccountsBaseUrl"); // src/util/shared.ts var import_url = require("@clerk/shared/url"); var import_retry = require("@clerk/shared/retry"); var import_keys = require("@clerk/shared/keys"); var import_deprecated = require("@clerk/shared/deprecated"); var import_error = require("@clerk/shared/error"); var import_keys2 = require("@clerk/shared/keys"); var errorThrower = (0, import_error.buildErrorThrower)({ packageName: "@clerk/backend" }); var { isDevOrStagingUrl } = (0, import_keys2.createDevOrStagingUrlCache)(); // src/createRedirect.ts var buildUrl = (_baseUrl, _targetUrl, _returnBackUrl, _devBrowserToken) => { if (_baseUrl === "") { return legacyBuildUrl(_targetUrl.toString(), _returnBackUrl?.toString()); } const baseUrl = new URL(_baseUrl); const returnBackUrl = _returnBackUrl ? new URL(_returnBackUrl, baseUrl) : void 0; const res = new URL(_targetUrl, baseUrl); const isCrossOriginRedirect = `${baseUrl.hostname}:${baseUrl.port}` !== `${res.hostname}:${res.port}`; if (returnBackUrl) { if (isCrossOriginRedirect) { returnBackUrl.searchParams.delete(constants.QueryParameters.ClerkSynced); } res.searchParams.set("redirect_url", returnBackUrl.toString()); } if (isCrossOriginRedirect && _devBrowserToken) { res.searchParams.set(constants.QueryParameters.DevBrowser, _devBrowserToken); } return res.toString(); }; var legacyBuildUrl = (targetUrl, redirectUrl) => { let url; if (!targetUrl.startsWith("http")) { if (!redirectUrl || !redirectUrl.startsWith("http")) { throw new Error("destination url or return back url should be an absolute path url!"); } const baseURL = new URL(redirectUrl); url = new URL(targetUrl, baseURL.origin); } else { url = new URL(targetUrl); } if (redirectUrl) { url.searchParams.set("redirect_url", redirectUrl); } return url.toString(); }; var createRedirect = (params) => { const { publishableKey, redirectAdapter, signInUrl, signUpUrl, baseUrl, sessionStatus } = params; const parsedPublishableKey = (0, import_keys.parsePublishableKey)(publishableKey); const frontendApi = parsedPublishableKey?.frontendApi; const isDevelopment = parsedPublishableKey?.instanceType === "development"; const accountsBaseUrl = (0, import_buildAccountsBaseUrl.buildAccountsBaseUrl)(frontendApi); const hasPendingStatus = sessionStatus === "pending"; const redirectToTasks = (url, { returnBackUrl }) => { return redirectAdapter( buildUrl(baseUrl, `${url}/tasks`, returnBackUrl, isDevelopment ? params.devBrowserToken : null) ); }; const redirectToSignUp = ({ returnBackUrl } = {}) => { if (!signUpUrl && !accountsBaseUrl) { errorThrower.throwMissingPublishableKeyError(); } const accountsSignUpUrl = `${accountsBaseUrl}/sign-up`; function buildSignUpUrl(signIn) { if (!signIn) { return; } const url = new URL(signIn, baseUrl); url.pathname = `${url.pathname}/create`; return url.toString(); } const targetUrl = signUpUrl || buildSignUpUrl(signInUrl) || accountsSignUpUrl; if (hasPendingStatus) { return redirectToTasks(targetUrl, { returnBackUrl }); } return redirectAdapter(buildUrl(baseUrl, targetUrl, returnBackUrl, isDevelopment ? params.devBrowserToken : null)); }; const redirectToSignIn = ({ returnBackUrl } = {}) => { if (!signInUrl && !accountsBaseUrl) { errorThrower.throwMissingPublishableKeyError(); } const accountsSignInUrl = `${accountsBaseUrl}/sign-in`; const targetUrl = signInUrl || accountsSignInUrl; if (hasPendingStatus) { return redirectToTasks(targetUrl, { returnBackUrl }); } return redirectAdapter(buildUrl(baseUrl, targetUrl, returnBackUrl, isDevelopment ? params.devBrowserToken : null)); }; return { redirectToSignUp, redirectToSignIn }; }; // src/util/mergePreDefinedOptions.ts function mergePreDefinedOptions(preDefinedOptions, options) { return Object.keys(preDefinedOptions).reduce( (obj, key) => { return { ...obj, [key]: options[key] || obj[key] }; }, { ...preDefinedOptions } ); } // src/errors.ts var TokenVerificationErrorCode = { InvalidSecretKey: "clerk_key_invalid" }; var TokenVerificationErrorReason = { TokenExpired: "token-expired", TokenInvalid: "token-invalid", TokenInvalidAlgorithm: "token-invalid-algorithm", TokenInvalidAuthorizedParties: "token-invalid-authorized-parties", TokenInvalidSignature: "token-invalid-signature", TokenNotActiveYet: "token-not-active-yet", TokenIatInTheFuture: "token-iat-in-the-future", TokenVerificationFailed: "token-verification-failed", InvalidSecretKey: "secret-key-invalid", LocalJWKMissing: "jwk-local-missing", RemoteJWKFailedToLoad: "jwk-remote-failed-to-load", RemoteJWKInvalid: "jwk-remote-invalid", RemoteJWKMissing: "jwk-remote-missing", JWKFailedToResolve: "jwk-failed-to-resolve", JWKKidMismatch: "jwk-kid-mismatch" }; var TokenVerificationErrorAction = { ContactSupport: "Contact support@clerk.com", EnsureClerkJWT: "Make sure that this is a valid Clerk generate JWT.", SetClerkJWTKey: "Set the CLERK_JWT_KEY environment variable.", SetClerkSecretKey: "Set the CLERK_SECRET_KEY environment variable.", EnsureClockSync: "Make sure your system clock is in sync (e.g. turn off and on automatic time synchronization)." }; var TokenVerificationError = class _TokenVerificationError extends Error { constructor({ action, message, reason }) { super(message); Object.setPrototypeOf(this, _TokenVerificationError.prototype); this.reason = reason; this.message = message; this.action = action; } getFullMessage() { return `${[this.message, this.action].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`; } }; var MachineTokenVerificationErrorCode = { TokenInvalid: "token-invalid", InvalidSecretKey: "secret-key-invalid", UnexpectedError: "unexpected-error" }; var MachineTokenVerificationError = class _MachineTokenVerificationError extends Error { constructor({ message, code, status }) { super(message); Object.setPrototypeOf(this, _MachineTokenVerificationError.prototype); this.code = code; this.status = status; } getFullMessage() { return `${this.message} (code=${this.code}, status=${this.status})`; } }; // src/runtime.ts var import_crypto = require("#crypto"); var globalFetch = fetch.bind(globalThis); var runtime = { crypto: import_crypto.webcrypto, get fetch() { return process.env.NODE_ENV === "test" ? fetch : globalFetch; }, AbortController: globalThis.AbortController, Blob: globalThis.Blob, FormData: globalThis.FormData, Headers: globalThis.Headers, Request: globalThis.Request, Response: globalThis.Response }; // src/util/rfc4648.ts var base64url = { parse(string, opts) { return parse(string, base64UrlEncoding, opts); }, stringify(data, opts) { return stringify(data, base64UrlEncoding, opts); } }; var base64UrlEncoding = { chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_", bits: 6 }; function parse(string, encoding, opts = {}) { if (!encoding.codes) { encoding.codes = {}; for (let i = 0; i < encoding.chars.length; ++i) { encoding.codes[encoding.chars[i]] = i; } } if (!opts.loose && string.length * encoding.bits & 7) { throw new SyntaxError("Invalid padding"); } let end = string.length; while (string[end - 1] === "=") { --end; if (!opts.loose && !((string.length - end) * encoding.bits & 7)) { throw new SyntaxError("Invalid padding"); } } const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0); let bits = 0; let buffer = 0; let written = 0; for (let i = 0; i < end; ++i) { const value = encoding.codes[string[i]]; if (value === void 0) { throw new SyntaxError("Invalid character " + string[i]); } buffer = buffer << encoding.bits | value; bits += encoding.bits; if (bits >= 8) { bits -= 8; out[written++] = 255 & buffer >> bits; } } if (bits >= encoding.bits || 255 & buffer << 8 - bits) { throw new SyntaxError("Unexpected end of data"); } return out; } function stringify(data, encoding, opts = {}) { const { pad = true } = opts; const mask = (1 << encoding.bits) - 1; let out = ""; let bits = 0; let buffer = 0; for (let i = 0; i < data.length; ++i) { buffer = buffer << 8 | 255 & data[i]; bits += 8; while (bits > encoding.bits) { bits -= encoding.bits; out += encoding.chars[mask & buffer >> bits]; } } if (bits) { out += encoding.chars[mask & buffer << encoding.bits - bits]; } if (pad) { while (out.length * encoding.bits & 7) { out += "="; } } return out; } // src/jwt/algorithms.ts var algToHash = { RS256: "SHA-256", RS384: "SHA-384", RS512: "SHA-512" }; var RSA_ALGORITHM_NAME = "RSASSA-PKCS1-v1_5"; var jwksAlgToCryptoAlg = { RS256: RSA_ALGORITHM_NAME, RS384: RSA_ALGORITHM_NAME, RS512: RSA_ALGORITHM_NAME }; var algs = Object.keys(algToHash); function getCryptoAlgorithm(algorithmName) { const hash = algToHash[algorithmName]; const name = jwksAlgToCryptoAlg[algorithmName]; if (!hash || !name) { throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(",")}.`); } return { hash: { name: algToHash[algorithmName] }, name: jwksAlgToCryptoAlg[algorithmName] }; } // src/jwt/assertions.ts var isArrayString = (s) => { return Array.isArray(s) && s.length > 0 && s.every((a) => typeof a === "string"); }; var assertAudienceClaim = (aud, audience) => { const audienceList = [audience].flat().filter((a) => !!a); const audList = [aud].flat().filter((a) => !!a); const shouldVerifyAudience = audienceList.length > 0 && audList.length > 0; if (!shouldVerifyAudience) { return; } if (typeof aud === "string") { if (!audienceList.includes(aud)) { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Invalid JWT audience claim (aud) ${JSON.stringify(aud)}. Is not included in "${JSON.stringify( audienceList )}".` }); } } else if (isArrayString(aud)) { if (!aud.some((a) => audienceList.includes(a))) { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Invalid JWT audience claim array (aud) ${JSON.stringify(aud)}. Is not included in "${JSON.stringify( audienceList )}".` }); } } }; var assertHeaderType = (typ) => { if (typeof typ === "undefined") { return; } if (typ !== "JWT") { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenInvalid, message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "JWT".` }); } }; var assertHeaderAlgorithm = (alg) => { if (!algs.includes(alg)) { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenInvalidAlgorithm, message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.` }); } }; var assertSubClaim = (sub) => { if (typeof sub !== "string") { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.` }); } }; var assertAuthorizedPartiesClaim = (azp, authorizedParties) => { if (!azp || !authorizedParties || authorizedParties.length === 0) { return; } if (!authorizedParties.includes(azp)) { throw new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenInvalidAuthorizedParties, message: `Invalid JWT Authorized party claim (azp) ${JSON.stringify(azp)}. Expected "${authorizedParties}".` }); } }; var assertExpirationClaim = (exp, clockSkewInMs) => { if (typeof exp !== "number") { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Invalid JWT expiry date claim (exp) ${JSON.stringify(exp)}. Expected number.` }); } const currentDate = new Date(Date.now()); const expiryDate = /* @__PURE__ */ new Date(0); expiryDate.setUTCSeconds(exp); const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs; if (expired) { throw new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenExpired, message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.` }); } }; var assertActivationClaim = (nbf, clockSkewInMs) => { if (typeof nbf === "undefined") { return; } if (typeof nbf !== "number") { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Invalid JWT not before date claim (nbf) ${JSON.stringify(nbf)}. Expected number.` }); } const currentDate = new Date(Date.now()); const notBeforeDate = /* @__PURE__ */ new Date(0); notBeforeDate.setUTCSeconds(nbf); const early = notBeforeDate.getTime() > currentDate.getTime() + clockSkewInMs; if (early) { throw new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenNotActiveYet, message: `JWT cannot be used prior to not before date claim (nbf). Not before date: ${notBeforeDate.toUTCString()}; Current date: ${currentDate.toUTCString()};` }); } }; var assertIssuedAtClaim = (iat, clockSkewInMs) => { if (typeof iat === "undefined") { return; } if (typeof iat !== "number") { throw new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected number.` }); } const currentDate = new Date(Date.now()); const issuedAtDate = /* @__PURE__ */ new Date(0); issuedAtDate.setUTCSeconds(iat); const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs; if (postIssued) { throw new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenIatInTheFuture, message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};` }); } }; // src/jwt/cryptoKeys.ts var import_isomorphicAtob = require("@clerk/shared/isomorphicAtob"); function pemToBuffer(secret) { const trimmed = secret.replace(/-----BEGIN.*?-----/g, "").replace(/-----END.*?-----/g, "").replace(/\s/g, ""); const decoded = (0, import_isomorphicAtob.isomorphicAtob)(trimmed); const buffer = new ArrayBuffer(decoded.length); const bufView = new Uint8Array(buffer); for (let i = 0, strLen = decoded.length; i < strLen; i++) { bufView[i] = decoded.charCodeAt(i); } return bufView; } function importKey(key, algorithm, keyUsage) { if (typeof key === "object") { return runtime.crypto.subtle.importKey("jwk", key, algorithm, false, [keyUsage]); } const keyData = pemToBuffer(key); const format = keyUsage === "sign" ? "pkcs8" : "spki"; return runtime.crypto.subtle.importKey(format, keyData, algorithm, false, [keyUsage]); } // src/jwt/verifyJwt.ts var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3; async function hasValidSignature(jwt, key) { const { header, signature, raw } = jwt; const encoder = new TextEncoder(); const data = encoder.encode([raw.header, raw.payload].join(".")); const algorithm = getCryptoAlgorithm(header.alg); try { const cryptoKey = await importKey(key, algorithm, "verify"); const verified = await runtime.crypto.subtle.verify(algorithm.name, cryptoKey, signature, data); return { data: verified }; } catch (error) { return { errors: [ new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenInvalidSignature, message: error?.message }) ] }; } } function decodeJwt(token) { const tokenParts = (token || "").toString().split("."); if (tokenParts.length !== 3) { return { errors: [ new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenInvalid, message: `Invalid JWT form. A JWT consists of three parts separated by dots.` }) ] }; } const [rawHeader, rawPayload, rawSignature] = tokenParts; const decoder = new TextDecoder(); const header = JSON.parse(decoder.decode(base64url.parse(rawHeader, { loose: true }))); const payload = JSON.parse(decoder.decode(base64url.parse(rawPayload, { loose: true }))); const signature = base64url.parse(rawSignature, { loose: true }); const data = { header, payload, signature, raw: { header: rawHeader, payload: rawPayload, signature: rawSignature, text: token } }; return { data }; } async function verifyJwt(token, options) { const { audience, authorizedParties, clockSkewInMs, key } = options; const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS; const { data: decoded, errors } = decodeJwt(token); if (errors) { return { errors }; } const { header, payload } = decoded; try { const { typ, alg } = header; assertHeaderType(typ); assertHeaderAlgorithm(alg); const { azp, sub, aud, iat, exp, nbf } = payload; assertSubClaim(sub); assertAudienceClaim([aud], [audience]); assertAuthorizedPartiesClaim(azp, authorizedParties); assertExpirationClaim(exp, clockSkew); assertActivationClaim(nbf, clockSkew); assertIssuedAtClaim(iat, clockSkew); } catch (err) { return { errors: [err] }; } const { data: signatureValid, errors: signatureErrors } = await hasValidSignature(decoded, key); if (signatureErrors) { return { errors: [ new TokenVerificationError({ action: TokenVerificationErrorAction.EnsureClerkJWT, reason: TokenVerificationErrorReason.TokenVerificationFailed, message: `Error verifying JWT signature. ${signatureErrors[0]}` }) ] }; } if (!signatureValid) { return { errors: [ new TokenVerificationError({ reason: TokenVerificationErrorReason.TokenInvalidSignature, message: "JWT signature is invalid." }) ] }; } return { data: payload }; } // src/util/optionsAssertions.ts function assertValidSecretKey(val) { if (!val || typeof val !== "string") { throw Error("Missing Clerk Secret Key. Go to https://dashboard.clerk.com and get your key for your instance."); } } function assertValidPublishableKey(val) { (0, import_keys.parsePublishableKey)(val, { fatal: true }); } // src/tokens/tokenTypes.ts var TokenType = { SessionToken: "session_token", ApiKey: "api_key", M2MToken: "m2m_token", OAuthToken: "oauth_token" }; // src/tokens/authenticateContext.ts var AuthenticateContext = class { constructor(cookieSuffix, clerkRequest, options) { this.cookieSuffix = cookieSuffix; this.clerkRequest = clerkRequest; /** * The original Clerk frontend API URL, extracted from publishable key before proxy URL override. * Used for backend operations like token validation and issuer checking. */ this.originalFrontendApi = ""; if (options.acceptsToken === TokenType.M2MToken || options.acceptsToken === TokenType.ApiKey) { this.initHeaderValues(); } else { this.initPublishableKeyValues(options); this.initHeaderValues(); this.initCookieValues(); this.initHandshakeValues(); } Object.assign(this, options); this.clerkUrl = this.clerkRequest.clerkUrl; } /** * Retrieves the session token from either the cookie or the header. * * @returns {string | undefined} The session token if available, otherwise undefined. */ get sessionToken() { return this.sessionTokenInCookie || this.tokenInHeader; } usesSuffixedCookies() { const suffixedClientUat = this.getSuffixedCookie(constants.Cookies.ClientUat); const clientUat = this.getCookie(constants.Cookies.ClientUat); const suffixedSession = this.getSuffixedCookie(constants.Cookies.Session) || ""; const session = this.getCookie(constants.Cookies.Session) || ""; if (session && !this.tokenHasIssuer(session)) { return false; } if (session && !this.tokenBelongsToInstance(session)) { return true; } if (!suffixedClientUat && !suffixedSession) { return false; } const { data: sessionData } = decodeJwt(session); const sessionIat = sessionData?.payload.iat || 0; const { data: suffixedSessionData } = decodeJwt(suffixedSession); const suffixedSessionIat = suffixedSessionData?.payload.iat || 0; if (suffixedClientUat !== "0" && clientUat !== "0" && sessionIat > suffixedSessionIat) { return false; } if (suffixedClientUat === "0" && clientUat !== "0") { return false; } if (this.instanceType !== "production") { const isSuffixedSessionExpired = this.sessionExpired(suffixedSessionData); if (suffixedClientUat !== "0" && clientUat === "0" && isSuffixedSessionExpired) { return false; } } if (!suffixedClientUat && suffixedSession) { return false; } return true; } /** * Determines if the request came from a different origin based on the referrer header. * Used for cross-origin detection in multi-domain authentication flows. * * @returns {boolean} True if referrer exists and is from a different origin, false otherwise. */ isCrossOriginReferrer() { if (!this.referrer || !this.clerkUrl.origin) { return false; } try { if (this.getHeader(constants.Headers.SecFetchSite) === "cross-site") { return true; } const referrerOrigin = new URL(this.referrer).origin; return referrerOrigin !== this.clerkUrl.origin; } catch { return false; } } initPublishableKeyValues(options) { assertValidPublishableKey(options.publishableKey); this.publishableKey = options.publishableKey; const originalPk = (0, import_keys.parsePublishableKey)(this.publishableKey, { fatal: true, domain: options.domain, isSatellite: options.isSatellite }); this.originalFrontendApi = originalPk.frontendApi; const pk = (0, import_keys.parsePublishableKey)(this.publishableKey, { fatal: true, proxyUrl: options.proxyUrl, domain: options.domain, isSatellite: options.isSatellite }); this.instanceType = pk.instanceType; this.frontendApi = pk.frontendApi; } initHeaderValues() { this.tokenInHeader = this.parseAuthorizationHeader(this.getHeader(constants.Headers.Authorization)); this.origin = this.getHeader(constants.Headers.Origin); this.host = this.getHeader(constants.Headers.Host); this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost); this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto); this.referrer = this.getHeader(constants.Headers.Referrer); this.userAgent = this.getHeader(constants.Headers.UserAgent); this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest); this.accept = this.getHeader(constants.Headers.Accept); } initCookieValues() { this.sessionTokenInCookie = this.getSuffixedOrUnSuffixedCookie(constants.Cookies.Session); this.refreshTokenInCookie = this.getSuffixedCookie(constants.Cookies.Refresh); this.clientUat = Number.parseInt(this.getSuffixedOrUnSuffixedCookie(constants.Cookies.ClientUat) || "") || 0; } initHandshakeValues() { this.devBrowserToken = this.getQueryParam(constants.QueryParameters.DevBrowser) || this.getSuffixedOrUnSuffixedCookie(constants.Cookies.DevBrowser); this.handshakeToken = this.getQueryParam(constants.QueryParameters.Handshake) || this.getCookie(constants.Cookies.Handshake); this.handshakeRedirectLoopCounter = Number(this.getCookie(constants.Cookies.RedirectCount)) || 0; this.handshakeNonce = this.getQueryParam(constants.QueryParameters.HandshakeNonce) || this.getCookie(constants.Cookies.HandshakeNonce); } getQueryParam(name) { return this.clerkRequest.clerkUrl.searchParams.get(name); } getHeader(name) { return this.clerkRequest.headers.get(name) || void 0; } getCookie(name) { return this.clerkRequest.cookies.get(name) || void 0; } getSuffixedCookie(name) { return this.getCookie((0, import_keys.getSuffixedCookieName)(name, this.cookieSuffix)) || void 0; } getSuffixedOrUnSuffixedCookie(cookieName) { if (this.usesSuffixedCookies()) { return this.getSuffixedCookie(cookieName); } return this.getCookie(cookieName); } parseAuthorizationHeader(authorizationHeader) { if (!authorizationHeader) { return void 0; } const [scheme, token] = authorizationHeader.split(" ", 2); if (!token) { return scheme; } if (scheme === "Bearer") { return token; } return void 0; } tokenHasIssuer(token) { const { data, errors } = decodeJwt(token); if (errors) { return false; } return !!data.payload.iss; } tokenBelongsToInstance(token) { if (!token) { return false; } const { data, errors } = decodeJwt(token); if (errors) { return false; } const tokenIssuer = data.payload.iss.replace(/https?:\/\//gi, ""); return this.originalFrontendApi === tokenIssuer; } sessionExpired(jwt) { return !!jwt && jwt?.payload.exp <= Date.now() / 1e3 >> 0; } }; var createAuthenticateContext = async (clerkRequest, options) => { const cookieSuffix = options.publishableKey ? await (0, import_keys.getCookieSuffix)(options.publishableKey, runtime.crypto.subtle) : ""; return new AuthenticateContext(cookieSuffix, clerkRequest, options); }; // src/tokens/authObjects.ts var import_authorization = require("@clerk/shared/authorization"); var import_jwtPayloadParser = require("@clerk/shared/jwtPayloadParser"); // src/util/path.ts var SEPARATOR = "/"; var MULTIPLE_SEPARATOR_REGEX = new RegExp("(?<!:)" + SEPARATOR + "{1,}", "g"); function joinPaths(...args) { return args.filter((p) => p).join(SEPARATOR).replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR); } // src/api/endpoints/AbstractApi.ts var AbstractAPI = class { constructor(request) { this.request = request; } requireId(id) { if (!id) { throw new Error("A valid resource ID is required."); } } }; // src/api/endpoints/ActorTokenApi.ts var basePath = "/actor_tokens"; var ActorTokenAPI = class extends AbstractAPI { async create(params) { return this.request({ method: "POST", path: basePath, bodyParams: params }); } async revoke(actorTokenId) { this.requireId(actorTokenId); return this.request({ method: "POST", path: joinPaths(basePath, actorTokenId, "revoke") }); } }; // src/api/endpoints/AccountlessApplicationsAPI.ts var basePath2 = "/accountless_applications"; var AccountlessApplicationAPI = class extends AbstractAPI { async createAccountlessApplication(params) { const headerParams = params?.requestHeaders ? Object.fromEntries(params.requestHeaders.entries()) : void 0; return this.request({ method: "POST", path: basePath2, headerParams }); } async completeAccountlessApplicationOnboarding(params) { const headerParams = params?.requestHeaders ? Object.fromEntries(params.requestHeaders.entries()) : void 0; return this.request({ method: "POST", path: joinPaths(basePath2, "complete"), headerParams }); } }; // src/api/endpoints/AllowlistIdentifierApi.ts var basePath3 = "/allowlist_identifiers"; var AllowlistIdentifierAPI = class extends AbstractAPI { async getAllowlistIdentifierList(params = {}) { return this.request({ method: "GET", path: basePath3, queryParams: { ...params, paginated: true } }); } async createAllowlistIdentifier(params) { return this.request({ method: "POST", path: basePath3, bodyParams: params }); } async deleteAllowlistIdentifier(allowlistIdentifierId) { this.requireId(allowlistIdentifierId); return this.request({ method: "DELETE", path: joinPaths(basePath3, allowlistIdentifierId) }); } }; // src/api/endpoints/APIKeysApi.ts var basePath4 = "/api_keys"; var APIKeysAPI = class extends AbstractAPI { async create(params) { return this.request({ method: "POST", path: basePath4, bodyParams: params }); } async revoke(params) { const { apiKeyId, ...bodyParams } = params; this.requireId(apiKeyId); return this.request({ method: "POST", path: joinPaths(basePath4, apiKeyId, "revoke"), bodyParams }); } async getSecret(apiKeyId) { this.requireId(apiKeyId); return this.request({ method: "GET", path: joinPaths(basePath4, apiKeyId, "secret") }); } async verifySecret(secret) { return this.request({ method: "POST", path: joinPaths(basePath4, "verify"), bodyParams: { secret } }); } }; // src/api/endpoints/BetaFeaturesApi.ts var basePath5 = "/beta_features"; var BetaFeaturesAPI = class extends AbstractAPI { /** * Change the domain of a production instance. * * Changing the domain requires updating the DNS records accordingly, deploying new SSL certificates, * updating your Social Connection's redirect URLs and setting the new keys in your code. * * @remarks * WARNING: Changing your domain will invalidate all current user sessions (i.e. users will be logged out). * Also, while your application is being deployed, a small downtime is expected to occur. */ async changeDomain(params) { return this.request({ method: "POST", path: joinPaths(basePath5, "change_domain"), bodyParams: params }); } }; // src/api/endpoints/BlocklistIdentifierApi.ts var basePath6 = "/blocklist_identifiers"; var BlocklistIdentifierAPI = class extends AbstractAPI { async getBlocklistIdentifierList(params = {}) { return this.request({ method: "GET", path: basePath6, queryParams: params }); } async createBlocklistIdentifier(params) { return this.request({ method: "POST", path: basePath6, bodyParams: params }); } async deleteBlocklistIdentifier(blocklistIdentifierId) { this.requireId(blocklistIdentifierId); return this.request({ method: "DELETE", path: joinPaths(basePath6, blocklistIdentifierId) }); } }; // src/api/endpoints/ClientApi.ts var basePath7 = "/clients"; var ClientAPI = class extends AbstractAPI { async getClientList(params = {}) { return this.request({ method: "GET", path: basePath7, queryParams: { ...params, paginated: true } }); } async getClient(clientId) { this.requireId(clientId); return this.request({ method: "GET", path: joinPaths(basePath7, clientId) }); } verifyClient(token) { return this.request({ method: "POST", path: joinPaths(basePath7, "verify"), bodyParams: { token } }); } async getHandshakePayload(queryParams) { return this.request({ method: "GET", path: joinPaths(basePath7, "handshake_payload"), queryParams }); } }; // src/api/endpoints/DomainApi.ts var basePath8 = "/domains"; var DomainAPI = class extends AbstractAPI { async list() { return this.request({ method: "GET", path: basePath8 }); } async add(params) { return this.request({ method: "POST", path: basePath8, bodyParams: params }); } async update(params) { const { domainId, ...bodyParams } = params; this.requireId(domainId); return this.request({ method: "PATCH", path: joinPaths(basePath8, domainId), bodyParams }); } /** * Deletes a satellite domain for the instance. * It is currently not possible to delete the instance's primary domain. */ async delete(satelliteDomainId) { return this.deleteDomain(satelliteDomainId); } /** * @deprecated Use `delete` instead */ async deleteDomain(satelliteDomainId) { this.requireId(satelliteDomainId); return this.request({ method: "DELETE", path: joinPaths(basePath8, satelliteDomainId) }); } }; // src/api/endpoints/EmailAddressApi.ts var basePath9 = "/email_addresses"; var EmailAddressAPI = class extends AbstractAPI { async getEmailAddress(emailAddressId) { this.requireId(emailAddressId); return this.request({ method: "GET", path: joinPaths(basePath9, emailAddressId) }); } async createEmailAddress(params) { return this.request({ method: "POST", path: basePath9, bodyParams: params }); } async updateEmailAddress(emailAddressId, params = {}) { this.requireId(emailAddressId); return this.request({ method: "PATCH", path: joinPaths(basePath9, emailAddressId), bodyParams: params }); } async deleteEmailAddress(emailAddressId) { this.requireId(emailAddressId); return this.request({ method: "DELETE", path: joinPaths(basePath9, emailAddressId) }); } }; // src/api/endpoints/IdPOAuthAccessTokenApi.ts var basePath10 = "/oauth_applications/access_tokens"; var IdPOAuthAccessTokenApi = class extends AbstractAPI { async verifyAccessToken(accessToken) { return this.request({ method: "POST", path: joinPaths(basePath10, "verify"), bodyParams: { access_token: accessToken } }); } }; // src/api/endpoints/InstanceApi.ts var basePath11 = "/instance"; var InstanceAPI = class extends AbstractAPI { async get() { return this.request({ method: "GET", path: basePath11 }); } async update(params) { return this.request({ method: "PATCH", path: basePath11, bodyParams: params }); } async updateRestrictions(params) { return this.request({ method: "PATCH", path: joinPaths(basePath11, "restrictions"), bodyParams: params }); } async updateOrganizationSettings(params) { return this.request({ method: "PATCH", path: joinPaths(basePath11, "organization_settings"), bodyParams: params }); } }; // src/api/endpoints/InvitationApi.ts var basePath12 = "/invitations"; var InvitationAPI = class extends AbstractAPI { async getInvitationList(params = {}) { return this.request({ method: "GET", path: basePath12, queryParams: { ...params, paginated: true } }); } async createInvitation(params) { return this.request({ method: "POST", path: basePath12, bodyParams: params }); } async revokeInvitation(invitationId) { this.requireId(invitationId); return this.request({ method: "POST", path: joinPaths(basePath12, invitationId, "revoke") }); } }; // src/api/endpoints/MachineApi.ts var basePath13 = "/machines"; var MachineApi = class extends AbstractAPI { async get(machineId) { this.requireId(machineId); return this.request({ method: "GET", path: joinPaths(basePath13, machineId) }); } async list(queryParams = {}) { return this.request({ method: "GET", path: basePath13, queryParams }); } async create(bodyParams) { return this.request({ method: "POST", path: basePath13, bodyParams }); } async update(params) { const { machineId, ...bodyParams } = params; this.requireId(machineId); return this.request({ method: "PATCH", path: joinPaths(basePath13, machineId), bodyParams }); } async delete(machineId) { this.requireId(machineId); return this.request({ method: "DELETE", path: joinPaths(basePath13, machineId) }); } async getSecretKey(machineId) { this.requireId(machineId); return this.request({ method: "GET", path: joinPaths(basePath13, machineId, "secret_key") }); } /** * Creates a new machine scope, allowing the specified machine to access another machine. * * @param machineId - The ID of the machine that will have access to another machine. * @param toMachineId - The ID of the machine that will be scoped to the current machine. */ async createScope(machineId, toMachineId) { this.requireId(machineId); return this.request({ method: "POST", path: joinPaths(basePath13, machineId, "scopes"), bodyParams: { toMachineId } }); } /** * Deletes a machine scope, removing access from one machine to another. * * @param machineId - The ID of the machine that has access to another machine. * @param otherMachineId - The ID of the machine that is being accessed. */ async deleteScope(machineId, otherMachineId) { this.requireId(machineId); return this.request({ method: "DELETE", path: joinPaths(basePath13, machineId, "scopes", otherMachineId) }); } }; // src/api/endpoints/M2MTokenApi.ts var basePath14 = "/m2m_tokens"; var _M2MTokenApi_instances, createRequestOptions_fn; var M2MTokenApi = class extends AbstractAPI { constructor() { super(...arguments); __privateAdd(this, _M2MTokenApi_instances); } async createToken(params) { const { claims = null, machineSecretKey, secondsUntilExpiration = null } = params || {}; const requestOptions = __privateMethod(this, _M2MTokenApi_instances, createRequestOptions_fn).call(this, { method: "POST", path: basePath14, bodyParams: { secondsUntilExpiration, claims } }, machineSecretKey); return this.request(requestOptions); } async revokeToken(params) { const { m2mTokenId, revocationReason = null, machineSecretKey } = params; this.requireId(m2mTokenId); const requestOptions = __privateMethod(this, _M2MTokenApi_instances, createRequestOptions_fn).call(this, { method: "POST", path: joinPaths(basePath14, m2mTokenId, "revoke"), bodyParams: { revocationReason } }, machineSecretKey); return this.request(requestOptions); } async verifyToken(params) { const { token, machineSecretKey } = params; const requestOptions = __privateMethod(this, _M2MTokenApi_instances, createRequestOptions_fn).call(this, { method: "POST", path: joinPaths(basePath14, "verify"), bodyParams: { token } }, machineSecretKey); return this.request(requestOptions); } }; _M2MTokenApi_instances = new WeakSet(); createRequestOptions_fn = function(options, machineSecretKey) { if (machineSecretKey) { return { ...options, headerParams: { ...options.headerParams, Authorization: `Bearer ${machineSecretKey}` } }; } return options; }; // src/api/endpoints/JwksApi.ts var basePath15 = "/jwks"; var JwksAPI = class extends AbstractAPI { async getJwks() { return this.request({ method: "GET", path: basePath15 }); } }; // src/api/endpoints/JwtTemplatesApi.ts var basePath16 = "/jwt_templates"; var JwtTemplatesApi = class extends AbstractAPI { async list(params = {}) { return this.request({ method: "GET", path: basePath16, queryParams: { ...params, paginated: true } }); } async get(templateId) { this.requireId(templateId); return this.request({ method: "GET", path: joinPaths(basePath16, templateId) }); } async create(params) { return this.request({ method: "POST", path: basePath16, bodyParams: params }); } async update(params) { const { templateId, ...bodyParams } = params; this.requireId(templateId); return this.request({ method: "PATCH", path: joinPaths(basePath16, templateId), bodyParams }); } async delete(templateId) { this.requireId(templateId); return this.request({ method: "DELETE", path: joinPaths(basePath16, templateId) }); } }; // src/api/endpoints/OrganizationApi.ts var basePath17 = "/organizations"; var OrganizationAPI = class extends AbstractAPI { async getOrganizationList(params) { return this.request({ method: "GET", path: basePath17, queryParams: params }); } async createOrganization(params) { return this.request({ method: "POST", path: basePath17, bodyParams: params }); } async getOrganization(params) { const { includeMembersCount } = params; const organizationIdOrSlug = "organizationId" in params ? params.organizationId : params.slug; this.requireId(organizationIdOrSlug); return this.request({ method: "GET", path: joinPaths(basePath17, organizationIdOrSlug), queryParams: { includeMembersCount } }); } async updateOrganization(organizationId, params) { this.requireId(organizationId); return this.request({ method: "PATCH", path: joinPaths(basePath17, organizationId), bodyParams: params }); } async updateOrganizationLogo(organizationId, params) { this.requireId(organizationId); const formData = new runtime.FormData(); formData.append("file", params?.file); if (params?.uploaderUserId) { formData.append("uploader_user_id", params?.uploaderUserId); } return this.request({ method: "PUT", path: joinPaths(basePath17, organizationId, "logo"), formData }); } async deleteOrganizationLogo(organizationId) { this.requireId(organizationId); return this.request({ method: "DELETE", path: joinPaths(basePath17, organizationId, "logo") }); } async updateOrganizationMetadata(organizationId, params) { this.requireId(organizationId); return this.request({ method: "PATCH", path: joinPaths(basePath17, organizationId, "metadata"), bodyParams: params }); } async deleteOrganization(organizationId) { return this.request({ method: "DELETE", path: joinPaths(basePath17, organizationId) }); } async getOrganizationMembershipList(params) { const { organizationId, ...queryParams } = params; this.requireId(organizationId); return this.request({ method: "GET", path: joinPaths(basePath17, organizationId, "memberships"), queryParams }); } async getInstanceOrganizationMembershipList(params) { return this.request({ method: "GET", path: "/organization_memberships", queryParams: params }); } async createOrganizationMembership(params) { const { organizationId, ...bodyParams } = params; this.requireId(organizationId); return this.request({ method: "POST", path: joinPaths(basePath17, organizationId, "memberships"), bodyParams }); } async updateOrganizationMembership(params) { const { organizationId, userId, ...bodyParams } = params; this.requireId(organizationId); return this.request({ method: "PATCH", path: joinPaths(basePath17, organizationId, "memberships", userId), bodyParams }); } async updateOrganizationMembershipMetadata(params) { const { organizationId, userId, ...bodyParams } = params; return this.request({ method: "PATCH", path: joinPaths(basePath17, organizationId, "memberships", userId, "metadata"), bodyParams }); } async deleteOrganizationMembership(params) { const { organizationId, userId } = params; this.requireId(organizationId); return this.request({ method: "DELETE", path: joinPaths(basePath17, organizationId, "memberships", userId) }); } async getOrganizationInvitationList(params) { const { organizationId, ...queryParams } = params; this.requireId(organizationId); return this.request({ method: "GET", path: joinPaths(basePath17, organizationId, "invitations"), queryParams }); } async createOrganizationInvitation(params) { const { organizationId, ...bodyParams } = params; this.requireId(organizationId); return this.request({ method: "POST", path