chore: clean up and reuse token type checker utilities

wobsoriano · wobsoriano · commit 5e0630bf4eab · 2025-04-24T19:15:18.000-07:00
diff --git a/packages/nextjs/src/app-router/server/auth.ts b/packages/nextjs/src/app-router/server/auth.ts
@@ -1,6 +1,7 @@
 import type { AuthObject } from '@clerk/backend';
 import type {
   AuthenticatedMachineObject,
+  AuthenticateRequestOptions,
   RedirectFun,
   SignedInAuthObject,
   SignedOutAuthObject,
@@ -51,7 +52,7 @@ type MachineAuth<T extends TokenType> = (AuthenticatedMachineObject | Unauthenti
   tokenType: T;
 };
 
-export type AuthOptions = { acceptsToken?: TokenType | TokenType[] | 'any' };
+export type AuthOptions = { acceptsToken?: AuthenticateRequestOptions['acceptsToken'] };
 
 export interface AuthFn<TRedirect = ReturnType<typeof redirect>> {
   /**
diff --git a/packages/nextjs/src/server/clerkMiddleware.ts b/packages/nextjs/src/server/clerkMiddleware.ts
@@ -21,6 +21,7 @@ import type { NextMiddleware, NextRequest } from 'next/server';
 import { NextResponse } from 'next/server';
 
 import type { AuthFn } from '../app-router/server/auth';
+import type { GetAuthOptions } from '../server/createGetAuth';
 import { isRedirect, serverRedirectWithAuth, setHeader } from '../utils';
 import { withLogger } from '../utils/debugLogger';
 import { canUseKeyless } from '../utils/feature-flags';
@@ -46,6 +47,7 @@ import {
   assertKey,
   decorateRequest,
   handleMultiDomainAndProxy,
+  isTokenTypeAccepted,
   redirectAdapter,
   setRequestHeadersOnNextResponse,
 } from './utils';
@@ -408,27 +410,21 @@ const createMiddlewareAuthHandler = (
       : {},
   );
 
-  const authHandler = async (
-    options = {
-      acceptsToken: 'session_token',
-    },
-  ) => {
-    const acceptsToken = options.acceptsToken;
+  const authHandler = async (options: GetAuthOptions) => {
+    const acceptsToken = options.acceptsToken || 'session_token';
 
     if (acceptsToken === 'any') {
       return authObjWithMethods;
     }
 
-    const tokenTypes = Array.isArray(acceptsToken) ? acceptsToken : [acceptsToken];
-    if (!tokenTypes.includes(authObject.tokenType)) {
+    if (!isTokenTypeAccepted(authObject.tokenType, acceptsToken)) {
       if (authObject.tokenType === 'session_token') {
         return {
           ...signedOutAuthObject(),
           redirectToSignIn,
           redirectToSignUp,
         };
       }
-
       return unauthenticatedMachineObject(authObject.tokenType);
     }
 
diff --git a/packages/nextjs/src/server/createGetAuth.ts b/packages/nextjs/src/server/createGetAuth.ts
@@ -1,22 +1,21 @@
 import type { AuthObject } from '@clerk/backend';
-import type { TokenType } from '@clerk/backend/internal';
 import { constants } from '@clerk/backend/internal';
 import { isTruthy } from '@clerk/shared/underscore';
 
 import { withLogger } from '../utils/debugLogger';
 import { isNextWithUnstableServerActions } from '../utils/sdk-versions';
 import type { GetAuthDataFromRequestOptions } from './data/getAuthDataFromRequest';
 import {
-  getAuthDataFromRequest as getAuthDataFromRequestOriginal,
+  getAuthDataFromRequestAsync as getAuthDataFromRequestAsyncOriginal,
   getAuthDataFromRequestSync as getAuthDataFromRequestSyncOriginal,
 } from './data/getAuthDataFromRequest';
 import { getAuthAuthHeaderMissing } from './errors';
 import { detectClerkMiddleware, getHeader } from './headers-utils';
 import type { RequestLike } from './types';
 import { assertAuthStatus } from './utils';
 
-type GetAuthOptions = {
-  acceptsToken?: TokenType | TokenType[] | 'any';
+export type GetAuthOptions = {
+  acceptsToken?: GetAuthDataFromRequestOptions['acceptsToken'];
 };
 
 /**
@@ -56,11 +55,11 @@ export const createAsyncGetAuth = ({
         assertAuthStatus(req, noAuthStatusMessage);
       }
 
-      const getAuthDataFromRequest = (req: RequestLike, opts: GetAuthDataFromRequestOptions = {}) => {
-        return getAuthDataFromRequestOriginal(req, { ...opts, logger, acceptsToken: options?.acceptsToken });
+      const getAuthDataFromRequestAsync = (req: RequestLike, opts: GetAuthDataFromRequestOptions = {}) => {
+        return getAuthDataFromRequestAsyncOriginal(req, { ...opts, logger, acceptsToken: options?.acceptsToken });
       };
 
-      return getAuthDataFromRequest(req, { ...opts, logger, acceptsToken: options?.acceptsToken });
+      return getAuthDataFromRequestAsync(req, { ...opts, logger, acceptsToken: options?.acceptsToken });
     };
   });
 
diff --git a/packages/nextjs/src/server/data/getAuthDataFromRequest.ts b/packages/nextjs/src/server/data/getAuthDataFromRequest.ts
@@ -1,9 +1,10 @@
 import type { AuthObject } from '@clerk/backend';
-import type { SignedInAuthObject, SignedOutAuthObject, TokenType } from '@clerk/backend/internal';
+import type { AuthenticateRequestOptions, SignedInAuthObject, SignedOutAuthObject } from '@clerk/backend/internal';
 import {
   authenticatedMachineObject,
   AuthStatus,
   constants,
+  getMachineTokenType,
   isMachineToken,
   signedInAuthObject,
   signedOutAuthObject,
@@ -16,12 +17,12 @@ import type { LoggerNoCommit } from '../../utils/debugLogger';
 import { API_URL, API_VERSION, PUBLISHABLE_KEY, SECRET_KEY } from '../constants';
 import { getAuthKeyFromRequest, getHeader } from '../headers-utils';
 import type { RequestLike } from '../types';
-import { assertTokenSignature, decryptClerkRequestData } from '../utils';
+import { assertTokenSignature, decryptClerkRequestData, isTokenTypeAccepted } from '../utils';
 
 export type GetAuthDataFromRequestOptions = {
   secretKey?: string;
   logger?: LoggerNoCommit;
-  acceptsToken?: TokenType | TokenType[] | 'any';
+  acceptsToken?: AuthenticateRequestOptions['acceptsToken'];
 };
 
 type SessionAuthObject = SignedInAuthObject | SignedOutAuthObject;
@@ -51,7 +52,11 @@ export const getAuthDataFromRequestSync = (
     authReason,
   };
 
-  opts.logger?.debug('auth options', options);
+  // Only accept session tokens in sync version
+  const acceptsToken = opts.acceptsToken ?? 'session_token';
+  if (acceptsToken !== 'session_token' && acceptsToken !== 'any') {
+    return signedOutAuthObject(options);
+  }
 
   if (!authStatus || authStatus !== AuthStatus.SignedIn) {
     return signedOutAuthObject(options);
@@ -69,45 +74,35 @@ export const getAuthDataFromRequestSync = (
  * Given a request object, builds an auth object from the request data. Used in server-side environments to get access
  * to auth data for a given request.
  */
-export const getAuthDataFromRequest = async (
+export const getAuthDataFromRequestAsync = async (
   req: RequestLike,
   opts: GetAuthDataFromRequestOptions = {},
 ): Promise<AuthObject> => {
-  const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');
-  const authMessage = getAuthKeyFromRequest(req, 'AuthMessage');
-  const authReason = getAuthKeyFromRequest(req, 'AuthReason');
-
-  opts.logger?.debug('headers', { authStatus, authMessage, authReason });
+  const bearerToken = getHeader(req, constants.Headers.Authorization)?.replace('Bearer ', '');
+  const acceptsToken = opts.acceptsToken ?? 'session_token';
 
-  const encryptedRequestData = getHeader(req, constants.Headers.ClerkRequestData);
-  const decryptedRequestData = decryptClerkRequestData(encryptedRequestData);
+  if (bearerToken && isMachineToken(bearerToken)) {
+    const tokenType = getMachineTokenType(bearerToken);
 
-  const options = {
-    secretKey: opts?.secretKey || decryptedRequestData.secretKey || SECRET_KEY,
-    publishableKey: decryptedRequestData.publishableKey || PUBLISHABLE_KEY,
-    apiUrl: API_URL,
-    apiVersion: API_VERSION,
-    authStatus,
-    authMessage,
-    authReason,
-  };
+    if (!isTokenTypeAccepted(tokenType, acceptsToken)) {
+      return unauthenticatedMachineObject(tokenType);
+    }
 
-  const bearerToken = getHeader(req, constants.Headers.Authorization)?.replace('Bearer ', '');
+    const options = {
+      secretKey: opts?.secretKey || SECRET_KEY,
+      publishableKey: PUBLISHABLE_KEY,
+      apiUrl: API_URL,
+      apiVersion: API_VERSION,
+    };
 
-  // Handle machine tokens if bearer token exists and is a machine token
-  if (bearerToken && isMachineToken(bearerToken)) {
-    const { data, errors, tokenType } = await verifyMachineAuthToken(bearerToken, options);
+    // TODO: Cache the result of verifyMachineAuthToken
+    const { data, errors } = await verifyMachineAuthToken(bearerToken, options);
     if (errors) {
-      return unauthenticatedMachineObject(tokenType, {
-        reason: authReason,
-        message: authMessage,
-        headers: new Headers(),
-      });
+      return unauthenticatedMachineObject(tokenType);
     }
 
     return authenticatedMachineObject(tokenType, bearerToken, data);
   }
 
-  // Fall back to sync version for session tokens
   return getAuthDataFromRequestSync(req, opts);
 };
diff --git a/packages/nextjs/src/server/protect.ts b/packages/nextjs/src/server/protect.ts
@@ -10,6 +10,7 @@ import type {
 } from '@clerk/types';
 
 import { constants as nextConstants } from '../constants';
+import { isTokenTypeAccepted } from '../server/utils';
 import { isNextFetcher } from './nextFetcher';
 import type { InferAuthObjectFromToken, InferAuthObjectFromTokenArray } from './types';
 
@@ -121,10 +122,8 @@ export function createProtect(opts: {
       return notFound();
     };
 
-    // Check if the token type matches the requested token
     if (requestedToken) {
-      const tokenTypes = Array.isArray(requestedToken) ? requestedToken : [requestedToken];
-      if (!tokenTypes.includes(authObject.tokenType)) {
+      if (!isTokenTypeAccepted(authObject.tokenType, requestedToken)) {
         return handleUnauthorized();
       }
       return authObject;
diff --git a/packages/nextjs/src/server/utils.ts b/packages/nextjs/src/server/utils.ts
@@ -1,4 +1,4 @@
-import type { AuthenticateRequestOptions, ClerkRequest, RequestState } from '@clerk/backend/internal';
+import type { AuthenticateRequestOptions, ClerkRequest, RequestState, TokenType } from '@clerk/backend/internal';
 import { constants } from '@clerk/backend/internal';
 import { isDevelopmentFromSecretKey } from '@clerk/shared/keys';
 import { logger } from '@clerk/shared/logger';
@@ -259,3 +259,18 @@ function decryptData(data: string, key: string) {
   const encoded = decryptedBytes.toString(Utf8);
   return JSON.parse(encoded);
 }
+
+/**
+ * Check if a token type is accepted given a requested token type.
+ */
+export const isTokenTypeAccepted = (
+  tokenType: TokenType,
+  acceptsToken: NonNullable<AuthenticateRequestOptions['acceptsToken']>,
+): boolean => {
+  if (acceptsToken === 'any') {
+    return true;
+  }
+
+  const tokenTypes = Array.isArray(acceptsToken) ? acceptsToken : [acceptsToken];
+  return tokenTypes.includes(tokenType);
+};
