feat(nextjs): Introduce machine authentication #5710
Conversation
|
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
wobsoriano
force-pushed
the
rob/robo-114-nextjs-sdk-m2m
branch
from
ba2f2aa to
d0bab9b
Compare
wobsoriano
force-pushed
the
rob/robo-114-nextjs-sdk-m2m
branch
from
5e0630b to
69e9760
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR introduces machine authentication support for the Next.js SDK by updating auth-related helpers and middleware to accept and correctly process machine tokens. The changes include:
- Enhancements to type inference for auth objects via new generic types.
- Updates to auth(), auth.protect(), and clerkMiddleware() to handle both session and machine tokens.
- Additional tests to verify the new machine token behaviors.
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/nextjs/src/server/types.ts | Added generic types to infer auth objects from single and multiple token types. |
| packages/nextjs/src/server/protect.ts | Extended protection logic to validate and handle machine tokens. |
| packages/nextjs/src/server/nextErrors.ts | Introduced an unauthorized() function for machine token error handling. |
| packages/nextjs/src/server/data/getAuthDataFromRequest.ts | Split auth data retrieval into sync/async versions, with sync only accepting session tokens. |
| packages/nextjs/src/server/createGetAuth.ts | Updated options propagation to include acceptsToken for dynamic auth behavior. |
| packages/nextjs/src/server/clerkMiddleware.ts | Modified middleware auth handling to support machine tokens and enhanced redirects. |
| packages/nextjs/src/app-router/server/auth.ts | Updated auth() API to correctly infer return types based on token type. |
| tests files | Added/updated tests verifying machine token support and related error handling. |
|
|
||
| const authHandler = async (options?: GetAuthOptions) => { | ||
| const acceptsToken = options?.acceptsToken ?? TokenType.SessionToken; | ||
|
|
There was a problem hiding this comment.
The use of 'any' as the acceptsToken value bypasses token type validation, which is noted as a TODO regarding potential economic attacks. Consider adding a clarifying comment that explains this behavior and its intended usage to help maintain security awareness.
| // The 'any' value for acceptsToken bypasses token type validation. | |
| // This is intended for scenarios where the token type is irrelevant or | |
| // where the caller explicitly accepts all token types. However, this | |
| // behavior comes with potential security risks, such as economic attacks, | |
| // if misused. Use 'any' cautiously and only when absolutely necessary. |
Copilot uses AI. Check for mistakes.
Co-authored-by: Copilot <[email protected]>
wobsoriano
force-pushed
the
rob/robo-36-sdk-m2m
branch
from
26ea907 to
58c0c97
Compare
wobsoriano
changed the title
|
!snapshot |
|
Hey @wobsoriano - the snapshot version command generated the following package versions:
Tip: Use the snippet copy button below to quickly install the required packages. npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact |
| }) => | ||
| withLogger(debugLoggerName, logger => { | ||
| return (req: RequestLike, opts?: { secretKey?: string }): AuthObject => { | ||
| return (req: RequestLike, opts?: { secretKey?: string }): SignedInAuthObject | SignedOutAuthObject => { |
There was a problem hiding this comment.
Since getAuth() does not have machine auth feature yet (will be breaking because it's async), we need to type it as session auth
| })(req, {} as NextFetchEvent); | ||
|
|
||
| expect(resp?.status).toEqual(401); | ||
| expect(resp?.headers.get('WWW-Authenticate')).toBeTruthy(); |
There was a problem hiding this comment.
🤔 it might be a good idea to assert on the explicit value here, instead of just the truthy check
Description
This is a companion PR to #5689, that updates the Next.js SDK
clerkMiddleware(),auth(), andauth.protect()helpers to accommodate machine auth tokens.Key changes:
auth()to accept aacceptTokensparam. Useful for leaf node route protection.auth.protect()to accept atokensparam. Useful in protecting routes inside a middleware.clerkMiddleware()to passanyas the defaultacceptsTokentype toauthenticateRequest. This however opens up an opportunity for an economic attacks and will be tackled in a separate PR.Resolves ROBO-114 and ROBO-134
Checklist
pnpm testruns as expected.pnpm buildruns as expected.Type of change