Class: Clerk::RackMiddlewareV2

Inherits:
Object
  • Object
show all
Defined in:
lib/clerk/rack_middleware_v2.rb

Instance Method Summary collapse

Constructor Details

#initialize(app) ⇒ RackMiddlewareV2

Returns a new instance of RackMiddlewareV2.



61
62
63
 
# File 'lib/clerk/rack_middleware_v2.rb', line 61

def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ Object 



65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
# File 'lib/clerk/rack_middleware_v2.rb', line 65

def call(env)
  env = env
  req = Rack::Request.new(env)
  env["clerk"] = Clerk::ProxyV2.new
  header_token = req.env["HTTP_AUTHORIZATION"]
  header_token = header_token.strip.sub(/\ABearer /, '') if header_token
  cookie_token = req.cookies["__session"]
  client_uat = req.cookies["__client_uat"]

  ##########################################################################
  #                                                                        #
  #                          HEADER AUTHENTICATION                         #
  #                                                                        #
  ##########################################################################
  if header_token
    begin
      return signed_out(env) if !sdk.decode_token(header_token) # malformed JWT
    rescue JWT::DecodeError
      return signed_out(env)  # malformed JSON authorization header
    end
    
    token = verify_token(header_token)
    return signed_in(env, token, header_token) if token

    # Clerk.js should refresh the token and retry
    return unknown(interstitial: false)
  end

  # in cross-origin XHRs the use of Authorization header is mandatory.
  if cross_origin_request?(req)
    return signed_out(env)
  end

  if development_or_staging? && !browser_request?(req)
    # the interstitial won't work if the user agent is not a browser, so
    # short-circuit and avoid rendering it
    #
    # We only limit this to dev/stg because we're not yet sure how robust
    # this strategy is, yet. In the future, we might enable it for prod too.
    return signed_out(env)
  end

  ##########################################################################
  #                                                                        #
  #                             COOKIE AUTHENTICATION                      #
  #                                                                        #
  ##########################################################################
  if development_or_staging? && (req.referrer.nil? || cross_origin_request?(req))
    return unknown(interstitial: true)
  end

  if production? && client_uat.nil?
    return signed_out(env)
  end

  if client_uat == "0"
    return signed_out(env)
  end

  token = verify_token(cookie_token)

  if token && token["iat"] && client_uat && Integer(client_uat) <= token["iat"]
    return signed_in(env, token, cookie_token)
  end

  unknown(interstitial: true)
end