Class: Clerk::SDK

Inherits:
Object
  • Object
show all
Defined in:
lib/clerk/sdk.rb

Constant Summary collapse

DEFAULT_HEADERS = 
{
  "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}",
  "X-Clerk-SDK" => "ruby/#{Clerk::VERSION}"
}
JWKS_CACHE_LIFETIME =

How often (in seconds) should JWKs be refreshed

3600

Instance Method Summary collapse

Constructor Details

#initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true, connection: nil) ⇒ SDK

1 hour



31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
 
# File 'lib/clerk/sdk.rb', line 31

def initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true,
               connection: nil)
  @jwks_fetched_at = nil

  if connection # Inject a Faraday::Connection for testing or full control over Faraday
    @conn = connection
    return
  else
    base_url = base_url || Clerk.configuration.base_url
    base_uri = if !base_url.end_with?("/")
                 URI("#{base_url}/")
               else
                 URI(base_url)
               end
    api_key = api_key || Clerk.configuration.api_key
    logger = logger || Clerk.configuration.logger
    @conn = Faraday.new(
      url: base_uri, headers: DEFAULT_HEADERS, ssl: {verify: ssl_verify}
    ) do |f|
      f.request :url_encoded
      f.request :authorization, "Bearer", api_key
      if logger
        f.response :logger, logger do |l|
          l.filter(/(Authorization: "Bearer) (\w+)/, '\1 [SECRET]')
        end
      end
    end
  end
end

Instance Method Details

#allowlistObject 



106
107
108
 
# File 'lib/clerk/sdk.rb', line 106

def allowlist
  Resources::Allowlist.new(self)
end

#allowlist_identifiersObject 



102
103
104
 
# File 'lib/clerk/sdk.rb', line 102

def allowlist_identifiers
  Resources::AllowlistIdentifiers.new(self)
end

#clientsObject 



110
111
112
 
# File 'lib/clerk/sdk.rb', line 110

def clients
  Resources::Clients.new(self)
end

#decode_token(token) ⇒ Object

Returns the decoded JWT payload without verifying if the signature is valid.

WARNING: This will not verify whether the signature is valid. You should not use this for untrusted messages! You most likely want to use verify_token.



148
149
150
 
# File 'lib/clerk/sdk.rb', line 148

def decode_token(token)
  JWT.decode(token, nil, false).first
end

#emailsObject 



114
115
116
 
# File 'lib/clerk/sdk.rb', line 114

def emails
  Resources::Emails.new(self)
end

#interstitial(refresh = false) ⇒ Object 



138
139
140
 
# File 'lib/clerk/sdk.rb', line 138

def interstitial(refresh=false)
  request(:get, "internal/interstitial")
end

#jwksObject 



134
135
136
 
# File 'lib/clerk/sdk.rb', line 134

def jwks
  Resources::JWKS.new(self)
end

#organizationsObject 



118
119
120
 
# File 'lib/clerk/sdk.rb', line 118

def organizations
  Resources::Organizations.new(self)
end

#request(method, path, query: [], body: nil, timeout: nil) ⇒ Object 



61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
# File 'lib/clerk/sdk.rb', line 61

def request(method, path, query: [], body: nil, timeout: nil)
  response = case method
             when :get
               @conn.get(path, query) do |req|
                 req.options.timeout = timeout if timeout
               end
             when :post
               @conn.post(path, body) do |req|
                 req.body = body
                 req.options.timeout = timeout if timeout
               end
             when :patch
               @conn.patch(path, body) do |req|
                 req.body = body
                 req.options.timeout = timeout if timeout
               end
             when :delete
               @conn.delete(path) do |req|
                 req.options.timeout = timeout if timeout
               end
             end

  body = if response["Content-Type"] == "application/json"
           JSON.parse(response.body)
         else
           response.body
         end

  if response.success?
    body
  else
    klass = case body.dig("errors", 0, "code")
            when "cookie_invalid", "client_not_found", "resource_not_found"
              Errors::Authentication
            else
              Errors::Fatal
            end
    raise klass.new(body, status: response.status)
  end
end

#sessionsObject 



122
123
124
 
# File 'lib/clerk/sdk.rb', line 122

def sessions
  Resources::Sessions.new(self)
end

#sms_messagesObject 



126
127
128
 
# File 'lib/clerk/sdk.rb', line 126

def sms_messages
  Resources::SMSMessages.new(self)
end

#usersObject 



130
131
132
 
# File 'lib/clerk/sdk.rb', line 130

def users
  Resources::Users.new(self)
end

#verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5) ⇒ Object

Decode the JWT and verify it's valid (verify claims, signature etc.) using the provided algorithms.

JWKS are cached for JWKS_CACHE_LIFETIME seconds, in order to avoid unecessary roundtrips. In order to invalidate the cache, pass `force_refresh_jwks: true`.

A timeout for the request to the JWKs endpoint can be set with the `timeout` argument.



161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
 
# File 'lib/clerk/sdk.rb', line 161

def verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5)
  jwk_loader = ->(options) do
    @cached_jwks = nil if options[:invalidate] || force_refresh_jwks
    @cached_jwks = nil if @jwks_fetched_at && Time.now.to_i - @jwks_fetched_at > JWKS_CACHE_LIFETIME

    @cached_jwks ||= begin
      keys = jwks.all["keys"]
      @jwks_fetched_at = Time.now.to_i

      # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
      # opposed to a string which our SDK returns by default)
      { keys: keys }
    end
  end

  JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwk_loader).first
end