Class: Clerk::SDK

Inherits:

Object

• Object
• Clerk::SDK

Defined in:

lib/clerk/sdk.rb

Constant Summary

DEFAULT_HEADERS =

{
  "User-Agent" => "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}",
  "X-Clerk-SDK" => "ruby/#{Clerk::VERSION}"
}

JWKS_CACHE_LIFETIME =

How often (in seconds) should JWKs be refreshed

3600

@@jwks_cache =

1 hour

JWKSCache.new(JWKS_CACHE_LIFETIME)

Class Method Summary

• .jwks_cache ⇒ Object

Instance Method Summary

• #allowlist ⇒ Object
• #allowlist_identifiers ⇒ Object
• #clients ⇒ Object
• #decode_token(token) ⇒ Object

  Returns the decoded JWT payload without verifying if the signature is valid.

• #email_addresses ⇒ Object
• #emails ⇒ Object
• #initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true, connection: nil) ⇒ SDK constructor

  A new instance of SDK.

• #jwks ⇒ Object
• #organizations ⇒ Object
• #phone_numbers ⇒ Object
• #request(method, path, query: [], body: nil, timeout: nil) ⇒ Object
• #sessions ⇒ Object
• #users ⇒ Object
• #verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5) ⇒ Object

  Decode the JWT and verify it’s valid (verify claims, signature etc.) using the provided algorithms.

Constructor Details

#initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true, connection: nil) ⇒ SDK

Returns a new instance of SDK.

# File 'lib/clerk/sdk.rb', line 39

def initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true,
               connection: nil)
  if connection
    # Inject a Faraday::Connection for testing or full control over Faraday
    @conn = connection
    return
  else
    base_url = base_url || Clerk.configuration.base_url
    base_uri = if !base_url.end_with?("/")
                 URI("#{base_url}/")
               else
                 URI(base_url)
               end

    api_key ||= Clerk.configuration.api_key

    if Faraday::VERSION.to_i >= 2 && api_key.nil?
      api_key = -> { raise ArgumentError, "Clerk secret key is not set" }
    end

    logger = logger || Clerk.configuration.logger
    @conn = Faraday.new(
      url: base_uri, headers: DEFAULT_HEADERS, ssl: {verify: ssl_verify}
    ) do |f|
      f.request :url_encoded
      f.request :authorization, "Bearer", api_key
      if logger
        f.response :logger, logger do |l|
          l.filter(/(Authorization: "Bearer) (\w+)/, '\1 [SECRET]')
        end
      end
    end
  end
end

Class Method Details

.jwks_cache ⇒ Object

# File 'lib/clerk/sdk.rb', line 35

def self.jwks_cache
  @@jwks_cache
end

Instance Method Details

#allowlist ⇒ Object

# File 'lib/clerk/sdk.rb', line 121

def allowlist
  Resources::Allowlist.new(self)
end

#allowlist_identifiers ⇒ Object

# File 'lib/clerk/sdk.rb', line 117

def allowlist_identifiers
  Resources::AllowlistIdentifiers.new(self)
end

#clients ⇒ Object

# File 'lib/clerk/sdk.rb', line 125

def clients
  Resources::Clients.new(self)
end

#decode_token(token) ⇒ Object

Returns the decoded JWT payload without verifying if the signature is valid.

WARNING: This will not verify whether the signature is valid. You should not use this for untrusted messages! You most likely want to use verify_token.

# File 'lib/clerk/sdk.rb', line 163

def decode_token(token)
  JWT.decode(token, nil, false).first
end

#email_addresses ⇒ Object

# File 'lib/clerk/sdk.rb', line 129

def email_addresses
  Resources::EmailAddresses.new(self)
end

#emails ⇒ Object

# File 'lib/clerk/sdk.rb', line 133

def emails
  Resources::Emails.new(self)
end

#jwks ⇒ Object

# File 'lib/clerk/sdk.rb', line 153

def jwks
  Resources::JWKS.new(self)
end

#organizations ⇒ Object

# File 'lib/clerk/sdk.rb', line 137

def organizations
  Resources::Organizations.new(self)
end

#phone_numbers ⇒ Object

# File 'lib/clerk/sdk.rb', line 141

def phone_numbers
  Resources::PhoneNumbers.new(self)
end

#request(method, path, query: [], body: nil, timeout: nil) ⇒ Object

# File 'lib/clerk/sdk.rb', line 74

def request(method, path, query: [], body: nil, timeout: nil)
  response = case method
             when :get
               @conn.get(path, query) do |req|
                 req.options.timeout = timeout if timeout
               end
             when :post
               @conn.post(path, body) do |req|
                 req.body = body.to_json
                 req.headers[:content_type] = "application/json"
                 req.options.timeout = timeout if timeout
               end
             when :patch
               @conn.patch(path, body) do |req|
                 req.body = body.to_json
                 req.headers[:content_type] = "application/json"
                 req.options.timeout = timeout if timeout
               end
             when :delete
               @conn.delete(path) do |req|
                 req.options.timeout = timeout if timeout
               end
             end

  body = if response[CONTENT_TYPE_HEADER] == "application/json"
           JSON.parse(response.body)
         else
           response.body
         end

  if response.success?
    body
  else
    klass = case body.dig("errors", 0, "code")
            when "cookie_invalid", "client_not_found", "resource_not_found"
              Errors::Authentication
            else
              Errors::Fatal
            end
    raise klass.new(body, status: response.status)
  end
end

#sessions ⇒ Object

# File 'lib/clerk/sdk.rb', line 145

def sessions
  Resources::Sessions.new(self)
end

#users ⇒ Object

# File 'lib/clerk/sdk.rb', line 149

def users
  Resources::Users.new(self)
end

#verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5) ⇒ Object

Decode the JWT and verify it’s valid (verify claims, signature etc.) using the provided algorithms.

JWKS are cached for JWKS_CACHE_LIFETIME seconds, in order to avoid unecessary roundtrips. In order to invalidate the cache, pass ‘force_refresh_jwks: true`.

A timeout for the request to the JWKs endpoint can be set with the ‘timeout` argument.

# File 'lib/clerk/sdk.rb', line 176

def verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5)
  jwk_loader = ->(options) do
    # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
    # opposed to a string which our SDK returns by default)
    { keys: SDK.jwks_cache.fetch(self, kid_not_found: (options[:invalidate] || options[:kid_not_found]), force_refresh: force_refresh_jwks) }
  end

  JWT.decode(token, nil, true, algorithms: algorithms, exp_leeway: timeout, jwks: jwk_loader).first
end