Class: Clerk::SDK
- Inherits: ClerkHttpClient::SDK (Object > ClerkHttpClient::SDK > Clerk::SDK)
- Defined in: lib/clerk/sdk.rb
Constant Summary
- DEFAULT_HEADERS =
    # TODO: Move to constants?
    {
      "User-Agent": "Clerk/#{Clerk::VERSION}; Faraday/#{Faraday::VERSION}; Ruby/#{RUBY_VERSION}",
      "X-Clerk-SDK": "ruby/#{Clerk::VERSION}" # TODO: Add framework identifier
    }
- JWKS_CACHE_LIFETIME =
    # How often (in seconds) should JWKs be refreshed
    3600 # 1 hour / TODO: Move to constants?
- @@jwks_cache =
    JWKSCache.new(JWKS_CACHE_LIFETIME)
Class Method Summary
- .jwks_cache ⇒ Object
Instance Method Summary
- #decode_token(token) ⇒ Object
  Returns the decoded JWT payload without verifying whether the signature is valid.
- #verify_token(token, force_refresh_jwks: false, algorithms: ["RS256"], timeout: 5) ⇒ Object
  Decodes the JWT and verifies that it is valid (claims, signature, etc.) using the provided algorithms.
Class Method Details
.jwks_cache ⇒ Object

    # File 'lib/clerk/sdk.rb', line 19
    def self.jwks_cache
      @@jwks_cache
    end
Instance Method Details
#decode_token(token) ⇒ Object
Returns the decoded JWT payload without verifying whether the signature is valid.
WARNING: This will not verify whether the signature is valid. You should not use this for untrusted messages! You most likely want to use `verify_token`.

    # File 'lib/clerk/sdk.rb', line 27
    def decode_token(token)
      # Third argument `false` disables signature verification; the payload is untrusted input.
      JWT.decode(token, nil, false).first
    end
#verify_token(token, force_refresh_jwks: false, algorithms: ["RS256"], timeout: 5) ⇒ Object
Decodes the JWT and verifies that it is valid (claims, signature, etc.) using the provided algorithms.
JWKS are cached for JWKS_CACHE_LIFETIME seconds to avoid unnecessary roundtrips. To invalidate the cache, pass `force_refresh_jwks: true`.
A timeout for the request to the JWKs endpoint can be set with the `timeout` argument.

    # File 'lib/clerk/sdk.rb', line 37
    def verify_token(token, force_refresh_jwks: false, algorithms: ["RS256"], timeout: 5)
      # ruby-jwt calls the loader with an options Hash (kid_not_found: true or
      # invalidate: true), so the lambda must accept one argument.
      jwk_loader = ->(options) do
        # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
        # opposed to a string which our SDK returns by default)
        { keys: SDK.jwks_cache.fetch(self, kid_not_found: (options[:invalidate] || options[:kid_not_found]), force_refresh: force_refresh_jwks) }
      end

      # Note: as written, `timeout` reaches JWT.decode as exp_leeway (seconds of
      # clock skew tolerated on the exp claim), not as an HTTP timeout.
      JWT.decode(token, nil, true, algorithms: algorithms, exp_leeway: timeout, jwks: jwk_loader).first
    end
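As an added example (not the SDK's own code), the refresh behaviour described above: a hypothetical TTL cache that re-fetches the key set on expiry, on force_refresh, or after a kid miss, together with an RS256 verifier built only on Ruby's standard library that pins the algorithm and checks exp. TtlJwksCache, to_jwk, sign_rs256, verify_rs256 and the constructed key set are assumptions of this example, not the SDK's API.

```ruby
require "openssl"
require "json"
# Hypothetical stand-in for the SDK's JWKSCache: the key set is re-fetched when
# the lifetime has elapsed, when force_refresh is passed, or after a kid miss.
class TtlJwksCache
  attr_reader :fetches
  def initialize(lifetime, &fetcher)
    @lifetime, @fetcher, @fetches, @keys, @fetched_at = lifetime, fetcher, 0, nil, 0
  end
  def fetch(force_refresh: false, kid_not_found: false)
    expired = @keys.nil? || Time.now.to_i - @fetched_at >= @lifetime
    if expired || force_refresh || kid_not_found
      @keys, @fetched_at, @fetches = @fetcher.call, Time.now.to_i, @fetches + 1
    end
    @keys
  end
end

# base64url without padding (RFC 7515); built on pack/unpack so no gem is needed.
def b64url(bytes); [bytes].pack("m0").tr("+/", "-_").delete("="); end
def b64url_decode(str); str.tr("-_", "+/").ljust((str.size + 3) & ~3, "=").unpack1("m0"); end

# Public JWK (RFC 7518 "n"/"e") from an RSA key, and the reverse via PKCS#1 DER.
def to_jwk(kid, rsa)
  { "kid" => kid, "kty" => "RSA", "n" => b64url(rsa.n.to_s(2)), "e" => b64url(rsa.e.to_s(2)) }
end
def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[f]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
end

# Constructed signer for test tokens (real tokens come from the identity provider).
def sign_rs256(claims, kid, rsa)
  input = "#{b64url({ alg: "RS256", kid: kid }.to_json)}.#{b64url(claims.to_json)}"
  "#{input}.#{b64url(rsa.sign("SHA256", input))}"
end

# Returns the claims only if alg is RS256, the signature verifies under the key
# named by kid, and exp is in the future; an unknown kid triggers one refresh.
def verify_rs256(token, cache, now: Time.now.to_i)
  h, p, s = token.to_s.split("."); return nil unless s
  header = JSON.parse(b64url_decode(h))
  return nil unless header["alg"] == "RS256" # pin the algorithm; never trust the header
  find = ->(keys) { keys.find { |k| k["kid"] == header["kid"] } }
  jwk = find.(cache.fetch) || find.(cache.fetch(kid_not_found: true))
  return nil unless jwk && rsa_from_jwk(jwk).verify("SHA256", b64url_decode(s), "#{h}.#{p}")
  claims = JSON.parse(b64url_decode(p))
  claims["exp"].to_i > now ? claims : nil
end
```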