From 52f8b1a7236ef08551334ef534e96085279e74ab Mon Sep 17 00:00:00 2001
From: Haris Chaniotakis
Date: Wed, 4 Jan 2023 17:47:40 +0200
Subject: [PATCH] feat: Support new issuer format for dev instances
This commit adds support for the new issuer format we are going to introduce for our dev instances. The new format is 'https://foo-bar-13.clerk.accounts.dev' when the old one would be 'https://clerk.foo.bar-13.lcl.dev'
---
 clerk/middleware.go | 4 ++--
 clerk/tokens.go | 6 +++++-
 clerk/tokens_test.go | 21 +++++++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/clerk/middleware.go b/clerk/middleware.go
index 5c209244..2bb8f074 100644
--- a/clerk/middleware.go
+++ b/clerk/middleware.go
@@ -51,7 +51,7 @@ func isAuthV2Request(r *http.Request, client Client) (string, bool) {
 claims, err := client.DecodeToken(headerToken)
 if err == nil {
- return headerToken, strings.HasPrefix(claims.Issuer, "https://clerk.")
+ return headerToken, isValidIssuer(claims.Issuer)
 }
 // Verification from header token failed, try with token from cookie
@@ -65,5 +65,5 @@ func isAuthV2Request(r *http.Request, client Client) (string, bool) {
 return "", false
 }
- return cookieSession.Value, strings.HasPrefix(claims.Issuer, "https://clerk.")
+ return cookieSession.Value, isValidIssuer(claims.Issuer)
 }
diff --git a/clerk/tokens.go b/clerk/tokens.go
index fa042f4a..de98b4ab 100644
--- a/clerk/tokens.go
+++ b/clerk/tokens.go
@@ -100,7 +100,7 @@ func (c *client) VerifyToken(token string, opts ...VerifyTokenOption) (*SessionC
 return nil, err
 }
- if !strings.HasPrefix(claims.Issuer, "https://clerk.") {
+ if !isValidIssuer(claims.Issuer) {
 return nil, fmt.Errorf("invalid issuer %s", claims.Issuer)
 }
@@ -132,3 +132,7 @@ func verifyTokenParseClaims(parsedToken *jwt.JSONWebToken, key interface{}, sess
 }
 return parsedToken.Claims(key, sessionClaims, options.customClaims)
 }
+
+func isValidIssuer(issuer string) bool {
+ return strings.HasPrefix(issuer, "https://clerk.") || strings.Contains(issuer, ".clerk.accounts")
+}
diff --git a/clerk/tokens_test.go b/clerk/tokens_test.go
index 29330513..96ac3a39 100644
--- a/clerk/tokens_test.go
+++ b/clerk/tokens_test.go
@@ -198,6 +198,27 @@ func TestClient_VerifyToken_Success(t *testing.T) {
 }
 }
+func TestClient_VerifyToken_Success_NewIssuerFormat(t *testing.T) {
+ c, _ := NewClient("token")
+
+ claims := dummySessionClaims
+ claims.Issuer = "https://foo-bar-13.clerk.accounts.dev"
+
+ token, pubKey := testGenerateTokenJWT(t, dummySessionClaims, "kid")
+
+ client := c.(*client)
+ client.jwksCache.set(testBuildJWKS(t, pubKey, jose.RS256, "kid"))
+
+ got, err := c.VerifyToken(token)
+ if err != nil {
+ t.Fatalf("Expected no error but got %v", err)
+ }
+
+ if !reflect.DeepEqual(got, &dummySessionClaims) {
+ t.Errorf("Expected %+v, but got %+v", dummySessionClaims, got)
+ }
+}
+
 func TestClient_VerifyToken_Success_ExpiredCache(t *testing.T) {
 c, mux, _, teardown := setup("token")
 defer teardown()
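Review bot: `isValidIssuer` accepts any issuer string that merely contains `.clerk.accounts`: the new branch checks neither the `https` scheme nor where in the URL the substring sits, so a match in the path, or in front of an unrelated parent domain, passes. The helper now gates `VerifyToken` in tokens.go and both returns of `isAuthV2Request` in middleware.go, where the claims come from `DecodeToken` and are presumably not yet signature-checked. Parse the issuer and compare the host suffix instead, as sketched below. This needs `net/url` imported in tokens.go, and the `.clerk.accounts.dev` suffix is taken from the commit message, so any further suffixes should be listed explicitly.

```go
func isValidIssuer(issuer string) bool {
	if strings.HasPrefix(issuer, "https://clerk.") {
		return true
	}
	// New dev-instance format: match on the parsed host, not on a
	// substring of the whole issuer string.
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" {
		return false
	}
	return strings.HasSuffix(u.Hostname(), ".clerk.accounts.dev")
}
```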
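Review bot: `TestClient_VerifyToken_Success_NewIssuerFormat` does not exercise the new issuer format: `claims.Issuer` is set on what appears to be a copy, but the token is still built from `dummySessionClaims` and the result is compared with `&dummySessionClaims`, so the test passes on the old issuer. Use `token, pubKey := testGenerateTokenJWT(t, claims, "kid")` and `if !reflect.DeepEqual(got, &claims) {`, and pass `claims` to the `t.Errorf` call as well. A negative case asserting that an issuer carrying `.clerk.accounts` outside the host suffix is rejected would pin the matcher down. The error from `NewClient("token")` should also be checked rather than discarded.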