feat: HTTP middleware

[gkats]

HTTP middleware for enhancing http.Handler with Clerk authentication. The http package provides two middleware:

• WithHeaderAuthentication checks the Authorization header for a valid JWT and sets the active session claims in the request context.
• RequireHeaderAuthentication responds with 403 Forbidden and halts the handler execution chain if it's unable to detect valid session claims.

Example usage:

ctx := context.Background()
rootHandler := func(w http.ResponseWriter, r *http.Request) {
  claims, _ := clerk.SessionClaimsFromContext(r.Context())
  w.Write([]byte(fmt.Sprintf(`{"user_id":"%s"}`, claims.UserID)))
}
// Adds active session claims to the request context
http.HandleFunc("/", clerkhttp.WithHeaderAuthentication(ctx)(rootHandler)

Please note that cookie based authentication is not supported. The SDK v1 middleware supported cookie authentication as well.

Added a new jwt package which implements the core function to validate a JWT. The function name is Verify and is used by the middleware to validate the Bearer JWT. The middleware above uses the Verify() method internally.

Added a new jwk package which provides operations for the JSON Web Keys API. We need to be able to fetch the instance JWK in order to validate and parse the Bearer token.

Added a dependency to go-jose/v3 package for performing operations on JWTs.

[georgepsarakis]

👏 Just a few questions, overall looks fine to me.

[georgepsarakis]

🔧 I think %v will print the error struct in Go format?

Suggested change

	return nil, fmt.Errorf("failed to parse public key: %v", err)
	return nil, fmt.Errorf("failed to parse public key: %s", err.Error())

[gkats]

👍 You are right, copy-pasted it from v1. Changed it to wrap the error with %w instead.

[georgepsarakis]

❓ There's probably good reason, I just don't see it yet, would you mind explaining quickly why the custom deserializer is required?

[gkats]

I wanted to avoid using a go-jose type and instead make sure we use only our own package's (clerk) types everywhere.

There's no reason to expose types that are meant for internal use anywhere. We unfortunately do this in v1 of our SDK.

The go-jose library is able to decode JSON web keys and we can leverage that to get a response from our Backend API GET /v1/jwks endpoint and translate it to our own clerk.JSONWebKeySet and effectively clerk.JSONWebKey.

Unfortunately, it looks like extracting the key ID and key from a JWK response is not that straightforward. Depending on the algorithm that's used the JWK response might have different fields set, each with different meaning.

The go-jose library handles unmarshaling nicely, but its raw unmarshaled type is unexported.

So, what I thought we could do is use the jose.JSONWebKey type to unmarshal the raw JSON and then copy over the resulting fields to our type.

I initially tried type aliasing but it didn't work as expected.

Hope the above makes the decision clearer. Let me know if I should offer more details! Perhaps I can add a comment explaining what's going on here?

[agis]

I wanted to avoid using a go-jose type and instead make sure we use only our own package's (clerk) types everywhere. There's no reason to expose types that are meant for internal use anywhere. We unfortunately do this in v1 of our SDK.

Very good call. This provides us with flexibility to change the underlying library (go-jose) without it being a breaking change.

[georgepsarakis]

I see, yes good call indeed. Now that the field is unexported the purpose is also much clearer!

[georgepsarakis]

❓ Would jwks be a more easily recognizable name? I'd assume there's more internal/external familiarity but not sure.

[gkats]

Indeed. I've opted for a singular term for all packages so far and thought I'd continue the same pattern. Happy to change it though if you think it's a problem.

[agis]

Since "jwks" is not a plural term but an acronym, I think the singular/plural rationale (which I'm all for!) does not apply here, right? If so, I tend to agree with George's suggestion.

[gkats]

Yes, initially I thought I'd treat this as a "JSON Web Key" API (hence jwk).

I guess everybody else expects the "JSON Web Key Set" API, so I've changed it.

[georgepsarakis]

🔧 Might be worth adding a unit test here, even for illustrating the use a bit better.

[gkats]

My intention was to add an integration test for the options, but setting the tests up took more time than expected. I'm planning to get back to this once I find some time.

[georgepsarakis]

❓ Don't you need a successful test case as well?

[gkats]

Yes, setting up tests for token verification is cumbersome, but I'll get back to this. I'll open a ticket to track this.

[georgepsarakis]

💡 We can prefix/namespace the context key with clerk so the scope is even clearer if someone inspects its contents.

[gkats]

Great idea! Updated.

[kostaspt]

🙃 Looks like there's a mix-up between Authentication and Authorization, even in the PR description. But Authorization seems to be the right term for this case.

Suggested change

	func TestWithHeaderAuthentication_InvalidAuthorization(t *testing.T) {
	func TestWithHeaderAuthorization_InvalidAuthorization(t *testing.T) {

[gkats]

Yes, the problem is that the header is called Authorization but it's often used for authentication. I'll try to reconcile.

[gkats]

Updated!

[agis]

Amazing work! Really like the new direction where this is headed 💯 👏🏽

[agis]

🔧 s/RequireAuthorization/RequireHeaderAuthorization

Also, how about the following?

RequireHeaderAuthorization will respond with HTTP 403 if the Authorization header does not contain a valid session token.

[gkats]

👍 Nice, updated!

[agis]

❓ Conceptually speaking, what's the difference between r.Context() and ctx here?

Actually, why does WithHeaderAuthorization accepts a context in the first place? Shouldn't it work off of the incoming request's context?

[gkats]

Good question, I had the same doubts.

I left the ctx context for possible future usage.

Although it's not actually needed, if we don't add it now and we need it in a future version, we'll break the API.

Do you think it's better to remove it?

[georgepsarakis]

I'm not sure I can think of a good usage pattern here too, since the middleware setup doesn't happen within an operation context. Perhaps we should remove it?

[gkats]

Removed the context from the arguments.

[agis]

🙃 Perhaps newCtx is a more accurate name? Perhaps not introducing a variable at all would be OK here as well.

[gkats]

Updated to newCtx.

[agis]

🔧 I believe it's worth noting here the runtime implications this option has. For example, a few questions raised when I read this:

1. if I set this, does it mean my SDK will never query the FAPI/BAPI JWKs endpoints?
   a. if so, what happens if the keys are rolled and hence the JWKs need to be refreshed?
   b. if not, how often the JWKs values are queried via FAPI/BAPI?

[gkats]

Enhanced the comment with more info.

[agis]

🔧 It's worth putting this under a WARNING: The token is not validated, therefore the returned Claims should NOT be trusted.

[gkats]

Done.

[agis]

I wanted to avoid using a go-jose type and instead make sure we use only our own package's (clerk) types everywhere. There's no reason to expose types that are meant for internal use anywhere. We unfortunately do this in v1 of our SDK.

Very good call. This provides us with flexibility to change the underlying library (go-jose) without it being a breaking change.

[agis]

🔧 Since we don't want to expose jose, shouldn't we avoid embedding this and instead wrap it with our own implementation?

[gkats]

Well, yes! Great catch, I missed this. Used an unexported field instead.

[agis]

🔧 How about something like:

Package jwks provides access to the JWKs endpoint.

See https://clerk.com/docs/reference/backend-api/tag/JWKS

[gkats]

👍 Updated.

[georgepsarakis]

I'm not sure I can think of a good usage pattern here too, since the middleware setup doesn't happen within an operation context. Perhaps we should remove it?

[georgepsarakis]

🔧 I think you need the Request context here:

Suggested change

	_, err := jwt.Decode(ctx, &jwt.DecodeParams{Token: token})
	_, err := jwt.Decode(r.Context(), &jwt.DecodeParams{Token: token})

[georgepsarakis]

ℹ️ I think you're already aware but just adding a reference for #202 before we solidify the option design!

[georgepsarakis]

🔧 Suggestion for a later PR to perhaps consider allowing client injection dependency here for testing.

[georgepsarakis]

I see, yes good call indeed. Now that the field is unexported the purpose is also much clearer!

[georgepsarakis]

🔧 Shouldn't the value type here be *SessionClaims 🤔 ?

[gkats]

🤔 I'm not sure about that. TBD after we settle on custom type for the claims.

[georgepsarakis]

Oh just saw your comment here, please ignore my comment above referencing the same issue 😬

[georgepsarakis]

🔧

Suggested change

	err = claims.Claims.ValidateWithLeeway(jwt.Expected{Time: time.Now()}, params.Leeway)
	err = claims.Claims.ValidateWithLeeway(jwt.Expected{Time: time.Now().UTC()}, params.Leeway)

[agis]

Approving for expediency, I don't see any blockers here since we're not releasing yet. Awesome work! 💯

[agis]

💡 Shall we validate that proxyURL is indeed a valid URL?

[agis]

❓ Is there any reason for someone to call this as Satellite(false)? If not, then perhaps this should be simplified to Satellite() (and always set params.IsSatellite = true).

[gkats]

I guess there's not. I mainly copied whatever was there before. The only thing I can think of is the usage difference

opts := []Opt{}
if isSatellite {
  opts = append(opts, Satellite())
}
WithHeaderAuthorization(opts...)

// vs
WithHeaderAuthorization(Satellite(isSatellite))

I believe the above is a valid case for leaving the API as is.

[agis]

It seems to me that it would be more fool-proof than what v1 does, but then again I understand if you decide it's not even worth it, since it's an edge case. Up to you! :)

[agis]

❓ What's the reason for wrapping Token in a struct? Is it for providing us a way to add more options without breaking compatibility (i.e. keeping the function signature intact)?

If so, I'm having a hard time imagining something that Decode would need to be extended with, that a functional option wouldn't be a fit for. In other words, perhaps it's perfectly fine to go with Decode(ctx, string) and in the future extend with functional options if needed? The reason I'm suggesting this is because the latter seems a simpler/easier to use API to me.

[gkats]

Yes, we're trying to use custom types for method arguments so that we can easily extend them in the future without introducing breaking changes in the API.

[agis]

Interesting. That's maybe worthy of more investigation, but it's out of scope of this PR. I'll create an internal ticket to investigate further.