w

clerk · Nov 1, 2024 · 5fd04c5 · 5fd04c5
1 parent bcfce05
commit 5fd04c5
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 4 deletions.
diff --git a/lib/clerk/authenticatable.rb b/lib/clerk/authenticatable.rb
@@ -57,6 +57,10 @@ def clerk_user_signed_in?
       !!clerk_session_claims
     end
 
+    def clerk_session_needs_reverification?(params=StepUp::PRESETS[:strict])
+      request.env['clerk'].needs_reverification?(params)
+    end
+
     def clerk_sign_in_url
       ENV.fetch('CLERK_SIGN_IN_URL')
     end
@@ -70,10 +74,13 @@ def clerk_user_profile_url
     end
 
     included do
-      helper_method :clerk_session_claims, :clerk_user, :clerk_user_id, :clerk_user_signed_in?,
-                    :clerk_sign_in_url, :clerk_sign_up_url, :clerk_user_profile_url,
-                    :clerk_organization, :clerk_organization_id, :clerk_organization_role,
-                    :clerk_organization_permissions
+      helper_method :clerk_session_claims, :clerk_session_token, :clerk_user,
+                    :clerk_user, :clerk_user_id, :clerk_user_signed_in?,
+                    :clerk_sign_in_url, :clerk_sign_up_url,
+                    :clerk_user_profile_url,
+                    :clerk_organization, :clerk_organization_id,
+                    :clerk_organization_role, :clerk_organization_permissions,
+                    :clerk_session_needs_reverification?
     end
   end
 end
diff --git a/lib/clerk/constants.rb b/lib/clerk/constants.rb
@@ -48,4 +48,13 @@ module AuthErrorReason
     SESSION_TOKEN_WITHOUT_CLIENT_UAT = 'session-token-but-no-client-uat'
     UNEXPECTED_ERROR = 'unexpected-error'
   end
+
+  module StepUp
+    PRESETS = {
+      very_strict: { after_minutes: 10,   level: :multi_factor  },
+      strict:      { after_minutes: 10,   level: :second_factor },
+      moderate:    { after_minutes: 60,   level: :second_factor },
+      lax:         { after_minutes: 1440, level: :second_factor }
+    }
+  end
 end
diff --git a/lib/clerk/proxy.rb b/lib/clerk/proxy.rb
@@ -134,6 +134,40 @@ def org_permissions
       @session_claims['org_permissions']
     end
 
+    # Returns true if the session needs to perform step up verification
+    def needs_reverification?(params)
+      return false if session_claims.nil?
+
+      fva           = session_claims["fva"]
+      level         = params[:level]
+      after_minutes = Integer(params[:after_minutes])
+
+      return false if fva.nil? || after_minutes.nil? || level.nil?
+
+      factor1_age, factor2_age = fva
+      factor1_enabled = (factor1_age == -1 ? false : after_minutes > factor1_age)
+      factor2_enabled = (factor2_age == -1 ? false : after_minutes > factor2_age)
+
+      case level
+      when :first_factor  then factor1_enabled
+      when :second_factor then factor2_enabled
+      when :multi_factor
+        factor2_age == -1 ? factor1_enabled : factor1_enabled && factor2_enabled
+      end
+    end
+
+    def reverification_mismatch_response(missing_config={})
+      payload = {
+        clerk_error: {
+          type:     "forbidden",
+          reason:   "reverification-mismatch",
+          metadata: { reverification: missing_config, }
+        }
+      }
+
+      [403, { "Content-Type" => "application/json" }, [payload.to_json]]
+    end
+
     private
 
     def fetch_user(user_id)