From 99f8850728e2fc995b41eab72cafb820aafbbf19 Mon Sep 17 00:00:00 2001 From: panteliselef Date: Mon, 16 Dec 2024 17:26:37 +0200 Subject: [PATCH 1/3] chore(nextjs): Improve experience when swapping keys on Keyless mode --- .changeset/young-beans-trade.md | 5 ++++ packages/nextjs/src/server/errors.ts | 2 ++ packages/nextjs/src/server/utils.ts | 39 +++++++++++++++++++++++++--- 3 files changed, 42 insertions(+), 4 deletions(-) create mode 100644 .changeset/young-beans-trade.md diff --git a/.changeset/young-beans-trade.md b/.changeset/young-beans-trade.md new file mode 100644 index 0000000000..1771214fbb --- /dev/null +++ b/.changeset/young-beans-trade.md @@ -0,0 +1,5 @@ +--- +'@clerk/nextjs': patch +--- + +Improve experience when swapping keys on Keyless mode. diff --git a/packages/nextjs/src/server/errors.ts b/packages/nextjs/src/server/errors.ts index d2bc6d6c93..386f20b8ef 100644 --- a/packages/nextjs/src/server/errors.ts +++ b/packages/nextjs/src/server/errors.ts @@ -41,3 +41,5 @@ ${verifyMessage}`; export const authSignatureInvalid = `Clerk: Unable to verify request, this usually means the Clerk middleware did not run. Ensure Clerk's middleware is properly integrated and matches the current route. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware. (code=auth_signature_invalid)`; export const encryptionKeyInvalid = `Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`; + +export const encryptionKeyInvalidDev = `Clerk: Unable to decrypt request data.\n\nRefresh the page if your .env file was just updated. In the issue persists ensure the encryption key is valid and properly set.\n\nFor more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`; diff --git a/packages/nextjs/src/server/utils.ts b/packages/nextjs/src/server/utils.ts index 65fbe511fb..39d561ae39 100644 --- a/packages/nextjs/src/server/utils.ts +++ b/packages/nextjs/src/server/utils.ts @@ -11,8 +11,15 @@ import type { NextRequest } from 'next/server'; import { NextResponse } from 'next/server'; import { constants as nextConstants } from '../constants'; +import { canUseKeyless__server } from '../utils/feature-flags'; import { DOMAIN, ENCRYPTION_KEY, IS_SATELLITE, PROXY_URL, SECRET_KEY, SIGN_IN_URL } from './constants'; -import { authSignatureInvalid, encryptionKeyInvalid, missingDomainAndProxy, missingSignInUrlInDev } from './errors'; +import { + authSignatureInvalid, + encryptionKeyInvalid, + encryptionKeyInvalidDev, + missingDomainAndProxy, + missingSignInUrlInDev, +} from './errors'; import { errorThrower } from './errorThrower'; import type { RequestLike } from './types'; @@ -280,10 +287,34 @@ export function decryptClerkRequestData( : ENCRYPTION_KEY || SECRET_KEY || KEYLESS_ENCRYPTION_KEY; try { - const decryptedBytes = AES.decrypt(encryptedRequestData, maybeKeylessEncryptionKey); - const encoded = decryptedBytes.toString(encUtf8); - return JSON.parse(encoded); + return decryptData(encryptedRequestData, maybeKeylessEncryptionKey); } catch (err) { + /** + * There is a great chance when running on Keyless mode that the above fails, + * because the keys hot-swapped and the Next.js dev server has not yet fully rebuilt middleware and routes. + * + * Attempt one more time with the default dummy value. + */ + if (canUseKeyless__server) { + try { + return decryptData(encryptedRequestData, KEYLESS_ENCRYPTION_KEY); + } catch (e) { + throwInvalidEncryptionKey(); + } + } + throwInvalidEncryptionKey(); + } +} + +function throwInvalidEncryptionKey(): never { + if (isProductionEnvironment()) { throw new Error(encryptionKeyInvalid); } + throw new Error(encryptionKeyInvalidDev); +} + +function decryptData(data: string, key: string) { + const decryptedBytes = AES.decrypt(data, key); + const encoded = decryptedBytes.toString(encUtf8); + return JSON.parse(encoded); } From 821544b7d36fa82bf7673096fb830b6582ce2c57 Mon Sep 17 00:00:00 2001 From: panteliselef Date: Mon, 16 Dec 2024 18:51:50 +0200 Subject: [PATCH 2/3] Update packages/nextjs/src/server/errors.ts Co-authored-by: Bryce Kalow --- packages/nextjs/src/server/errors.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/nextjs/src/server/errors.ts b/packages/nextjs/src/server/errors.ts index 386f20b8ef..c519771a7e 100644 --- a/packages/nextjs/src/server/errors.ts +++ b/packages/nextjs/src/server/errors.ts @@ -42,4 +42,4 @@ export const authSignatureInvalid = `Clerk: Unable to verify request, this usual export const encryptionKeyInvalid = `Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`; -export const encryptionKeyInvalidDev = `Clerk: Unable to decrypt request data.\n\nRefresh the page if your .env file was just updated. In the issue persists ensure the encryption key is valid and properly set.\n\nFor more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`; +export const encryptionKeyInvalidDev = `Clerk: Unable to decrypt request data.\n\nRefresh the page if your .env file was just updated. If the issue persists, ensure the encryption key is valid and properly set.\n\nFor more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`; From a9f36b8b83db92c89b1d496aa6470f91ec65ca49 Mon Sep 17 00:00:00 2001 From: panteliselef Date: Mon, 16 Dec 2024 20:47:48 +0200 Subject: [PATCH 3/3] Update .changeset/young-beans-trade.md Co-authored-by: Bryce Kalow --- .changeset/young-beans-trade.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changeset/young-beans-trade.md b/.changeset/young-beans-trade.md index 1771214fbb..821697a2c8 100644 --- a/.changeset/young-beans-trade.md +++ b/.changeset/young-beans-trade.md @@ -2,4 +2,4 @@ '@clerk/nextjs': patch --- -Improve experience when swapping keys on Keyless mode. +Improves the error message when changing keys in development causes a subsequent request to fail.