Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(nextjs): Improve experience when swapping keys on Keyless mode #4787

Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/young-beans-trade.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@clerk/nextjs': patch
---

Improve experience when swapping keys on Keyless mode.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Should we mention here regarding the hot-swapped .env case? Just to clarify the "improve experience" part

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Improve experience when swapping keys on Keyless mode.
Improve error message when swapping keys defined as environment variables. Affects (code=encryption_key_invalid).
**On Keyless mode**: Attempt to not throw the error.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BRKalow @LauraBeatris is this better ?

panteliselef marked this conversation as resolved.
Show resolved Hide resolved
2 changes: 2 additions & 0 deletions packages/nextjs/src/server/errors.ts
Original file line number Diff line number Diff line change
Expand Up @@ -41,3 +41,5 @@ ${verifyMessage}`;
export const authSignatureInvalid = `Clerk: Unable to verify request, this usually means the Clerk middleware did not run. Ensure Clerk's middleware is properly integrated and matches the current route. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware. (code=auth_signature_invalid)`;

export const encryptionKeyInvalid = `Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`;

export const encryptionKeyInvalidDev = `Clerk: Unable to decrypt request data.\n\nRefresh the page if your .env file was just updated. In the issue persists ensure the encryption key is valid and properly set.\n\nFor more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`;
panteliselef marked this conversation as resolved.
Show resolved Hide resolved
39 changes: 35 additions & 4 deletions packages/nextjs/src/server/utils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,15 @@ import type { NextRequest } from 'next/server';
import { NextResponse } from 'next/server';

import { constants as nextConstants } from '../constants';
import { canUseKeyless__server } from '../utils/feature-flags';
import { DOMAIN, ENCRYPTION_KEY, IS_SATELLITE, PROXY_URL, SECRET_KEY, SIGN_IN_URL } from './constants';
import { authSignatureInvalid, encryptionKeyInvalid, missingDomainAndProxy, missingSignInUrlInDev } from './errors';
import {
authSignatureInvalid,
encryptionKeyInvalid,
encryptionKeyInvalidDev,
missingDomainAndProxy,
missingSignInUrlInDev,
} from './errors';
import { errorThrower } from './errorThrower';
import type { RequestLike } from './types';

Expand Down Expand Up @@ -280,10 +287,34 @@ export function decryptClerkRequestData(
: ENCRYPTION_KEY || SECRET_KEY || KEYLESS_ENCRYPTION_KEY;

try {
const decryptedBytes = AES.decrypt(encryptedRequestData, maybeKeylessEncryptionKey);
const encoded = decryptedBytes.toString(encUtf8);
return JSON.parse(encoded);
return decryptData(encryptedRequestData, maybeKeylessEncryptionKey);
} catch (err) {
/**
* There is a great chance when running on Keyless mode that the above fails,
* because the keys hot-swapped and the Next.js dev server has not yet fully rebuilt middleware and routes.
*
* Attempt one more time with the default dummy value.
*/
if (canUseKeyless__server) {
try {
return decryptData(encryptedRequestData, KEYLESS_ENCRYPTION_KEY);
} catch (e) {
throwInvalidEncryptionKey();
}
}
Comment on lines +292 to +304
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simple retrying with the dummy value

throwInvalidEncryptionKey();
}
}

function throwInvalidEncryptionKey(): never {
if (isProductionEnvironment()) {
throw new Error(encryptionKeyInvalid);
}
throw new Error(encryptionKeyInvalidDev);
}

function decryptData(data: string, key: string) {
const decryptedBytes = AES.decrypt(data, key);
const encoded = decryptedBytes.toString(encUtf8);
return JSON.parse(encoded);
}
Loading