refactor(clerk-js,shared,type): Support new claims and keep orgPermissions on authObject backwards compatible

Author: octoper

packages/backend/src/tokens/authObjects.ts

@@ -1,7 +1,5 @@
-import {
-  __experimental_resolveSignedInAuthStateFromJWTClaims,
-  createCheckAuthorization,
-} from '@clerk/shared/authorization';
+import { createCheckAuthorization } from '@clerk/shared/authorization';
+import { __experimental_JWTPayloadToAuthObjectProperties } from '@clerk/shared/jwtPayloadParser';
 import type {
   ActClaim,
   CheckAuthorizationFromSessionClaims,
@@ -104,7 +102,7 @@ export function signedInAuthObject(
   sessionClaims: JwtPayload,
 ): SignedInAuthObject {
   const { actor, sessionId, sessionStatus, userId, orgId, orgRole, orgSlug, orgPermissions, factorVerificationAge } =
-    __experimental_resolveSignedInAuthStateFromJWTClaims(sessionClaims);
+    __experimental_JWTPayloadToAuthObjectProperties(sessionClaims);
   const apiClient = createBackendApiClient(authenticateContext);
   const getToken = createGetToken({
     sessionId,

packages/clerk-js/src/core/jwt-client.ts

@@ -1,4 +1,4 @@
-import { __experimental_resolveSignedInAuthStateFromJWTClaims } from '@clerk/shared/authorization';
+import { __experimental_JWTPayloadToAuthObjectProperties } from '@clerk/shared/jwtPayloadParser';
 import type {
   ClientJSON,
   OrganizationMembershipJSON,
@@ -45,7 +45,7 @@ export function createClientFromJwt(jwt: string | undefined | null): Client {
   }
 
   const { sessionId, userId, orgId, orgRole, orgPermissions, orgSlug, factorVerificationAge } =
-    __experimental_resolveSignedInAuthStateFromJWTClaims(token.jwt.claims);
+    __experimental_JWTPayloadToAuthObjectProperties(token.jwt.claims);
 
   // TODO(jwt-v2): when JWT version 2 is available, we should revise org permissions
   const defaultClient = {

packages/shared/package.json

@@ -117,7 +117,8 @@
     "web3",
     "getEnvVariable",
     "pathMatcher",
-    "organization"
+    "organization",
+    "jwtPayloadParser"
   ],
   "scripts": {
     "build": "tsup",

packages/shared/src/__tests__/authorization.test.ts

@@ -0,0 +1,108 @@
+import { __experimental_JWTPayloadToAuthObjectProperties as JWTPayloadToAuthObjectProperties } from '../jwtPayloadParser';
+
+const baseClaims = {
+  exp: 1234567890,
+  iat: 1234567890,
+  iss: 'https://api.clerk.com',
+  sub: 'sub',
+  sid: 'sid',
+  azp: 'azp',
+  nbf: 1234567890,
+  __raw: '',
+};
+
+describe('resolveSignedInAuthStateFromJWTClaims', () => {
+  test.skip('produced auth object is the same for v1 and v2', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObjectV2 } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'permission1,permission2',
+      },
+    });
+
+    const { sessionClaims: v1Claims, ...signedInAuthObjectV1 } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      org_id: 'org_id',
+      org_role: 'admin',
+      org_slug: 'org_slug',
+      org_permissions: ['org:permission1', 'permission2'],
+    });
+    expect(signedInAuthObjectV1).toEqual(signedInAuthObjectV2);
+  });
+
+  test('org permissions are generated correctly when fea, per, and fpm are present', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObject } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      fea: 'o:impersonation,o:memberships',
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'read,manage',
+        fpm: '2,3',
+      },
+    });
+
+    expect(signedInAuthObject.orgPermissions?.sort()).toEqual(
+      ['org:impersonation:read', 'org:memberships:read', 'org:memberships:manage'].sort(),
+    );
+  });
+
+  test('if a feature is not mapped to any permissions it is added as is to the orgPermissions array', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObject } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      fea: 'o:impersonation,o:memberships,o:feature3',
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'read,manage',
+        fpm: '2,3',
+      },
+    });
+
+    expect(signedInAuthObject.orgPermissions?.sort()).toEqual(
+      ['org:impersonation:read', 'org:memberships:read', 'org:memberships:manage'].sort(),
+    );
+  });
+
+  test('includes both org and user scoped features', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObject } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      fea: 'uo:impersonation,o:memberships,uo:feature3',
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'read,manage',
+        fpm: '2,3,2',
+      },
+    });
+
+    expect(signedInAuthObject.orgPermissions?.sort()).toEqual(
+      ['org:impersonation:read', 'org:memberships:read', 'org:memberships:manage', 'org:feature3:read'].sort(),
+    );
+  });
+
+  test('feature are user scoped only', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObject } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      fea: 'u:impersonation,u:memberships,u:feature3',
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+      },
+    });
+
+    expect(signedInAuthObject.orgPermissions?.sort()).toEqual([]);
+  });
+});

packages/shared/src/__tests__/jwtPayloadParser.test.ts

@@ -2,7 +2,6 @@ import type {
   ActClaim,
   CheckAuthorizationWithCustomPermissions,
   GetToken,
-  JwtPayload,
   OrganizationCustomPermissionKey,
   OrganizationCustomRoleKey,
   PendingSessionOptions,
@@ -13,6 +12,7 @@ import type {
   SignOut,
   UseAuthReturn,
 } from '@clerk/types';
+import { permission } from 'process';
 
 type TypesToConfig = Record<SessionVerificationTypes, Exclude<ReverificationConfig, SessionVerificationTypes>>;
 type AuthorizationOptions = {
@@ -273,77 +273,4 @@ const resolveAuthState = ({
   }
 };
 
-/**
- * @internal
- */
-type SignedInAuthObjectProperties = {
-  sessionClaims: JwtPayload;
-  sessionId: string;
-  sessionStatus: SessionStatusClaim | null;
-  actor: ActClaim | undefined;
-  userId: string;
-  orgId: string | undefined;
-  orgRole: OrganizationCustomRoleKey | undefined;
-  orgSlug: string | undefined;
-  orgPermissions: OrganizationCustomPermissionKey[] | undefined;
-  /**
-   * Factor Verification Age
-   * Each item represents the minutes that have passed since the last time a first or second factor were verified.
-   * [fistFactorAge, secondFactorAge]
-   */
-  factorVerificationAge: [firstFactorAge: number, secondFactorAge: number] | null;
-};
-
-/**
- * @experimental
- *
- * Resolves the signed-in auth state from JWT claims.
- */
-const __experimental_resolveSignedInAuthStateFromJWTClaims = (claims: JwtPayload): SignedInAuthObjectProperties => {
-  let orgId: string | undefined;
-  let orgRole: OrganizationCustomRoleKey | undefined;
-  let orgSlug: string | undefined;
-  let orgPermissions: OrganizationCustomPermissionKey[] | undefined;
-
-  // fva can be undefined for instances that have not opt-in
-  const factorVerificationAge = claims.fva ?? null;
-
-  // sts can be undefined for instances that have not opt-in
-  const sessionStatus = claims.sts ?? null;
-
-  switch (claims.v) {
-    case 2: {
-      orgId = claims.org?.id;
-      orgRole = claims.org?.rol;
-      orgSlug = claims.org?.slg;
-      orgPermissions = claims.org?.per?.split(',').map((permission: string) => permission.trim()) || undefined;
-      break;
-    }
-    default:
-      orgId = claims.org_id;
-      orgRole = claims.org_role;
-      orgSlug = claims.org_slug;
-      orgPermissions = claims.org_permissions;
-      break;
-  }
-
-  return {
-    sessionClaims: claims,
-    sessionId: claims.sid,
-    sessionStatus,
-    actor: claims.act,
-    userId: claims.sub,
-    orgId: orgId,
-    orgRole: orgRole,
-    orgSlug: orgSlug,
-    orgPermissions,
-    factorVerificationAge,
-  };
-};
-
-export {
-  createCheckAuthorization,
-  validateReverificationConfig,
-  resolveAuthState,
-  __experimental_resolveSignedInAuthStateFromJWTClaims,
-};
+export { createCheckAuthorization, validateReverificationConfig, resolveAuthState };