Merge branch 'main' into tm/sdki-982-apply-testing-tokens-to-e2e-tests

Author: tmilewski

.changeset/cool-socks-invite.md

@@ -0,0 +1,6 @@
+---
+'@clerk/shared': minor
+'@clerk/types': minor
+---
+
+Adding the new `o` claim that contains all organization related info for JWT v2 schema

.changeset/cyan-hairs-share.md

@@ -0,0 +1,6 @@
+---
+'@clerk/clerk-js': patch
+'@clerk/backend': patch
+---
+
+Uses the helper function `__experimental_JWTPayloadToAuthObjectProperties` from `@clerk/shared` to handle the new JWT v2 schema.

.changeset/deep-moose-slide.md

@@ -0,0 +1,5 @@
+---
+'@clerk/astro': patch
+---
+
+Fixes issue with `useAuth()` erroring due to missing auth context on static output.

.changeset/great-moons-occur.md

@@ -0,0 +1,7 @@
+---
+'@clerk/clerk-js': patch
+'@clerk/shared': patch
+'@clerk/types': patch
+---
+
+Add Payment Sources to `<OrgProfile />`, hook up all org-related payment source and checkout methods to the org-specific endpoints

.changeset/hot-cats-smell.md

@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Fix issue where the SSO callback URL was incorrectly generated when using the transfer flow within a modal.

.changeset/tidy-dolls-join.md

@@ -0,0 +1,6 @@
+---
+'@clerk/clerk-js': patch
+'@clerk/types': patch
+---
+
+Optionally handle the `intent` parameter on SSO redirects to reload specific resources.

.github/workflows/ci.yml

@@ -179,7 +179,7 @@ jobs:
             next-version: '13'
           - test-name: 'nextjs'
             test-project: 'chrome'
-            next-version: '14.2.26'
+            next-version: '14'
           - test-name: 'nextjs'
             test-project: 'chrome'
             next-version: '15'

packages/astro/src/react/hooks.ts

@@ -1,4 +1,5 @@
 import { resolveAuthState } from '@clerk/shared/authorization';
+import { deriveState } from '@clerk/shared/deriveState';
 import type {
   CheckAuthorizationWithCustomPermissions,
   Clerk,
@@ -83,7 +84,7 @@ type UseAuth = (options?: PendingSessionOptions) => UseAuthReturn;
  * }
  */
 export const useAuth: UseAuth = ({ treatPendingAsSignedOut } = {}) => {
-  const authContext = useStore($authStore);
+  const authContext = useAuthStore();
   const clerkContext = useStore($clerkStore);
 
   const getToken: GetToken = useCallback(createGetToken(), []);
@@ -139,14 +140,18 @@ export const useAuth: UseAuth = ({ treatPendingAsSignedOut } = {}) => {
   return payload;
 };
 
+function useStore<T extends Store, SV extends StoreValue<T>>(store: T, getServerSnapshot?: () => SV): SV {
+  const get = store.get.bind(store);
+  return useSyncExternalStore<SV>(store.listen, get, getServerSnapshot || get);
+}
+
 /**
  * This implementation of `useStore` is an alternative solution to the hook exported by nanostores
  * Reference: https://github.com/nanostores/react/blob/main/index.js
  */
-function useStore<T extends Store, SV extends StoreValue<T>>(store: T): SV {
-  const get = store.get.bind(store);
-
-  return useSyncExternalStore<SV>(store.listen, get, () => {
+function useAuthStore() {
+  const get = $authStore.get.bind($authStore);
+  return useStore($authStore, () => {
     // Per react docs
     /**
      * optional getServerSnapshot:
@@ -160,7 +165,17 @@ function useStore<T extends Store, SV extends StoreValue<T>>(store: T): SV {
      * When this runs on the server we want to grab the content from the async-local-storage.
      */
     if (typeof window === 'undefined') {
-      return authAsyncStorage.getStore();
+      return deriveState(
+        false,
+        {
+          user: null,
+          session: null,
+          // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+          client: null!,
+          organization: null,
+        },
+        authAsyncStorage.getStore() as any,
+      );
     }
 
     /**

packages/backend/src/tokens/authObjects.ts

@@ -1,13 +1,11 @@
 import { createCheckAuthorization } from '@clerk/shared/authorization';
+import { __experimental_JWTPayloadToAuthObjectProperties } from '@clerk/shared/jwtPayloadParser';
 import type {
-  ActClaim,
   CheckAuthorizationFromSessionClaims,
   JwtPayload,
-  OrganizationCustomPermissionKey,
-  OrganizationCustomRoleKey,
   ServerGetToken,
   ServerGetTokenOptions,
-  SessionStatusClaim,
+  SharedSignedInAuthObjectProperties,
 } from '@clerk/types';
 
 import type { CreateBackendApiOptions } from '../api';
@@ -27,28 +25,7 @@ export type SignedInAuthObjectOptions = CreateBackendApiOptions & {
 /**
  * @internal
  */
-type SignedInAuthObjectProperties = {
-  sessionClaims: JwtPayload;
-  sessionId: string;
-  sessionStatus: SessionStatusClaim | null;
-  actor: ActClaim | undefined;
-  userId: string;
-  orgId: string | undefined;
-  orgRole: OrganizationCustomRoleKey | undefined;
-  orgSlug: string | undefined;
-  orgPermissions: OrganizationCustomPermissionKey[] | undefined;
-  /**
-   * Factor Verification Age
-   * Each item represents the minutes that have passed since the last time a first or second factor were verified.
-   * [fistFactorAge, secondFactorAge]
-   */
-  factorVerificationAge: [firstFactorAge: number, secondFactorAge: number] | null;
-};
-
-/**
- * @internal
- */
-export type SignedInAuthObject = SignedInAuthObjectProperties & {
+export type SignedInAuthObject = SharedSignedInAuthObjectProperties & {
   getToken: ServerGetToken;
   has: CheckAuthorizationFromSessionClaims;
   debug: AuthObjectDebug;
@@ -92,31 +69,6 @@ const createDebug = (data: AuthObjectDebugData | undefined) => {
   };
 };
 
-const generateSignedInAuthObjectProperties = (claims: JwtPayload): SignedInAuthObjectProperties => {
-  // fva can be undefined for instances that have not opt-in
-  const factorVerificationAge = claims.fva ?? null;
-
-  // sts can be undefined for instances that have not opt-in
-  const sessionStatus = claims.sts ?? null;
-
-  // TODO(jwt-v2): replace this when the new claim for org permissions is added, this will not break
-  // anything since the JWT v2 is not yet available
-  const orgPermissions = claims.org_permissions;
-
-  return {
-    sessionClaims: claims,
-    sessionId: claims.sid,
-    sessionStatus,
-    actor: claims.act,
-    userId: claims.sub,
-    orgId: claims.org_id,
-    orgRole: claims.org_role,
-    orgSlug: claims.org_slug,
-    orgPermissions,
-    factorVerificationAge,
-  };
-};
-
 /**
  * @internal
  */
@@ -126,14 +78,13 @@ export function signedInAuthObject(
   sessionClaims: JwtPayload,
 ): SignedInAuthObject {
   const { actor, sessionId, sessionStatus, userId, orgId, orgRole, orgSlug, orgPermissions, factorVerificationAge } =
-    generateSignedInAuthObjectProperties(sessionClaims);
+    __experimental_JWTPayloadToAuthObjectProperties(sessionClaims);
   const apiClient = createBackendApiClient(authenticateContext);
   const getToken = createGetToken({
     sessionId,
     sessionToken,
     fetcher: async (...args) => (await apiClient.sessions.getToken(...args)).jwt,
   });
-
   return {
     actor,
     sessionClaims,

packages/clerk-js/bundlewatch.config.json

@@ -1,9 +1,9 @@
 {
   "files": [
     { "path": "./dist/clerk.js", "maxSize": "590kB" },
-    { "path": "./dist/clerk.browser.js", "maxSize": "72.5KB" },
+    { "path": "./dist/clerk.browser.js", "maxSize": "73.21KB" },
     { "path": "./dist/clerk.headless*.js", "maxSize": "55KB" },
-    { "path": "./dist/ui-common*.js", "maxSize": "98KB" },
+    { "path": "./dist/ui-common*.js", "maxSize": "98.2KB" },
     { "path": "./dist/vendors*.js", "maxSize": "36KB" },
     { "path": "./dist/coinbase*.js", "maxSize": "35.5KB" },
     { "path": "./dist/createorganization*.js", "maxSize": "5KB" },
@@ -21,7 +21,7 @@
     { "path": "./dist/keylessPrompt*.js", "maxSize": "5.9KB" },
     { "path": "./dist/pricingTable*.js", "maxSize": "5KB" },
     { "path": "./dist/checkout*.js", "maxSize": "3KB" },
-    { "path": "./dist/paymentSources*.js", "maxSize": "8KB" },
+    { "path": "./dist/paymentSources*.js", "maxSize": "8.1KB" },
     { "path": "./dist/up-billing-page*.js", "maxSize": "1KB" },
     { "path": "./dist/op-billing-page*.js", "maxSize": "1KB" },
     { "path": "./dist/sessionTasks*.js", "maxSize": "1KB" }

packages/clerk-js/src/core/clerk.ts

@@ -1528,16 +1528,15 @@ export class Clerk implements ClerkInterface {
     // directs the opening page to navigate to the /sso-callback route), we need to reload the signIn and signUp resources
     // to ensure that we have the latest state. This operation can fail when we try reloading a resource that doesn't
     // exist (such as when reloading a signIn resource during a signUp attempt), but this can be safely ignored.
-    if (!window.opener) {
+    if (!window.opener && params.reloadResource) {
       try {
-        await signIn.reload();
-      } catch {
-        // This can be safely ignored
-      }
-      try {
-        await signUp.reload();
+        if (params.reloadResource === 'signIn') {
+          await signIn.reload();
+        } else if (params.reloadResource === 'signUp') {
+          await signUp.reload();
+        }
       } catch {
-        // This can be safely ignored
+        // This catch intentionally left blank.
       }
     }
 

packages/clerk-js/src/core/jwt-client.ts

@@ -1,3 +1,4 @@
+import { __experimental_JWTPayloadToAuthObjectProperties } from '@clerk/shared/jwtPayloadParser';
 import type {
   ClientJSON,
   OrganizationMembershipJSON,
@@ -43,47 +44,47 @@ export function createClientFromJwt(jwt: string | undefined | null): Client {
     } as unknown as ClientJSON);
   }
 
-  const { sid, sub, org_id, org_role, org_permissions, org_slug, fva } = token.jwt.claims;
-
-  // TODO(jwt-v2): when JWT version 2 is available, we should use the new claims instead of the old ones
+  const { sessionId, userId, orgId, orgRole, orgPermissions, orgSlug, factorVerificationAge } =
+    __experimental_JWTPayloadToAuthObjectProperties(token.jwt.claims);
 
+  // TODO(jwt-v2): when JWT version 2 is available, we should revise org permissions
   const defaultClient = {
     object: 'client',
-    last_active_session_id: sid,
+    last_active_session_id: sessionId,
     id: 'client_init',
     sessions: [
       {
         object: 'session',
-        id: sid,
+        id: sessionId,
         status: 'active',
-        last_active_organization_id: org_id || null,
+        last_active_organization_id: orgId || null,
         // @ts-expect-error - ts is not happy about `id:undefined`, but this is allowed and expected
         last_active_token: {
           id: undefined,
           object: 'token',
           jwt,
         } as TokenJSON,
-        factor_verification_age: fva || null,
+        factor_verification_age: factorVerificationAge || null,
         public_user_data: {
-          user_id: sub,
+          user_id: userId,
         } as PublicUserDataJSON,
         user: {
           object: 'user',
-          id: sub,
+          id: userId,
           organization_memberships:
-            org_id && org_slug && org_role
+            orgId && orgSlug && orgRole
               ? [
                   {
                     object: 'organization_membership',
-                    id: org_id,
-                    role: org_role,
-                    permissions: org_permissions || [],
+                    id: orgId,
+                    role: orgRole,
+                    permissions: orgPermissions || [],
                     organization: {
                       object: 'organization',
-                      id: org_id,
+                      id: orgId,
                       // Use slug as name for the organization, since name is not available in the token.
-                      name: org_slug,
-                      slug: org_slug,
+                      name: orgSlug,
+                      slug: orgSlug,
                       members_count: 1,
                       max_allowed_memberships: 1,
                     },

packages/clerk-js/src/core/modules/commerce/Commerce.ts

@@ -9,6 +9,7 @@ import type {
   ClerkPaginatedResponse,
 } from '@clerk/types';
 
+import { convertPageToOffsetSearchParams } from '../../../utils/convertPageToOffsetSearchParams';
 import {
   __experimental_CommerceInitializedPaymentSource,
   __experimental_CommercePaymentSource,
@@ -27,35 +28,42 @@ export class __experimental_Commerce implements __experimental_CommerceNamespace
   }
 
   initializePaymentSource = async (params: __experimental_InitializePaymentSourceParams) => {
+    const { orgId, ...rest } = params;
     const json = (
       await BaseResource._fetch({
-        path: `/me/commerce/payment_sources/initialize`,
+        path: orgId
+          ? `/organizations/${orgId}/commerce/payment_sources/initialize`
+          : `/me/commerce/payment_sources/initialize`,
         method: 'POST',
-        body: params as any,
+        body: rest as any,
       })
     )?.response as unknown as __experimental_CommerceInitializedPaymentSourceJSON;
     return new __experimental_CommerceInitializedPaymentSource(json);
   };
 
   addPaymentSource = async (params: __experimental_AddPaymentSourceParams) => {
+    const { orgId, ...rest } = params;
+
     const json = (
       await BaseResource._fetch({
-        path: `/me/commerce/payment_sources`,
+        path: orgId ? `/organizations/${orgId}/commerce/payment_sources` : `/me/commerce/payment_sources`,
         method: 'POST',
-        body: params as any,
+        body: rest as any,
       })
     )?.response as unknown as __experimental_CommercePaymentSourceJSON;
     return new __experimental_CommercePaymentSource(json);
   };
 
   getPaymentSources = async (params: __experimental_GetPaymentSourcesParams) => {
+    const { orgId, ...rest } = params;
+
     return await BaseResource._fetch({
-      path: `/me/commerce/payment_sources`,
+      path: orgId ? `/organizations/${orgId}/commerce/payment_sources` : `/me/commerce/payment_sources`,
       method: 'GET',
-      search: { orgId: params.orgId || '' },
+      search: convertPageToOffsetSearchParams(rest),
     }).then(res => {
       const { data: paymentSources, total_count } =
-        res as unknown as ClerkPaginatedResponse<__experimental_CommercePaymentSourceJSON>;
+        res?.response as unknown as ClerkPaginatedResponse<__experimental_CommercePaymentSourceJSON>;
       return {
         total_count,
         data: paymentSources.map(paymentSource => new __experimental_CommercePaymentSource(paymentSource)),