Minor Changes
- Introduces machine authentication, supporting four token types: `api_key`, `oauth_token`, `machine_token`, and `session_token`. For backwards compatibility, `session_token` remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification. (#5689) by @wobsoriano

You can specify which token types are allowed for a given route or handler using the `acceptsToken` property in the `auth()` helper, or the `token` property in the `auth.protect()` helper. Each can be set to a specific type, an array of types, or `'any'` to accept all supported tokens.

Example usage in Next.js middleware:

```ts
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';

const isOAuthAccessible = createRouteMatcher(['/oauth(.*)']);
const isApiKeyAccessible = createRouteMatcher(['/api(.*)']);
const isMachineTokenAccessible = createRouteMatcher(['/m2m(.*)']);
const isUserAccessible = createRouteMatcher(['/user(.*)']);
const isAccessibleToAnyValidToken = createRouteMatcher(['/any(.*)']);

export default clerkMiddleware(async (auth, req) => {
  // Each route prefix accepts exactly one token type; '/any' accepts all four.
  if (isOAuthAccessible(req)) await auth.protect({ token: 'oauth_token' });
  if (isApiKeyAccessible(req)) await auth.protect({ token: 'api_key' });
  if (isMachineTokenAccessible(req)) await auth.protect({ token: 'machine_token' });
  if (isUserAccessible(req)) await auth.protect({ token: 'session_token' });
  if (isAccessibleToAnyValidToken(req)) await auth.protect({ token: 'any' });
});

export const config = {
  matcher: [
    '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
    '/(api|trpc)(.*)',
  ],
};
```

Leaf node route protection:

```ts
import { auth } from '@clerk/nextjs/server';

// In this example, we allow users and oauth tokens with the "profile" scope
// to access the data. Other types of tokens are rejected.
// `db`, `user`, and `eq` come from the application's own database setup
// and are not shown here.
async function POST(req, res) {
  const authObject = await auth({ acceptsToken: ['session_token', 'oauth_token'] });

  if (authObject.tokenType === 'oauth_token' && !authObject.scopes?.includes('profile')) {
    throw new Error('Unauthorized: OAuth token missing the "profile" scope');
  }

  // get data from db using userId
  const data = await db.select().from(user).where(eq(user.id, authObject.userId));
  return { data };
}
```
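To make the accept-list semantics above testable without a Clerk backend, here is an added example (not Clerk's implementation) that models the documented rules: a specific type, an array of types, or `'any'`, with `session_token` as the default when nothing is specified, plus the OAuth scope check from the leaf-node snippet. The `authorize` helper, the `requiredScopes` option and the sample auth objects are assumptions made for this illustration.

```javascript
// Added example: a stand-alone model of the token-type gating described in
// this changelog entry. It is NOT Clerk's code; it mirrors the documented
// semantics so a route's policy can be unit-tested offline.
const TOKEN_TYPES = ['api_key', 'oauth_token', 'machine_token', 'session_token'];

// Normalize an acceptsToken / token option into the set of allowed types.
// undefined -> session_token only (the backwards-compatible default).
function allowedTokenTypes(acceptsToken) {
  if (acceptsToken === undefined) return new Set(['session_token']);
  if (acceptsToken === 'any') return new Set(TOKEN_TYPES);
  const list = Array.isArray(acceptsToken) ? acceptsToken : [acceptsToken];
  for (const t of list) {
    // Fail closed on typos: an unknown type must not silently allow nothing or everything.
    if (!TOKEN_TYPES.includes(t)) throw new TypeError(`unknown token type: ${t}`);
  }
  return new Set(list);
}

// Decide whether a verified auth object may reach a handler.
// `authObject` is a constructed stand-in for what auth() returns: it carries
// tokenType and, for OAuth access tokens, the granted scopes.
// Returns { ok: true } or { ok: false, reason }.
function authorize(authObject, { acceptsToken, requiredScopes = [] } = {}) {
  if (!authObject || !authObject.tokenType) {
    return { ok: false, reason: 'no valid token' };
  }
  const allowed = allowedTokenTypes(acceptsToken);
  if (!allowed.has(authObject.tokenType)) {
    return { ok: false, reason: `token type ${authObject.tokenType} not accepted` };
  }
  // Scope checks only apply to OAuth tokens; a missing scopes array is
  // treated as "no scopes", so a required scope fails closed.
  if (authObject.tokenType === 'oauth_token') {
    const granted = authObject.scopes ?? [];
    const missing = requiredScopes.filter((s) => !granted.includes(s));
    if (missing.length > 0) {
      return { ok: false, reason: `oauth token missing scope(s): ${missing.join(', ')}` };
    }
  }
  return { ok: true };
}

// Constructed sample auth objects (hypothetical ids), one per interesting case.
const sampleUser = { tokenType: 'session_token', userId: 'user_123' };
const sampleOAuthProfile = { tokenType: 'oauth_token', userId: 'user_123', scopes: ['profile'] };
const sampleOAuthNoScope = { tokenType: 'oauth_token', userId: 'user_123', scopes: ['email'] };
const sampleApiKey = { tokenType: 'api_key', userId: 'user_123' };
```

Calling `authorize(sampleApiKey)` with no options is rejected, while `authorize(sampleApiKey, { acceptsToken: 'any' })` is accepted, which is exactly the compatibility behaviour the entry describes.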
- The `svix` dependency is no longer needed when using the `verifyWebhook()` function. `verifyWebhook()` was refactored to not rely on `svix` anymore while keeping the same functionality and behavior. (#6059) by @royanger

If you previously installed `svix` to use `verifyWebhook()`, you can uninstall it now:

```bash
npm uninstall svix
```
Patch Changes
- Updated URL for 'auth() was called but Clerk can't detect usage of clerkMiddleware()' (#6035) by @royanger
- Introduce `getAuthObjectFromJwt` as an internal utility function that centralizes the logic for generating auth objects from session JWTs. (#6053) by @LauraBeatris
- Updated dependencies [`ea622ba`, `d8fa5d9`, `be2e89c`, `c656270`, `5644d94`, `a3232c7`, `b578225`, `918e2e0`, `795d09a`, `4f93634`, `8838120`]:
  - @clerk/backend@2.0.0
  - @clerk/types@4.60.0
  - @clerk/clerk-react@5.31.9
  - @clerk/shared@3.9.6