fix(clerk): add alternative decoder

packages/auth-providers/clerk/api/src/decoder.ts

@@ -1,5 +1,8 @@
 import { Decoder } from '@redwoodjs/api'
 
+/**
+ * @deprecated This function will be removed; it uses uses a rate-limited API. Use `jwtAuthDecoder` instead.
+ */
 export const authDecoder: Decoder = async (token: string, type: string) => {
   if (type !== 'clerk') {
     return null
@@ -34,3 +37,39 @@ export const authDecoder: Decoder = async (token: string, type: string) => {
     return Promise.reject(error)
   }
 }
+
+export const jwtAuthDecoder: Decoder = async (token: string, type: string) => {
+  if (type !== 'clerk') {
+    return null
+  }
+
+  const { verifyToken } = await import('@clerk/clerk-sdk-node')
+
+  try {
+    const issuer = (iss: string) =>
+      iss.startsWith('https://clerk.') || iss.includes('.clerk.accounts')
+
+    const jwtPayload = await verifyToken(token, {
+      issuer,
+      apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.dev',
+      jwtKey: process.env.CLERK_JWT_KEY,
+      apiKey: process.env.CLERK_API_KEY,
+      secretKey: process.env.CLERK_SECRET_KEY,
+    })
+
+    if (!jwtPayload.sub) {
+      return Promise.reject(new Error('Session invalid'))
+    }
+
+    // @ts-expect-error need to to type this
+    const roles = jwtPayload.sessionClaims.publicMetadata['roles'] ?? []
+
+    return {
+      ...jwtPayload,
+      roles: roles,
+    }
+  } catch (error) {
+    console.error(error)
+    return Promise.reject(error)
+  }
+}

packages/auth-providers/clerk/api/src/index.ts

@@ -1 +1 @@
-export { authDecoder } from './decoder'
+export { authDecoder, jwtAuthDecoder } from './decoder'

packages/auth-providers/clerk/setup/src/setupHandler.ts

@@ -13,7 +13,7 @@ export const handler = async ({ force: forceArg }: Args) => {
   standardAuthHandler({
     basedir: __dirname,
     forceArg,
-    authDecoderImport: `import { authDecoder } from '@redwoodjs/auth-clerk-api'`,
+    authDecoderImport: `import { jwtAuthDecoder as authDecoder } from '@redwoodjs/auth-clerk-api'`,
     provider: 'clerk',
     webPackages: [
       '@clerk/clerk-react@^4',
@@ -26,17 +26,14 @@ export const handler = async ({ force: forceArg }: Args) => {
       '```title=".env"',
       'CLERK_PUBLISHABLE_KEY="..."',
       'CLERK_SECRET_KEY="..."',
-      'CLERK_JWT_KEY="-----BEGIN PUBLIC KEY-----',
-      '...',
-      '-----END PUBLIC KEY-----"',
       '```',
       '',
       `You can find their values under "API Keys" on your Clerk app's dashboard.`,
       'Be sure to include `CLERK_PUBLISHABLE_KEY` in the `includeEnvironmentVariables` array in redwood.toml.',
       '',
       '```toml title="redwood.toml"',
       'includeEnvironmentVariables = [',
-      '  "CLERK_PUBLISHABLE_KEY"',
+      '  "CLERK_PUBLISHABLE_KEY,"',
       ']',
       '```',
       '',

packages/auth-providers/clerk/setup/src/templates/api/lib/auth.ts.template

@@ -27,16 +27,12 @@ export const getCurrentUser = async (
     return null
   }
 
-  const { roles } = parseJWT({ decoded })
+  const { roles, ...user } = parseJWT({ decoded })
 
-  // Remove privateMetadata property from CurrentUser as it should not be accessible on the web
-  const { privateMetadata, ...userWithoutPrivateMetadata } = decoded
-
-  if (roles) {
-    return { ...userWithoutPrivateMetadata, roles }
+  return {
+    ...user,
+    ...(roles && { roles })
   }
-
-  return { ...userWithoutPrivateMetadata }
 }
 
 /**