v5.3.2
Patch Release
Note Are you using Clerk for authentication and user management? Keep reading.
This patch adds a new auth decoder, clerkAuthDecoder
to the @redwoodjs/auth-clerk-api
package and deprecates the existing one, which is simply named authDecoder
. We recommend that everyone using Clerk migrate to the new auth decoder unless you’re already using a custom one. The current auth decoder is subject to rate limiting.
Background
First, a quick reminder on how auth works in Redwood. On a project's api side, there's two critical auth functions, authDecoder
and getCurrentUser
. They're both passed to createGraphQLHandler
in api/src/functions/graphql.{ts,js}
:
// api/src/functions/graphql.{ts,js}
import { authDecoder } from '@redwoodjs/auth-clerk-api'
import { createGraphQLHandler } from '@redwoodjs/graphql-server'
// ...
import { getCurrentUser } from 'src/lib/auth'
export const handler = createGraphQLHandler({
authDecoder,
getCurrentUser,
// ...
})
As the codeblock above shows, authDecoder
comes from one of Redwood's auth packages (but you can write it yourself if you want), while getCurrentUser
comes from the api/src/lib/auth.{ts,js}
file—it's a function that you own in your project.
These functions are used together internally by Redwood. While this is a simplification, basically authDecoder
's return value is the first argument to getCurrentUser
, like this:
// Internally, in Redwood. This is pseudocode.
const decoded = await authDecoder(token, ...otherArgs)
const currentUser = await getCurrentUser(decoded, ...otherArgs)
// Add the user to the context...
Migration Path
The last thing you want is your project's authDecoder
getting rate limited! Here's how to migrate:
- Upgrade to this version via
yarn rw upgrade
- In your project's GraphQL file,
api/src/functions/graphql.{ts,js}
, import the new auth decoder,clerkAuthDecoder
, as theauthDecoder
function from@redwoodjs/auth-clerk-api
:
// api/src/functions/graphql.{ts,js}
- import { authDecoder } from '@redwoodjs/auth-clerk-api'
+ import { clerkAuthDecoder as authDecoder } from '@redwoodjs/auth-clerk-api'
- In your project's api-side auth file,
api/src/lib/auth.{ts,js}
, modify thegetCurrentUser
function accordingly and customize the session token on your Clerk application's dashboard (see https://clerk.com/docs/request-authentication/customizing-session-tokens)
The modifications you'll have to make will be specific to your project. The getCurrentUser
function's first argument, decoded
, will be different. It'll still be an object, but by default, it has much fewer props than before. To illustrate the difference, let’s look at an example of what the decoded
parameter to the getCurrentUser
function is before and after:
// api/src/lib/auth.{ts,js}
export const getCurrentUser = async (
decoded, // 👈 This will be different, see below
// ...
) => {
if (!decoded) {
logger.warn('Missing decoded user')
return null
}
// Your custom logic...
}
old auth decoder (`authDecoder`) return value | new auth decoder (`clerkAuthDecoder`) return value |
---|---|
{
id: 'user_...',
passwordEnabled: true,
totpEnabled: false,
backupCodeEnabled: false,
twoFactorEnabled: false,
banned: false,
createdAt: ...,
updatedAt: ...,
profileImageUrl: 'https://...',
imageUrl: 'https://...',
gender: '',
birthday: '',
primaryEmailAddressId: 'idn_...',
primaryPhoneNumberId: null,
primaryWeb3WalletId: null,
lastSignInAt: ...,
externalId: null,
username: null,
firstName: null,
lastName: null,
publicMetadata: {},
privateMetadata: {},
unsafeMetadata: {},
emailAddresses: [...],
phoneNumbers: [],
web3Wallets: [],
externalAccounts: [],
roles: [],
} |
{
id: 'user_...',
azp: 'http://...',
exp: ...,
iat: ...,
iss: 'https://...',
jti: '...',
nbf: ...,
sid: 'sess_...',
sub: 'user_...',
} |
It’s unlikely that you were using all of its properties before. But if you were using Clerk for user management and not just for authentication, you were certainly using some. Luckily it's easy to add them back to the object—all you have to do is customize the session token on your Clerk application's dashboard. See Clerk's docs here: https://clerk.com/docs/request-authentication/customizing-session-tokens.
Changelog
- fix(clerk): add alternative decoder #8642 by @jtoar, @o0charlie0o, @asher-eastham
- Fix failing v5 codemod for DevFatalErrorPage #8661 by @Tobbe