Patch Release

Note Are you using Clerk for authentication and user management? Keep reading.

This patch adds a new auth decoder, clerkAuthDecoder to the @redwoodjs/auth-clerk-api package and deprecates the existing one, which is simply named authDecoder. We recommend that everyone using Clerk migrate to the new auth decoder unless you’re already using a custom one. The current auth decoder is subject to rate limiting.

Background

First, a quick reminder on how auth works in Redwood. On a project's api side, there's two critical auth functions, authDecoder and getCurrentUser. They're both passed to createGraphQLHandler in api/src/functions/graphql.{ts,js}:

// api/src/functions/graphql.{ts,js}

import { authDecoder } from '@redwoodjs/auth-clerk-api'
import { createGraphQLHandler } from '@redwoodjs/graphql-server'

// ...

import { getCurrentUser } from 'src/lib/auth'

export const handler = createGraphQLHandler({
  authDecoder,
  getCurrentUser,
  // ...
})

As the codeblock above shows, authDecoder comes from one of Redwood's auth packages (but you can write it yourself if you want), while getCurrentUser comes from the api/src/lib/auth.{ts,js} file—it's a function that you own in your project.

These functions are used together internally by Redwood. While this is a simplification, basically authDecoder's return value is the first argument to getCurrentUser, like this:

// Internally, in Redwood. This is pseudocode.

const decoded = await authDecoder(token, ...otherArgs)
const currentUser = await getCurrentUser(decoded, ...otherArgs)
// Add the user to the context...

Migration Path

The last thing you want is your project's authDecoder getting rate limited! Here's how to migrate:

Upgrade to this version via yarn rw upgrade
In your project's GraphQL file, api/src/functions/graphql.{ts,js}, import the new auth decoder, clerkAuthDecoder, as the authDecoder function from @redwoodjs/auth-clerk-api:

// api/src/functions/graphql.{ts,js}
- import { authDecoder } from '@redwoodjs/auth-clerk-api'
+ import { clerkAuthDecoder as authDecoder } from '@redwoodjs/auth-clerk-api'

In your project's api-side auth file, api/src/lib/auth.{ts,js}, modify the getCurrentUser function accordingly and customize the session token on your Clerk application's dashboard (see https://clerk.com/docs/request-authentication/customizing-session-tokens)

The modifications you'll have to make will be specific to your project. The getCurrentUser function's first argument, decoded, will be different. It'll still be an object, but by default, it has much fewer props than before. To illustrate the difference, let’s look at an example of what the decoded parameter to the getCurrentUser function is before and after:

// api/src/lib/auth.{ts,js}

export const getCurrentUser = async (
  decoded, // 👈 This will be different, see below
  // ...
) => {
  if (!decoded) {
    logger.warn('Missing decoded user')
    return null
  }

  // Your custom logic...
}

old auth decoder (`authDecoder`) return value	new auth decoder (`clerkAuthDecoder`) return value
{ id: 'user_...', passwordEnabled: true, totpEnabled: false, backupCodeEnabled: false, twoFactorEnabled: false, banned: false, createdAt: ..., updatedAt: ..., profileImageUrl: 'https://...', imageUrl: 'https://...', gender: '', birthday: '', primaryEmailAddressId: 'idn_...', primaryPhoneNumberId: null, primaryWeb3WalletId: null, lastSignInAt: ..., externalId: null, username: null, firstName: null, lastName: null, publicMetadata: {}, privateMetadata: {}, unsafeMetadata: {}, emailAddresses: [...], phoneNumbers: [], web3Wallets: [], externalAccounts: [], roles: [], }	{ id: 'user_...', azp: 'http://...', exp: ..., iat: ..., iss: 'https://...', jti: '...', nbf: ..., sid: 'sess_...', sub: 'user_...', }

old auth decoder (`authDecoder`) return value

new auth decoder (`clerkAuthDecoder`) return value

{
  id: 'user_...',
  passwordEnabled: true,
  totpEnabled: false,
  backupCodeEnabled: false,
  twoFactorEnabled: false,
  banned: false,
  createdAt: ...,
  updatedAt: ...,
  profileImageUrl: 'https://...',
  imageUrl: 'https://...',
  gender: '',
  birthday: '',
  primaryEmailAddressId: 'idn_...',
  primaryPhoneNumberId: null,
  primaryWeb3WalletId: null,
  lastSignInAt: ...,
  externalId: null,
  username: null,
  firstName: null,
  lastName: null,
  publicMetadata: {},
  privateMetadata: {},
  unsafeMetadata: {},
  emailAddresses: [...],
  phoneNumbers: [],
  web3Wallets: [],
  externalAccounts: [],
  roles: [],
}

{
  id: 'user_...',
  azp: 'http://...',
  exp: ...,
  iat: ...,
  iss: 'https://...',
  jti: '...',
  nbf: ...,
  sid: 'sess_...',
  sub: 'user_...',
}

It’s unlikely that you were using all of its properties before. But if you were using Clerk for user management and not just for authentication, you were certainly using some. Luckily it's easy to add them back to the object—all you have to do is customize the session token on your Clerk application's dashboard. See Clerk's docs here: https://clerk.com/docs/request-authentication/customizing-session-tokens.

Changelog

fix(clerk): add alternative decoder #8642 by @jtoar, @o0charlie0o, @asher-eastham
Fix failing v5 codemod for DevFatalErrorPage #8661 by @Tobbe

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v5.3.2

Patch Release

Background

Migration Path

Changelog

Contributors