Add networkless path for isAuthenticated #183
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
There was a problem hiding this comment.
Add docs too? Otherwise seems good.
Re: skipping the check when getting to token -- it's possible that someone does something like const isAuthenticated = (await convexAuthNextJsToken()) !== null and is sad. But I think the common case will be to feed the token into a function that will throw / return nothing if the token is invalid.
| // First, try using the JWKS from the environment variable to do token | ||
| // verification locally (networkless mode). | ||
| try { | ||
| const envJwks = process.env.CONVEX_AUTH_JWKS |
There was a problem hiding this comment.
I was going to ask if this is possible to configure via an argument in the provider or middleware, but I think the answer is "no" since these get wrapped in things that are imported directly.
| const envJwks = process.env.CONVEX_AUTH_JWKS | ||
| if (envJwks) { | ||
| const jwkSet = createLocalJWKSet(JSON.parse(envJwks)) | ||
| const verifiedToken = await jwtVerify(token, jwkSet); |
There was a problem hiding this comment.
Can we put this + the JSON.parse in a try/catch (idk if jwtVerify can throw, but JSON.parse definitely can)
There was a problem hiding this comment.
Also I forget whether we should be checking the expiration time of this token here? I believe previously this would return false for expired tokens
| return !!verifiedToken.payload.sub; | ||
| } | ||
| } catch (error: any) { | ||
| console.error("Error verifying token", error); |
There was a problem hiding this comment.
| console.error("Error verifying token", error); | |
| console.error("Error verifying token using process.env.CONVEX_AUTH_JWKS", error); |
(we could also say something like "make sure this matches the value set in your Convex JWKS environment variable")
Following Clerk's lead, add an optional environment variable that lets developers configure Next to not require hitting Convex for validating its token.
Verification is a little more permissive than https://github.com/get-convex/convex-backend/blob/main/crates/authentication/src/lib.rs#L188 but I think it's okay to not check that the issuer and audience match. We can add both of these checks via another environment variable if needed.
Question: Should I add this verification to the methods like
convexAuthNextjsTokenthat pull out the token from cookies? I think it's fine to only check when we're making a decision (i.e.isAuthenticated) but I'm curious what y'all think.