Add networkless path for isAuthenticated #183

Open. Wants to merge 1 commit into base: main.
16 changes: 16 additions & 0 deletions src/nextjs/server/index.tsx
@@ -22,6 +22,7 @@ import {
setAuthCookiesInMiddleware,
} from "./utils.js";
import { IsAuthenticatedQuery } from "../../server/implementation/index.js";
import { jwtVerify, createLocalJWKSet } from "jose"

/**
* Wrap your app with this provider in your root `layout.tsx`.
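Review bot: the added `import { jwtVerify, createLocalJWKSet } from "jose"` line drops the trailing semicolon that the neighbouring imports (`} from "./utils.js";`, the `IsAuthenticatedQuery` import) use; add it for consistency. More importantly, this PR touches only src/nextjs/server/index.tsx (16 additions, 0 deletions), so if `jose` is not already a declared dependency of this package the import fails at runtime; confirm it is present in package.json or add it in this PR.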
@@ -302,6 +303,21 @@ async function isAuthenticated(token: string | null): Promise<boolean> {
if (!token) {
return false;
}

// First, try using the JWKS from the environment variable to do token
// verification locally (networkless mode).
try {
const envJwks = process.env.CONVEX_AUTH_JWKS
Contributor:
I was going to ask if this is possible to configure via an argument in the provider or middleware, but I think the answer is "no" since these get wrapped in things that are imported directly.

if (envJwks) {
const jwkSet = createLocalJWKSet(JSON.parse(envJwks))
const verifiedToken = await jwtVerify(token, jwkSet);
Contributor:
Can we put this + the JSON.parse in a try/catch? (idk if jwtVerify can throw, but JSON.parse definitely can)

Contributor:
Also, I forget whether we should be checking the expiration time of this token here? I believe previously this would return false for expired tokens.

return !!verifiedToken.payload.sub;
}
} catch (error: any) {
console.error("Error verifying token", error);
Contributor:
Suggested change
console.error("Error verifying token", error);
console.error("Error verifying token using process.env.CONVEX_AUTH_JWKS", error);

(we could also say something like "make sure this matches the value set in your Convex JWKS environment variable")

}

// Fallback to asking the server to do verification.
try {
return await fetchQuery(
"auth:isAuthenticated" as any as IsAuthenticatedQuery,