feat(clerk): Switch to @clerk/backend SDK (#102)

The @clerk/clerk-sdk-node package has reached its [end of
support](https://clerk.com/changelog/2025-01-10-node-sdk-eol) back in
January. This PR updates the Clerk auth provider to use the recommended
JS Backend SDK (@clerk/backend).

This also removes the deprecated authDecoder function which used the
rate-limited API and relied on the now unsupported Node SDK.

Huge shoutout to @wobsoriano for getting started on this over in
redwoodjs/graphql#11953

Author: Tobbe

.changesets/102.md

@@ -0,0 +1,13 @@
+- feat(clerk): Switch to `@clerk/backend` SDK (#102) by @Tobbe
+
+The @clerk/clerk-sdk-node package has reached its
+[end of support](https://clerk.com/changelog/2025-01-10-node-sdk-eol) back in
+January. This PR updates the Clerk auth provider to use the recommended JS
+Backend SDK (@clerk/backend).
+
+# Breaking changes
+
+- Removes the deprecated `authDecoder` function which used the rate-limited API
+  and relied on the now unsupported Node SDK.
+- You now have to specify `process.env.CLERK_API_URL`, it no longer has a
+  default fallback

packages/auth-providers/clerk/api/package.json

@@ -39,7 +39,7 @@
     "test:watch": "vitest watch"
   },
   "dependencies": {
-    "@clerk/clerk-sdk-node": "5.0.52"
+    "@clerk/backend": "1.33.1"
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "0.18.1",

packages/auth-providers/clerk/api/src/__tests__/clerk.test.ts

@@ -1,14 +1,14 @@
 import type { APIGatewayProxyEvent, Context as LambdaContext } from 'aws-lambda'
 import { beforeAll, afterAll, describe, test, expect } from 'vitest'
 
-import { authDecoder, clerkAuthDecoder } from '../decoder'
+import { clerkAuthDecoder } from '../decoder'
 
 const req = {
   event: {} as APIGatewayProxyEvent,
   context: {} as LambdaContext,
 }
 
-let consoleError
+let consoleError: typeof console.error
 
 beforeAll(() => {
   consoleError = console.error
@@ -19,20 +19,6 @@ afterAll(() => {
   console.error = consoleError
 })
 
-describe('deprecated authDecoder', () => {
-  test('returns null for unsupported type', async () => {
-    const decoded = await authDecoder('token', 'netlify', req)
-
-    expect(decoded).toBe(null)
-  })
-
-  test('rejects when the token is invalid', async () => {
-    process.env.CLERK_JWT_KEY = 'jwt-key'
-
-    await expect(authDecoder('invalid-token', 'clerk', req)).rejects.toThrow()
-  })
-})
-
 describe('clerkAuthDecoder', () => {
   test('returns null for unsupported type', async () => {
     const decoded = await clerkAuthDecoder('token', 'netlify', req)

packages/auth-providers/clerk/api/src/decoder.ts

@@ -1,44 +1,5 @@
 import type { Decoder } from '@cedarjs/api'
 
-/**
- * @deprecated This function will be removed; it uses a rate-limited API. Use `clerkAuthDecoder` instead.
- */
-export const authDecoder: Decoder = async (token: string, type: string) => {
-  if (type !== 'clerk') {
-    return null
-  }
-
-  const { createClerkClient, verifyToken } = await import(
-    '@clerk/clerk-sdk-node'
-  )
-
-  try {
-    const options = {
-      apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.dev',
-      jwtKey: process.env.CLERK_JWT_KEY,
-      secretKey: process.env.CLERK_SECRET_KEY,
-    }
-
-    const jwtPayload = await verifyToken(token, options)
-
-    if (!jwtPayload.sub) {
-      return Promise.reject(new Error('Session invalid'))
-    }
-
-    const clerkClient = createClerkClient(options)
-
-    const user = await clerkClient.users.getUser(jwtPayload.sub)
-
-    return {
-      ...user,
-      roles: user.publicMetadata['roles'] ?? [],
-    }
-  } catch (error) {
-    console.error(error)
-    return Promise.reject(error)
-  }
-}
-
 export const clerkAuthDecoder: Decoder = async (
   token: string,
   type: string,
@@ -47,11 +8,11 @@ export const clerkAuthDecoder: Decoder = async (
     return null
   }
 
-  const { verifyToken } = await import('@clerk/clerk-sdk-node')
+  const { verifyToken } = await import('@clerk/backend')
 
   try {
     const jwtPayload = await verifyToken(token, {
-      apiUrl: process.env.CLERK_API_URL || 'https://api.clerk.dev',
+      apiUrl: process.env.CLERK_API_URL,
       jwtKey: process.env.CLERK_JWT_KEY,
       secretKey: process.env.CLERK_SECRET_KEY,
     })

packages/auth-providers/clerk/api/src/index.ts

@@ -1 +1 @@
-export { authDecoder, clerkAuthDecoder } from './decoder'
+export { clerkAuthDecoder } from './decoder'

yarn.lock

@@ -2173,7 +2173,7 @@ __metadata:
     "@arethetypeswrong/cli": "npm:0.18.1"
     "@cedarjs/api": "workspace:*"
     "@cedarjs/framework-tools": "workspace:*"
-    "@clerk/clerk-sdk-node": "npm:5.0.52"
+    "@clerk/backend": "npm:1.33.1"
     "@types/aws-lambda": "npm:8.10.145"
     concurrently: "npm:8.2.2"
     publint: "npm:0.3.12"
@@ -3662,16 +3662,21 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@clerk/backend@npm:1.14.1":
-  version: 1.14.1
-  resolution: "@clerk/backend@npm:1.14.1"
+"@clerk/backend@npm:1.33.1":
+  version: 1.33.1
+  resolution: "@clerk/backend@npm:1.33.1"
   dependencies:
-    "@clerk/shared": "npm:2.9.2"
-    "@clerk/types": "npm:4.26.0"
-    cookie: "npm:0.7.0"
-    snakecase-keys: "npm:5.4.4"
-    tslib: "npm:2.4.1"
-  checksum: 10c0/056d89dadb4789601574c064f1c937e8440eab25bc7996a2942b9dd543814957f902de5be1b6103ae1d2277efa53c70d47d19903cead6e84a3c37dc9b31413e8
+    "@clerk/shared": "npm:^3.9.4"
+    "@clerk/types": "npm:^4.59.2"
+    cookie: "npm:1.0.2"
+    snakecase-keys: "npm:8.0.1"
+    tslib: "npm:2.8.1"
+  peerDependencies:
+    svix: ^1.62.0
+  peerDependenciesMeta:
+    svix:
+      optional: true
+  checksum: 10c0/9158047d3ee156ce7aa26c9771302d7c0b406b73fc25bebbb6cc5cd2d0355c67854a21be11a5661354b7f2b52c0ed6354f1db44b8dc6af81a362e250aeee3718
   languageName: node
   linkType: hard
 
@@ -3689,39 +3694,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@clerk/clerk-sdk-node@npm:5.0.52":
-  version: 5.0.52
-  resolution: "@clerk/clerk-sdk-node@npm:5.0.52"
-  dependencies:
-    "@clerk/backend": "npm:1.14.1"
-    "@clerk/shared": "npm:2.9.2"
-    "@clerk/types": "npm:4.26.0"
-    tslib: "npm:2.4.1"
-  checksum: 10c0/5044c1a2600a9183a8b5db22437cf21c5f11e25cfeebe0449939eaadfc753b34e18bb868bde03fb69b5f2fcc277168812e75c3d4e15928ce4d9e428fefc1c121
-  languageName: node
-  linkType: hard
-
-"@clerk/shared@npm:2.9.2":
-  version: 2.9.2
-  resolution: "@clerk/shared@npm:2.9.2"
-  dependencies:
-    "@clerk/types": "npm:4.26.0"
-    glob-to-regexp: "npm:0.4.1"
-    js-cookie: "npm:3.0.5"
-    std-env: "npm:^3.7.0"
-    swr: "npm:^2.2.0"
-  peerDependencies:
-    react: ">=18 || >=19.0.0-beta"
-    react-dom: ">=18 || >=19.0.0-beta"
-  peerDependenciesMeta:
-    react:
-      optional: true
-    react-dom:
-      optional: true
-  checksum: 10c0/5d8022dbce5d34d6087d1f74673fa3804c8eb4708d64e02fb004bc8e0d466ec1b1708aa4de273bd1a62e1522e6e3fbae2abb6055319f8ccb4926cca8d9c04a2d
-  languageName: node
-  linkType: hard
-
 "@clerk/shared@npm:^3.9.4":
   version: 3.9.4
   resolution: "@clerk/shared@npm:3.9.4"
@@ -3744,15 +3716,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@clerk/types@npm:4.26.0":
-  version: 4.26.0
-  resolution: "@clerk/types@npm:4.26.0"
-  dependencies:
-    csstype: "npm:3.1.1"
-  checksum: 10c0/ad71935ea18604150605f8ab1f7287edce23bc3fd5085f662c1c69f670d8ce914dd019bf9f046d1c113c5919cbf700de39b88e8fe7ed6bad372d9fe4d1ded28c
-  languageName: node
-  linkType: hard
-
 "@clerk/types@npm:4.59.2, @clerk/types@npm:^4.59.2":
   version: 4.59.2
   resolution: "@clerk/types@npm:4.59.2"
@@ -14531,13 +14494,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"cookie@npm:0.7.0":
-  version: 0.7.0
-  resolution: "cookie@npm:0.7.0"
-  checksum: 10c0/15c20c9b85431c8565b1750f9bccff0bd289b943d956e25fffce3b146e57934075965c8305a4e3a65a70622c9ed483e013daf9159d9c50f5c3f97f2e7c8117ac
-  languageName: node
-  linkType: hard
-
 "cookie@npm:0.7.1":
   version: 0.7.1
   resolution: "cookie@npm:0.7.1"
@@ -14940,13 +14896,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"csstype@npm:3.1.1":
-  version: 3.1.1
-  resolution: "csstype@npm:3.1.1"
-  checksum: 10c0/7c8b8c5923049d84132581c13bae6e1faf999746fe3998ba5f3819a8e1cdc7512ace87b7d0a4a69f0f4b8ba11daf835d4f1390af23e09fc4f0baad52c084753a
-  languageName: node
-  linkType: hard
-
 "csstype@npm:3.1.3, csstype@npm:^3.0.2":
   version: 3.1.3
   resolution: "csstype@npm:3.1.3"
@@ -27159,14 +27108,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"snakecase-keys@npm:5.4.4":
-  version: 5.4.4
-  resolution: "snakecase-keys@npm:5.4.4"
+"snakecase-keys@npm:8.0.1":
+  version: 8.0.1
+  resolution: "snakecase-keys@npm:8.0.1"
   dependencies:
     map-obj: "npm:^4.1.0"
     snake-case: "npm:^3.0.4"
-    type-fest: "npm:^2.5.2"
-  checksum: 10c0/72afc51818d9f8cee00b4ccdc3b83bb26e48de21c4ef77d28d0d70b431bec17e48aa3e64c2c418fd9f2b70ac0a8afce24b4e615238877c4ee451b5212b983fb0
+    type-fest: "npm:^4.15.0"
+  checksum: 10c0/3615126462e413fe5e1637c945362e99c3ac497bc49d867397547ab1a87ff2827ae890d1aa022ef06c27cb3924bcb3714db2f4e76770e6ebd3625f3e16d79d27
   languageName: node
   linkType: hard
 
@@ -27462,7 +27411,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"std-env@npm:^3.7.0, std-env@npm:^3.8.0, std-env@npm:^3.9.0":
+"std-env@npm:^3.8.0, std-env@npm:^3.9.0":
   version: 3.9.0
   resolution: "std-env@npm:3.9.0"
   checksum: 10c0/4a6f9218aef3f41046c3c7ecf1f98df00b30a07f4f35c6d47b28329bc2531eef820828951c7d7b39a1c5eb19ad8a46e3ddfc7deb28f0a2f3ceebee11bab7ba50
@@ -27981,7 +27930,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"swr@npm:^2.2.0, swr@npm:^2.3.3":
+"swr@npm:^2.3.3":
   version: 2.3.3
   resolution: "swr@npm:2.3.3"
   dependencies:
@@ -28604,13 +28553,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tslib@npm:2.4.1, tslib@npm:~2.4.0":
-  version: 2.4.1
-  resolution: "tslib@npm:2.4.1"
-  checksum: 10c0/9ac0e4fd1033861f0b4f0d848dc3009ebcc3aa4757a06e8602a2d8a7aed252810e3540e54e70709f06c0f95311faa8584f769bcbede48aff785eb7e4d399b9ec
-  languageName: node
-  linkType: hard
-
 "tslib@npm:2.8.1, tslib@npm:^2.0.0, tslib@npm:^2.0.1, tslib@npm:^2.0.3, tslib@npm:^2.1.0, tslib@npm:^2.2.0, tslib@npm:^2.3.0, tslib@npm:^2.3.1, tslib@npm:^2.4.0, tslib@npm:^2.5.0, tslib@npm:^2.5.2, tslib@npm:^2.6.2, tslib@npm:^2.6.3, tslib@npm:^2.8.1":
   version: 2.8.1
   resolution: "tslib@npm:2.8.1"
@@ -28625,6 +28567,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"tslib@npm:~2.4.0":
+  version: 2.4.1
+  resolution: "tslib@npm:2.4.1"
+  checksum: 10c0/9ac0e4fd1033861f0b4f0d848dc3009ebcc3aa4757a06e8602a2d8a7aed252810e3540e54e70709f06c0f95311faa8584f769bcbede48aff785eb7e4d399b9ec
+  languageName: node
+  linkType: hard
+
 "tslib@npm:~2.5.0":
   version: 2.5.3
   resolution: "tslib@npm:2.5.3"
@@ -28789,7 +28738,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"type-fest@npm:^2.19.0, type-fest@npm:^2.5.2, type-fest@npm:~2.19":
+"type-fest@npm:^2.19.0, type-fest@npm:~2.19":
   version: 2.19.0
   resolution: "type-fest@npm:2.19.0"
   checksum: 10c0/a5a7ecf2e654251613218c215c7493574594951c08e52ab9881c9df6a6da0aeca7528c213c622bc374b4e0cb5c443aa3ab758da4e3c959783ce884c3194e12cb
@@ -28803,10 +28752,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"type-fest@npm:^4.18.2":
-  version: 4.40.1
-  resolution: "type-fest@npm:4.40.1"
-  checksum: 10c0/590cb7d4dcd3da83efe49b5b52cd041661f6fa29f18cb76650fe1fdeb4090688e92955656e9d981e606abb13d25c0418be8c6c6504d80e87fe18dc9ca0888392
+"type-fest@npm:^4.15.0, type-fest@npm:^4.18.2":
+  version: 4.41.0
+  resolution: "type-fest@npm:4.41.0"
+  checksum: 10c0/f5ca697797ed5e88d33ac8f1fec21921839871f808dc59345c9cf67345bfb958ce41bd821165dbf3ae591cedec2bf6fe8882098dfdd8dc54320b859711a2c1e4
   languageName: node
   linkType: hard