WIP

Author: jakobevangelista

packages/nextjs/src/app-router/server/auth.ts

@@ -1,5 +1,6 @@
 import type { AuthObject } from '@clerk/backend';
-import { constants, createClerkRequest, createRedirect, type RedirectFun } from '@clerk/backend/internal';
+import type { RedirectFun, SignedInAuthObject, SignedOutAuthObject } from '@clerk/backend/internal';
+import { constants, createClerkRequest, createRedirect } from '@clerk/backend/internal';
 import { notFound, redirect } from 'next/navigation';
 
 import { PUBLISHABLE_KEY, SIGN_IN_URL, SIGN_UP_URL } from '../../server/constants';
@@ -12,18 +13,33 @@ import { buildRequestLike } from './utils';
 
 type Auth = AuthObject & { redirectToSignIn: RedirectFun<ReturnType<typeof redirect>> };
 
+type MachineAuth = Exclude<AuthObject, SignedInAuthObject | SignedOutAuthObject> & {
+  redirectToSignIn: RedirectFun<ReturnType<typeof redirect>>;
+};
+
+type AuthOptions = { entity?: 'user' | 'machine' };
+
 export interface AuthFn {
   (): Promise<Auth>;
   protect: AuthProtect;
 }
 
-export const auth: AuthFn = async () => {
+export interface MachineAuthFn {
+  (options?: AuthOptions): Promise<MachineAuth>;
+  protect: AuthProtect;
+}
+
+export function auth(options?: AuthOptions & { entity: 'user' }): Promise<Auth>;
+export function auth(options?: AuthOptions & { entity: 'machine' }): Promise<MachineAuth>;
+export async function auth(options?: AuthOptions): Promise<Auth>;
+export async function auth(options?: AuthOptions) {
   require('server-only');
 
   const request = await buildRequestLike();
   const authObject = createGetAuth({
     debugLoggerName: 'auth()',
     noAuthStatusMessage: authAuthHeaderMissing(),
+    options,
   })(request);
 
   const clerkUrl = getAuthKeyFromRequest(request, 'ClerkUrl');
@@ -50,7 +66,7 @@ export const auth: AuthFn = async () => {
   };
 
   return Object.assign(authObject, { redirectToSignIn });
-};
+}
 
 auth.protect = async (...args: any[]) => {
   require('server-only');

packages/nextjs/src/server/clerkMiddleware.ts

@@ -1,6 +1,7 @@
 import type { AuthObject, ClerkClient } from '@clerk/backend';
 import type { AuthenticateRequestOptions, ClerkRequest, RedirectFun, RequestState } from '@clerk/backend/internal';
 import { AuthStatus, constants, createClerkRequest, createRedirect } from '@clerk/backend/internal';
+import { decodeJwt } from '@clerk/backend/jwt';
 import { eventMethodCalled } from '@clerk/shared/telemetry';
 import { notFound as nextjsNotFound } from 'next/navigation';
 import type { NextMiddleware, NextRequest } from 'next/server';
@@ -131,6 +132,13 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]) => {
         logger.enable();
       }
       const clerkRequest = createClerkRequest(request);
+      const headers = JSON.parse(clerkRequest.toJSON().headers);
+      const authorization = headers.authorization;
+      if (authorization) {
+        const bearerToken = decodeJwt(authorization.split(' ')[1]);
+        const { payload } = bearerToken;
+        payload.sub.startsWith('mch_') ? (options.entity = 'machine') : null;
+      }
       logger.debug('options', options);
       logger.debug('url', () => clerkRequest.toJSON());
 

packages/nextjs/src/server/createGetAuth.ts

@@ -1,20 +1,30 @@
 import type { AuthObject } from '@clerk/backend';
+import type {
+  AuthenticatedMachineObject,
+  SignedInAuthObject,
+  SignedOutAuthObject,
+  UnauthenticatedMachineObject,
+} from '@clerk/backend/internal';
 import { constants } from '@clerk/backend/internal';
 import { decodeJwt } from '@clerk/backend/jwt';
 import { isTruthy } from '@clerk/shared/underscore';
 
 import { withLogger } from '../utils/debugLogger';
-import { getAuthDataFromRequest } from './data/getAuthDataFromRequest';
+import type { GetAuthDataFromRequestOptions } from './data/getAuthDataFromRequest';
+import { getAuthDataFromRequest as getAuthDataFromRequestOriginal } from './data/getAuthDataFromRequest';
 import { getAuthAuthHeaderMissing } from './errors';
 import type { RequestLike } from './types';
 import { assertAuthStatus, getCookie, getHeader } from './utils';
 
+type GetAuthOptions = { entity?: 'user' | 'machine' };
 export const createGetAuth = ({
   noAuthStatusMessage,
   debugLoggerName,
+  options,
 }: {
   debugLoggerName: string;
   noAuthStatusMessage: string;
+  options?: GetAuthOptions;
 }) =>
   withLogger(debugLoggerName, logger => {
     return (req: RequestLike, opts?: { secretKey?: string }): AuthObject => {
@@ -24,7 +34,21 @@ export const createGetAuth = ({
 
       assertAuthStatus(req, noAuthStatusMessage);
 
-      return getAuthDataFromRequest(req, { ...opts, logger });
+      // Explicitly declare overloads at the top level
+      function getAuthDataFromRequest(
+        req: RequestLike,
+        opts: GetAuthDataFromRequestOptions & { entity: 'machine' },
+      ): Exclude<AuthObject, SignedInAuthObject | SignedOutAuthObject>;
+      function getAuthDataFromRequest(
+        req: RequestLike,
+        opts: GetAuthDataFromRequestOptions & { entity: 'user' },
+      ): Exclude<AuthObject, AuthenticatedMachineObject | UnauthenticatedMachineObject>;
+      function getAuthDataFromRequest(req: RequestLike, opts: GetAuthDataFromRequestOptions): AuthObject;
+      function getAuthDataFromRequest(req: RequestLike, opts: GetAuthDataFromRequestOptions) {
+        // Ensure you spread and pass the correct options, including the logger
+        return getAuthDataFromRequestOriginal(req, { ...opts, logger, entity: options?.entity });
+      }
+      return getAuthDataFromRequest(req, { ...opts, logger, entity: options?.entity });
     };
   });
 

packages/nextjs/src/server/data/getAuthDataFromRequest.ts

@@ -1,5 +1,18 @@
 import type { AuthObject } from '@clerk/backend';
-import { AuthStatus, constants, signedInAuthObject, signedOutAuthObject } from '@clerk/backend/internal';
+import type {
+  AuthenticatedMachineObject,
+  SignedInAuthObject,
+  SignedOutAuthObject,
+  UnauthenticatedMachineObject,
+} from '@clerk/backend/internal';
+import {
+  authenticatedMachineObject,
+  AuthStatus,
+  constants,
+  signedInAuthObject,
+  signedOutAuthObject,
+  unauthenticatedMachineObject,
+} from '@clerk/backend/internal';
 import { decodeJwt } from '@clerk/backend/jwt';
 
 import type { LoggerNoCommit } from '../../utils/debugLogger';
@@ -11,10 +24,21 @@ import { assertTokenSignature, decryptClerkRequestData, getAuthKeyFromRequest, g
  * Given a request object, builds an auth object from the request data. Used in server-side environments to get access
  * to auth data for a given request.
  */
+export type GetAuthDataFromRequestOptions = {
+  secretKey?: string;
+  logger?: LoggerNoCommit;
+  entity?: 'user' | 'machine';
+};
 export function getAuthDataFromRequest(
   req: RequestLike,
-  opts: { secretKey?: string; logger?: LoggerNoCommit } = {},
-): AuthObject {
+  opts: GetAuthDataFromRequestOptions & { entity: 'machine' },
+): Exclude<AuthObject, SignedInAuthObject | SignedOutAuthObject>;
+export function getAuthDataFromRequest(
+  req: RequestLike,
+  opts: GetAuthDataFromRequestOptions & { entity: 'user' },
+): Exclude<AuthObject, AuthenticatedMachineObject | UnauthenticatedMachineObject>;
+export function getAuthDataFromRequest(req: RequestLike, opts?: GetAuthDataFromRequestOptions): AuthObject;
+export function getAuthDataFromRequest(req: RequestLike, opts: GetAuthDataFromRequestOptions = {}) {
   const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');
   const authToken = getAuthKeyFromRequest(req, 'AuthToken');
   const authMessage = getAuthKeyFromRequest(req, 'AuthMessage');
@@ -39,7 +63,16 @@ export function getAuthDataFromRequest(
   opts.logger?.debug('auth options', options);
 
   let authObject;
-  if (!authStatus || authStatus !== AuthStatus.SignedIn) {
+  if (opts.entity === 'machine' && (!authStatus || authStatus !== AuthStatus.MachineAuthenticated)) {
+    authObject = unauthenticatedMachineObject(options);
+  } else if (opts.entity === 'machine' && authStatus === AuthStatus.MachineAuthenticated) {
+    assertTokenSignature(authToken as string, options.secretKey, authSignature);
+
+    const jwt = decodeJwt(authToken as string);
+
+    opts.logger?.debug('jwt', jwt.raw);
+    authObject = authenticatedMachineObject(jwt.raw.text, jwt.payload);
+  } else if (!authStatus || authStatus !== AuthStatus.SignedIn) {
     authObject = signedOutAuthObject(options);
   } else {
     assertTokenSignature(authToken as string, options.secretKey, authSignature);