chore(repo,backend): Add machine-to-machine integration tests #6500
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
🦋 Changeset detectedLatest commit: 53a9eb8 The changes in this PR will be included in the next version bump. This PR includes changesets to release 11 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
wobsoriano
changed the title
wobsoriano
changed the title
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/elements
@clerk/clerk-expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/clerk-react
@clerk/react-router
@clerk/remix
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/themes
@clerk/types
@clerk/upgrade
@clerk/vue
commit: |
📝 WalkthroughWalkthroughAdds a new long-running app preset id "withMachine.express.vite". Introduces an integration test suite for machine-to-machine (M2M) auth that creates machines, issues/revokes M2M tokens, validates token handling and dynamic scope grants, and performs setup/teardown. Exports two new public types/resources (Machine, M2MToken) from @clerk/backend and adds a CreateM2MTokenParams field secondsUntilExpiration?: number | null. Adds package.json script Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes 📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (3)
integration/presets/longRunningApps.ts (1)
50-55: Consider implementing the TODO and organizing machine auth apps together.The TODO comment suggests grouping machine auth apps together. Since you're adding this section now, consider:
- Moving the existing API keys app (line 34:
next.appRouter.withAPIKeys) to this new section- Creating a clearer separation for machine auth apps
This would improve code organization and make it easier to find related configurations.
integration/tests/machine-auth/m2m.test.ts (2)
49-57: Use explicit return statement for clarity.While the current code works, using an explicit return statement improves code clarity.
app.get('/api/protected', (req, res) => { const { machineId } = getAuth(req, { acceptsToken: 'm2m_token' }); if (!machineId) { - res.status(401).send('Unauthorized'); - return; + return res.status(401).send('Unauthorized'); } - res.send('Protected response'); + return res.send('Protected response'); });
19-94: Consider adding error handling for setup operations.While the current implementation will fail tests if setup fails, adding try-catch blocks would make debugging easier when setup operations fail.
test.beforeAll(async () => { + try { const fakeCompanyName = faker.company.name(); // ... rest of the setup code ... + } catch (error) { + console.error('Failed to set up M2M test environment:', error); + throw error; + } });
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (5)
integration/presets/longRunningApps.ts(1 hunks)integration/tests/machine-auth/m2m.test.ts(1 hunks)package.json(1 hunks)packages/backend/src/index.ts(1 hunks)turbo.json(1 hunks)
🧰 Additional context used
📓 Path-based instructions (12)
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels
Files:
integration/presets/longRunningApps.tspackages/backend/src/index.tsintegration/tests/machine-auth/m2m.test.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Use Prettier for consistent code formatting
Files:
integration/presets/longRunningApps.tspackages/backend/src/index.tspackage.jsonintegration/tests/machine-auth/m2m.test.tsturbo.json
**/*.{ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Use proper TypeScript error types
**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoidanytype - preferunknownwhen type is uncertain, then narrow with type guards
Useinterfacefor object shapes that might be extended
Usetypefor unions, primitives, and computed types
Preferreadonlyproperties for immutable data structures
Useprivatefor internal implementation details
Useprotectedfor inheritance hierarchies
Usepublicexplicitly for clarity in public APIs
Preferreadonlyfor properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Useconst assertionsfor literal types:as const
Usesatisfiesoperator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports:import type { ... } from ...
Noanytypes without justification
Proper error handling with typed errors
Consistent use ofreadonlyfor immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)
Files:
integration/presets/longRunningApps.tspackages/backend/src/index.tsintegration/tests/machine-auth/m2m.test.ts
integration/**
📄 CodeRabbit Inference Engine (.cursor/rules/global.mdc)
Framework integration templates and E2E tests should be placed under the integration/ directory
Files:
integration/presets/longRunningApps.tsintegration/tests/machine-auth/m2m.test.ts
integration/**/*
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
End-to-end tests and integration templates must be located in the 'integration/' directory.
Files:
integration/presets/longRunningApps.tsintegration/tests/machine-auth/m2m.test.ts
**/*.{js,ts,tsx,jsx}
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.
Files:
integration/presets/longRunningApps.tspackages/backend/src/index.tsintegration/tests/machine-auth/m2m.test.ts
**/*
⚙️ CodeRabbit Configuration File
If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.
Files:
integration/presets/longRunningApps.tspackages/backend/src/index.tspackage.jsonintegration/tests/machine-auth/m2m.test.tsturbo.json
packages/**/*.{ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
TypeScript is required for all packages
Files:
packages/backend/src/index.ts
packages/**/*.{ts,tsx,d.ts}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Packages should export TypeScript types alongside runtime code
Files:
packages/backend/src/index.ts
packages/**/index.{js,ts}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Use tree-shaking friendly exports
Files:
packages/backend/src/index.ts
**/index.ts
📄 CodeRabbit Inference Engine (.cursor/rules/react.mdc)
Use index.ts files for clean imports but avoid deep barrel exports
Avoid barrel files (index.ts re-exports) as they can cause circular dependencies
Files:
packages/backend/src/index.ts
integration/**/*.{test,spec}.{js,ts}
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
Integration tests should use Playwright.
Files:
integration/tests/machine-auth/m2m.test.ts
🔇 Additional comments (6)
package.json (1)
45-45: LGTM! Script follows established patterns.The new integration test script correctly follows the naming convention and structure of other integration test scripts in the file.
packages/backend/src/index.ts (1)
129-130: Exports Verified: Machine and M2MToken definitions existMachine and M2MToken are implemented as classes in the resources module and match the new exports.
• packages/backend/src/api/resources/Machine.ts →
export class Machine
• packages/backend/src/api/resources/M2MToken.ts →export class M2MTokenturbo.json (1)
348-359: LGTM! Turbo task configuration is consistent.The new integration test task follows the established pattern and includes all necessary dependencies for the M2M tests.
integration/tests/machine-auth/m2m.test.ts (3)
1-18: LGTM! Test structure and imports are well organized.Good use of parallel mode for test performance and proper tagging with @machine for test filtering.
96-110: Excellent cleanup implementation.The cleanup properly revokes tokens before deleting machines and ensures all resources are cleaned up in the correct order.
112-177: Comprehensive test coverage for M2M authentication scenarios.The tests properly cover:
- Invalid token rejection
- Access control based on machine scopes
- Dynamic scope grants
Good practice cleaning up the temporary token in the authorized access test.
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/ci.yml(1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/*.yml
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
CI/CD must be configured with GitHub Actions.
Files:
.github/workflows/ci.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)
- GitHub Check: Integration Tests (nextjs, chrome, 14)
- GitHub Check: Integration Tests (nuxt, chrome)
- GitHub Check: Integration Tests (machine, chrome)
- GitHub Check: Integration Tests (nextjs, chrome, 15)
- GitHub Check: Integration Tests (astro, chrome)
- GitHub Check: Integration Tests (vue, chrome)
- GitHub Check: Integration Tests (billing, chrome)
- GitHub Check: Integration Tests (tanstack-react-router, chrome)
- GitHub Check: Integration Tests (localhost, chrome)
- GitHub Check: Integration Tests (expo-web, chrome)
- GitHub Check: Integration Tests (react-router, chrome)
- GitHub Check: Integration Tests (tanstack-react-start, chrome)
- GitHub Check: Integration Tests (quickstart, chrome)
- GitHub Check: Integration Tests (generic, chrome)
- GitHub Check: Integration Tests (ap-flows, chrome)
- GitHub Check: Integration Tests (elements, chrome)
- GitHub Check: Integration Tests (sessions, chrome)
- GitHub Check: Integration Tests (express, chrome)
- GitHub Check: Publish with pkg-pr-new
- GitHub Check: Unit Tests (22, **)
- GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
- GitHub Check: Static analysis
- GitHub Check: semgrep/ci
- GitHub Check: Analyze (javascript-typescript)
- GitHub Check: semgrep-cloud-platform/scan
wobsoriano
changed the title
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
.changeset/nasty-colts-travel.md(1 hunks)integration/tests/machine-auth/m2m.test.ts(1 hunks)packages/backend/src/api/endpoints/M2MTokenApi.ts(1 hunks)
✅ Files skipped from review due to trivial changes (1)
- packages/backend/src/api/endpoints/M2MTokenApi.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- integration/tests/machine-auth/m2m.test.ts
🧰 Additional context used
📓 Path-based instructions (1)
.changeset/**
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
Automated releases must use Changesets.
Files:
.changeset/nasty-colts-travel.md
🔇 Additional comments (1)
.changeset/nasty-colts-travel.md (1)
1-3: Changeset frontmatter looks validPackage name and release type are correctly specified and properly quoted.
| "@clerk/backend": patch | ||
| --- | ||
|
|
||
| Exports `Machine` and `M2MToken` resource classes |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Clarify wording and verify “classes” vs “types”; double-check semver level
The body currently says “resource classes,” while the PR summary mentions exporting “types.” Ensure the note matches the actual exports (classes vs types). Also, adding new public exports is often considered a minor release per SemVer, not a patch—confirm if “patch” is intended.
If the intent is generic and accurate regardless of implementation detail, you can update the copy to avoid ambiguity:
-Exports `Machine` and `M2MToken` resource classes
+Expose `Machine` and `M2MToken` as public exports.Optionally, if this is a minor release:
-"@clerk/backend": patch
+"@clerk/backend": minorRun this script to verify the nature of the exports and ensure the wording is accurate:
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Checking export statements in packages/backend/src/index.ts..."
rg -n -A2 -B2 'export .* (Machine|M2MToken)' packages/backend/src/index.ts || true
echo
echo "Searching for declarations to determine if they are classes or types..."
rg -n -A2 -B2 'export (class|type|interface) (Machine|M2MToken)' packages/backend/src || trueLength of output: 6239
Update semver to minor for new exports
The term “resource classes” is accurate—both Machine and M2MToken are declared as export class in packages/backend/src/api/resources. However, exposing new public API requires a minor bump, not a patch.
- .changeset/nasty-colts-travel.md
--- a/.changeset/nasty-colts-travel.md
- "@clerk/backend": patch
+ "@clerk/backend": minor📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| Exports `Machine` and `M2MToken` resource classes | |
| --- | |
| "@clerk/backend": minor | |
| --- | |
| Exports `Machine` and `M2MToken` resource classes |
🤖 Prompt for AI Agents
In .changeset/nasty-colts-travel.md around line 5, the changeset currently marks
the package bump as a patch despite adding new exported resource classes; edit
the changeset to change the version bump from "patch" to "minor" (i.e., update
the bump level in the file header or package entry to "minor"), save and commit
the updated changeset so the release tooling will perform a minor version bump.
There was a problem hiding this comment.
Actionable comments posted: 0
🔭 Outside diff range comments (3)
packages/backend/src/api/endpoints/M2MTokenApi.ts (3)
60-76: Validate secondsUntilExpiration at the SDK boundary and add explicit return typePer guidelines, validate inputs and provide explicit return types for public APIs. Guarding here avoids cryptic backend 4xxs and gives developers actionable messages.
Apply:
- async create(params?: CreateM2MTokenParams) { + async create(params?: CreateM2MTokenParams): Promise<M2MToken> { const { claims = null, machineSecretKey, secondsUntilExpiration = null } = params || {}; + if (secondsUntilExpiration != null) { + if (!Number.isInteger(secondsUntilExpiration) || secondsUntilExpiration <= 0) { + throw new TypeError('secondsUntilExpiration must be a positive integer (seconds).'); + } + } const requestOptions = this.#createRequestOptions( { method: 'POST', path: basePath, bodyParams: { secondsUntilExpiration, claims, }, }, machineSecretKey, ); return this.request<M2MToken>(requestOptions); }
78-95: Add explicit return type to revoke()Aligns with “explicit return types for public APIs”.
- async revoke(params: RevokeM2MTokenParams) { + async revoke(params: RevokeM2MTokenParams): Promise<M2MToken> {
97-110: Add explicit return type to verifySecret()Aligns with “explicit return types for public APIs”.
- async verifySecret(params: VerifyM2MTokenParams) { + async verifySecret(params: VerifyM2MTokenParams): Promise<M2MToken> {
🧹 Nitpick comments (4)
.changeset/nasty-colts-travel.md (1)
5-5: Expand the changeset description for clarityBriefly call out that you’re adding new public resource classes (runtime exports), and reference any relevant files (e.g., packages/backend/src/index.ts) to aid changelog readers.
Here’s a clearer description you can use:
Exports the Machine and M2MToken resource classes from @clerk/backend (public API). No breaking changes.packages/backend/src/api/endpoints/M2MTokenApi.ts (3)
13-17: Clarify TTL semantics in JSDoc (positive integer and null behavior)Specify that the value must be a positive integer in seconds and that null means "no expiration".
Apply this doc tweak:
/** - * Number of seconds until the token expires. - * - * @default null - Token does not expire + * Number of seconds until the token expires. + * Must be a positive integer (seconds). Use `null` for non-expiring tokens. + * @default null */
45-58: Add explicit return type to private helper for stronger typingImproves readability and type safety.
- #createRequestOptions(options: ClerkBackendApiRequestOptions, machineSecretKey?: string) { + #createRequestOptions( + options: ClerkBackendApiRequestOptions, + machineSecretKey?: string, + ): ClerkBackendApiRequestOptions {
60-76: Consider adding an integration test for token expiration (TTL)New TTL input is not obviously covered by the added tests. Add an integration test that issues a short-lived token via secondsUntilExpiration, verifies it works immediately, then verifies it fails after expiry.
I can draft a test that:
- Issues a token with secondsUntilExpiration: 1
- Verifies access succeeds right away
- Sleeps ~2s
- Verifies the same token is now rejected (expired)
Want me to prepare the test scaffold under integration/tests/machine-auth?
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
.changeset/nasty-colts-travel.md(1 hunks)integration/tests/machine-auth/m2m.test.ts(1 hunks)packages/backend/src/api/endpoints/M2MTokenApi.ts(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- integration/tests/machine-auth/m2m.test.ts
🧰 Additional context used
📓 Path-based instructions (8)
.changeset/**
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
Automated releases must use Changesets.
Files:
.changeset/nasty-colts-travel.md
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Use Prettier for consistent code formatting
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
packages/**/*.{ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
TypeScript is required for all packages
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
packages/**/*.{ts,tsx,d.ts}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Packages should export TypeScript types alongside runtime code
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
**/*.{ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)
Use proper TypeScript error types
**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoidanytype - preferunknownwhen type is uncertain, then narrow with type guards
Useinterfacefor object shapes that might be extended
Usetypefor unions, primitives, and computed types
Preferreadonlyproperties for immutable data structures
Useprivatefor internal implementation details
Useprotectedfor inheritance hierarchies
Usepublicexplicitly for clarity in public APIs
Preferreadonlyfor properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Useconst assertionsfor literal types:as const
Usesatisfiesoperator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports:import type { ... } from ...
Noanytypes without justification
Proper error handling with typed errors
Consistent use ofreadonlyfor immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
**/*.{js,ts,tsx,jsx}
📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)
Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
**/*
⚙️ CodeRabbit Configuration File
If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.
Files:
packages/backend/src/api/endpoints/M2MTokenApi.ts
🔇 Additional comments (1)
.changeset/nasty-colts-travel.md (1)
2-2: Bump level should be minor, not patch, for new public exportsExporting new public resource classes is a feature addition to the public API surface and warrants a minor version bump per semver.
Apply this diff:
-"@clerk/backend": patch +"@clerk/backend": minorIf this export is intentionally treated as a patch under your release policy, please confirm.
| @@ -293,6 +293,7 @@ jobs: | |||
| 'nuxt', | |||
| 'react-router', | |||
| 'billing', | |||
| 'machine' | |||
There was a problem hiding this comment.
🙃
| 'machine' | |
| 'm2m' |
There was a problem hiding this comment.
So there's a follow up PR for this that will group all "machine" related tests (api keys, m2m)
| "@clerk/testing#build", | ||
| "@clerk/clerk-js#build", | ||
| "@clerk/backend#build", | ||
| "@clerk/nextjs#build", |
There was a problem hiding this comment.
We are testing against nextjs, right ?
There was a problem hiding this comment.
Related to my comment above, the api keys test needs nextjs
Co-authored-by: panteliselef <[email protected]>
Description
This PR adds E2E tests for the machine-to-machine SDK support
Checklist
pnpm testruns as expected.pnpm buildruns as expected.Type of change
Summary by CodeRabbit
New Features
Tests
Chores