tstepro 2y ago

Authed Http Actions

Are there any best practices for authenticating http actions? I'm currently using clerk. I can grab a token from clerk on the F/E. Any recommendations on how to verify/use that token on the B/E?
13 Replies
sshader 2y ago
I believe setting the Authorization header to Bearer <clerk token> should mean that ctx.auth.getUserIdentity() within the HTTP action returns the user identity for the corresponding clerk user?
tstepro (OP) 2y ago
Ooh awesome! So we kinda get that for free? I’ll play around with it 🙏
sshader 2y ago
Let me know if it works / if you run into any issues! I haven't tried this for a while
tstepro (OP) 2y ago
Is this documented anywhere? Just for future reference?
Michal Srb 2y ago
We’ll work on documenting this soon. I’ll post here when the docs have been upgraded.
tstepro (OP) 2y ago
I've tried pulling this out of the auth in the ctx but I don't think this is currently working.
tstepro (OP) 2y ago
Cross-Origin Requests | Clerk
This guide presents various ways to make authenticated cross-origin requests to the backend using the Clerk SDK.
tstepro (OP) 2y ago
When I observe the token that's passed into the websocket for convex and the token generated by "useAuth", I notice a difference. The JWT headers are the same:
{
"alg": "RS256",
"kid": "ins_<SOMETHING>",
"typ": "JWT"
}
But the JWT payload differs:
The auth token I see in the websocket for convex:
{
"aud": "convex",
"azp": "http://localhost:3001",
"email": "<MY EMAIL>",
"exp": 1690304196,
"external_uid": "<EXTRA STUFF I ADDED>",
"iat": 1690300596,
"iss": "<CLERK ISSUER>",
"jti": "<>",
"nbf": 1690300591,
"sub": "user_<ID>",
"uid": "user_<ID>",
"updated_at": 1689918779
}
When I directly call getToken from useAuth from Clerk's react lib:
{
"azp": "http://localhost:3001",
"exp": 1690300922,
"iat": 1690300862,
"iss": "<SAME ISSUER AS EARLIER>",
"nbf": 1690300852,
"sid": "<SESSION ID>",
"sub": "<SUBJECT>"
}
ballingt 2y ago
I think I've seen separate network requests to clerk for each of these tokens
tstepro (OP) 2y ago
Okay, what token should I use in order to get the auth context to include the user correctly? Another thing I should add, I can see the auth header in the http action. I can pull that out of the request.headers. So I’m sure that it’s getting passed in
ballingt 2y ago
I'm not sure, does getToken() take arguments? We call a similar one with template: "convex" https://github.com/get-convex/convex-js/blob/541ca6507a5d62b38f46de967db220b0edabebaf/src/react-clerk/ConvexProviderWithClerk.tsx#L63-L66
Michal Srb 2y ago
@ballingt is right, you need to call clerk with the correct arguments to get your token using the JWT template you set up.
tstepro (OP) 2y ago
Okay, this was the token call I made on the f/e in order to successfully get the user in the auth context:
const token = await getToken({
template: "convex",
});
Thanks everyone for your help! 🙏
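
An added debugging sketch, not code from the thread or from Convex or Clerk: it decodes the payload of whatever token the client is about to put in the Authorization header and reports why it differs from the template token shown above. It assumes the backend expects `aud` to be "convex", as in the websocket token in the thread; `decodeJwtPayload`, `diagnoseToken` and `makeSample` are hypothetical helper names, and decoding here does not verify the signature.

```javascript
// Added diagnostic example: decodes a JWT payload WITHOUT verifying the signature.
// Use it only to see which token the client sends; never to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Assumption: the backend expects aud "convex", as in the websocket token in the thread.
function diagnoseToken(token, expectedAud = "convex", nowSec = Math.floor(Date.now() / 1000)) {
  const p = decodeJwtPayload(token);
  const aud = p.aud === undefined ? [] : [].concat(p.aud); // aud may be a string or an array
  const problems = [];
  if (!aud.includes(expectedAud)) problems.push(`aud is ${JSON.stringify(p.aud)}, expected "${expectedAud}"`);
  if (typeof p.exp !== "number" || p.exp <= nowSec) problems.push("token is expired or has no exp");
  if (typeof p.nbf === "number" && p.nbf > nowSec) problems.push("token is not yet valid (nbf)");
  if ("sid" in p && !("aud" in p)) problems.push("looks like a default session token, not a JWT-template token");
  return { ok: problems.length === 0, lifetimeSec: p.exp - p.iat, problems };
}

// Constructed sample tokens: timestamps and placeholders copied from the thread,
// header reduced to alg/typ, signature is a dummy string.
function makeSample(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}
const templateToken = makeSample({ aud: "convex", iat: 1690300596, nbf: 1690300591, exp: 1690304196, sub: "user_<ID>" });
const sessionToken = makeSample({ iat: 1690300862, nbf: 1690300852, exp: 1690300922, sid: "<SESSION ID>", sub: "<SUBJECT>" });

const now = 1690300900; // constructed "current time" inside both validity windows
console.log(diagnoseToken(templateToken, "convex", now));
console.log(diagnoseToken(sessionToken, "convex", now));
```

With the thread's timestamps, the template token is valid for an hour while the default session token is valid for 60 seconds, so a cached session token also expires quickly.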
