feat(clerk-js,clerk-react,types,nextjs): Support assurance in has() (#4118)

Author: panteliselef

.changeset/red-pens-rest.md

@@ -0,0 +1,20 @@
+---
+"@clerk/clerk-js": minor
+"@clerk/backend": minor
+"@clerk/shared": minor
+"@clerk/clerk-react": minor
+"@clerk/types": minor
+---
+
+Experimental support for `has()` with assurance.
+Example usage:
+```ts
+has({ 
+  __experimental_assurance: {
+    level: 'L2.secondFactor',
+    maxAge: 'A1.10min'
+  }
+})
+```
+
+Created a shared utility called `createCheckAuthorization` exported from `@clerk/shared`

packages/backend/src/tokens/authObjects.ts

@@ -1,3 +1,4 @@
+import { createCheckAuthorization } from '@clerk/shared/authorization';
 import type {
   ActClaim,
   CheckAuthorizationWithCustomPermissions,
@@ -123,7 +124,7 @@ export function signedInAuthObject(
     orgPermissions,
     __experimental_factorVerificationAge,
     getToken,
-    has: createHasAuthorization({ orgId, orgRole, orgPermissions, userId }),
+    has: createCheckAuthorization({ orgId, orgRole, orgPermissions, userId, __experimental_factorVerificationAge }),
     debug: createDebug({ ...authenticateContext, sessionToken }),
   };
 }
@@ -182,34 +183,3 @@ const createGetToken: CreateGetToken = params => {
     return sessionToken;
   };
 };
-
-const createHasAuthorization = (options: {
-  userId: string;
-  orgId: string | undefined;
-  orgRole: string | undefined;
-  orgPermissions: string[] | undefined;
-}): CheckAuthorizationWithCustomPermissions => {
-  const { orgId, orgRole, userId, orgPermissions } = options;
-
-  return params => {
-    if (!params?.permission && !params?.role) {
-      throw new Error(
-        'Missing parameters. `has` from `auth` or `getAuth` requires a permission or role key to be passed. Example usage: `has({permission: "org:posts:edit"`',
-      );
-    }
-
-    if (!orgId || !userId || !orgRole || !orgPermissions) {
-      return false;
-    }
-
-    if (params.permission) {
-      return orgPermissions.includes(params.permission);
-    }
-
-    if (params.role) {
-      return orgRole === params.role;
-    }
-
-    return false;
-  };
-};

packages/clerk-js/src/core/resources/Session.ts

@@ -1,4 +1,5 @@
 import { runWithExponentialBackOff } from '@clerk/shared';
+import { createCheckAuthorization } from '@clerk/shared/authorization';
 import { is4xxError } from '@clerk/shared/error';
 import type {
   __experimental_SessionVerificationJSON,
@@ -88,31 +89,15 @@ export class Session extends BaseResource implements SessionResource {
   };
 
   checkAuthorization: CheckAuthorization = params => {
-    // if there is no active organization user can not be authorized
-    if (!this.lastActiveOrganizationId || !this.user) {
-      return false;
-    }
-
-    // loop through organizationMemberships from client piggybacking
-    const orgMemberships = this.user.organizationMemberships || [];
+    const orgMemberships = this.user?.organizationMemberships || [];
     const activeMembership = orgMemberships.find(mem => mem.organization.id === this.lastActiveOrganizationId);
-
-    // Based on FAPI this should never happen, but we handle it anyway
-    if (!activeMembership) {
-      return false;
-    }
-
-    const activeOrganizationPermissions = activeMembership.permissions;
-    const activeOrganizationRole = activeMembership.role;
-
-    if (params.permission) {
-      return activeOrganizationPermissions.includes(params.permission);
-    }
-    if (params.role) {
-      return activeOrganizationRole === params.role;
-    }
-
-    return false;
+    return createCheckAuthorization({
+      userId: this.user?.id,
+      __experimental_factorVerificationAge: this.__experimental_factorVerificationAge,
+      orgId: activeMembership?.id,
+      orgRole: activeMembership?.role,
+      orgPermissions: activeMembership?.permissions,
+    })(params);
   };
 
   #hydrateCache = (token: TokenResource | null) => {

packages/clerk-js/src/core/resources/__tests__/Session.test.ts

@@ -128,10 +128,10 @@ export const createExternalAccount = (params?: Partial<ExternalAccountJSON>): Ex
   } as ExternalAccountJSON;
 };
 
-export const createUser = (params: WithUserParams): UserJSON => {
+export const createUser = (params?: WithUserParams): UserJSON => {
   const res = {
     object: 'user',
-    id: params.id,
+    id: params?.id || 'user_123',
     primary_email_address_id: '',
     primary_phone_number_id: '',
     primary_web3_wallet_id: '',
@@ -152,16 +152,16 @@ export const createUser = (params: WithUserParams): UserJSON => {
     updated_at: new Date().getTime(),
     created_at: new Date().getTime(),
     ...params,
-    email_addresses: (params.email_addresses || []).map(e =>
+    email_addresses: (params?.email_addresses || []).map(e =>
       typeof e === 'string' ? createEmail({ email_address: e }) : createEmail(e),
     ),
-    phone_numbers: (params.phone_numbers || []).map(n =>
+    phone_numbers: (params?.phone_numbers || []).map(n =>
       typeof n === 'string' ? createPhoneNumber({ phone_number: n }) : createPhoneNumber(n),
     ),
-    external_accounts: (params.external_accounts || []).map(p =>
+    external_accounts: (params?.external_accounts || []).map(p =>
       typeof p === 'string' ? createExternalAccount({ provider: p }) : createExternalAccount(p),
     ),
-    organization_memberships: (params.organization_memberships || []).map(o =>
+    organization_memberships: (params?.organization_memberships || []).map(o =>
       typeof o === 'string' ? createOrganizationMembership({ name: o }) : createOrganizationMembership(o),
     ),
   } as UserJSON;

packages/clerk-js/src/core/test/fixtures.ts

@@ -0,0 +1,87 @@
+import { expectTypeOf } from 'expect-type';
+
+import type { useAuth } from '../useAuth';
+
+type HasFunction = Exclude<ReturnType<typeof useAuth>['has'], undefined>;
+type ParamsOfHas = Parameters<HasFunction>[0];
+
+describe('useAuth type tests', () => {
+  describe('has', () => {
+    it('has({}) is allowed', () => {
+      expectTypeOf({} as const).toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('has({role: string}) is allowed', () => {
+      expectTypeOf({ role: 'org:admin' }).toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('has({role: string, permission: string}) is NOT allowed', () => {
+      expectTypeOf({ role: 'org:admin', permission: 'some-perm' }).not.toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('has with role and assurance is allowed', () => {
+      expectTypeOf({
+        role: 'org:admin',
+        __experimental_assurance: {
+          level: 'L1.firstFactor',
+          maxAge: 'A1.10min',
+        },
+      } as const).toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('has with permission and assurance is allowed', () => {
+      expectTypeOf({
+        permission: 'org:edit:posts',
+        __experimental_assurance: {
+          level: 'L1.firstFactor',
+          maxAge: 'A1.10min',
+        },
+      } as const).toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('has({assurance: {level, maxAge}}) is allowed', () => {
+      expectTypeOf({
+        __experimental_assurance: {
+          level: 'L1.firstFactor',
+          maxAge: 'A1.10min',
+        },
+      } as const).toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('assurance with other strings as maxAge should throw', () => {
+      expectTypeOf({
+        __experimental_assurance: {
+          level: 'L1.firstFactor',
+          maxAge: 'some-value',
+        },
+      } as const).not.toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('assurance with number as maxAge should throw', () => {
+      expectTypeOf({
+        __experimental_assurance: {
+          level: 'L1.firstFactor',
+          maxAge: 1000,
+        },
+      } as const).not.toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('assurance with other strings as level should throw', () => {
+      expectTypeOf({
+        __experimental_assurance: {
+          level: 'some-factor',
+          maxAge: 'A1.10min',
+        },
+      } as const).not.toMatchTypeOf<ParamsOfHas>();
+    });
+
+    it('assurance with number as level should throw', () => {
+      expectTypeOf({
+        __experimental_assurance: {
+          level: 2,
+          maxAge: 'A1.10min',
+        },
+      } as const).not.toMatchTypeOf<ParamsOfHas>();
+    });
+  });
+});

packages/react/src/hooks/__tests__/useAuth.test.ts

@@ -1,3 +1,4 @@
+import { createCheckAuthorization } from '@clerk/shared/authorization';
 import type {
   ActJWTClaim,
   CheckAuthorizationWithCustomPermissions,
@@ -10,12 +11,12 @@ import { useCallback } from 'react';
 import { useAuthContext } from '../contexts/AuthContext';
 import { useIsomorphicClerkContext } from '../contexts/IsomorphicClerkContext';
 import { errorThrower } from '../errors/errorThrower';
-import { invalidStateError, useAuthHasRequiresRoleOrPermission } from '../errors/messages';
+import { invalidStateError } from '../errors/messages';
 import { useAssertWrappedByClerkProvider } from './useAssertWrappedByClerkProvider';
 import { createGetToken, createSignOut } from './utils';
 
 type CheckAuthorizationSignedOut = undefined;
-type CheckAuthorizationWithoutOrgOrUser = (params?: Parameters<CheckAuthorizationWithCustomPermissions>[0]) => false;
+type CheckAuthorizationWithoutOrgOrUser = (params: Parameters<CheckAuthorizationWithCustomPermissions>[0]) => false;
 
 type UseAuthReturn =
   | {
@@ -53,7 +54,7 @@ type UseAuthReturn =
       orgId: null;
       orgRole: null;
       orgSlug: null;
-      has: CheckAuthorizationWithoutOrgOrUser;
+      has: CheckAuthorizationWithCustomPermissions;
       signOut: SignOut;
       getToken: GetToken;
     }
@@ -112,33 +113,24 @@ type UseAuth = () => UseAuthReturn;
 export const useAuth: UseAuth = () => {
   useAssertWrappedByClerkProvider('useAuth');
 
-  const { sessionId, userId, actor, orgId, orgRole, orgSlug, orgPermissions } = useAuthContext();
+  const { sessionId, userId, actor, orgId, orgRole, orgSlug, orgPermissions, __experimental_factorVerificationAge } =
+    useAuthContext();
   const isomorphicClerk = useIsomorphicClerkContext();
 
   const getToken: GetToken = useCallback(createGetToken(isomorphicClerk), [isomorphicClerk]);
   const signOut: SignOut = useCallback(createSignOut(isomorphicClerk), [isomorphicClerk]);
 
   const has = useCallback(
     (params: Parameters<CheckAuthorizationWithCustomPermissions>[0]) => {
-      if (!params?.permission && !params?.role) {
-        errorThrower.throw(useAuthHasRequiresRoleOrPermission);
-      }
-
-      if (!orgId || !userId || !orgRole || !orgPermissions) {
-        return false;
-      }
-
-      if (params.permission) {
-        return orgPermissions.includes(params.permission);
-      }
-
-      if (params.role) {
-        return orgRole === params.role;
-      }
-
-      return false;
+      return createCheckAuthorization({
+        userId,
+        orgId,
+        orgRole,
+        orgPermissions,
+        __experimental_factorVerificationAge,
+      })(params);
     },
-    [orgId, orgRole, userId, orgPermissions],
+    [userId, __experimental_factorVerificationAge, orgId, orgRole, orgPermissions],
   );
 
   if (sessionId === undefined && userId === undefined) {
@@ -199,7 +191,7 @@ export const useAuth: UseAuth = () => {
       orgId: null,
       orgRole: null,
       orgSlug: null,
-      has: () => false,
+      has,
       signOut,
       getToken,
     };

packages/react/src/hooks/useAuth.ts

@@ -0,0 +1,132 @@
+import type {
+  __experimental_SessionVerificationLevel,
+  __experimental_SessionVerificationMaxAge,
+  CheckAuthorizationWithCustomPermissions,
+  OrganizationCustomPermissionKey,
+  OrganizationCustomRoleKey,
+} from '@clerk/types';
+
+type MaxAgeMap = Record<__experimental_SessionVerificationMaxAge, number>;
+type AuthorizationOptions = {
+  userId: string | null | undefined;
+  orgId: string | null | undefined;
+  orgRole: string | null | undefined;
+  orgPermissions: string[] | null | undefined;
+  __experimental_factorVerificationAge: [number, number] | null;
+};
+
+type CheckOrgAuthorization = (
+  params: { role?: OrganizationCustomRoleKey; permission?: OrganizationCustomPermissionKey },
+  { orgId, orgRole, orgPermissions }: AuthorizationOptions,
+) => boolean | null;
+
+type CheckStepUpAuthorization = (
+  params: {
+    __experimental_assurance?: {
+      level: __experimental_SessionVerificationLevel;
+      maxAge: __experimental_SessionVerificationMaxAge;
+    };
+  },
+  { __experimental_factorVerificationAge }: AuthorizationOptions,
+) => boolean | null;
+
+const MAX_AGE_TO_MINUTES: MaxAgeMap = {
+  'A1.10min': 10,
+  'A2.1hr': 60,
+  'A3.4hr': 240, //4 * 60
+  'A4.1day': 1440, //24 * 60,
+  'A5.1wk': 10080, //7 * 24 * 60,
+};
+
+const ALLOWED_MAX_AGES = new Set<__experimental_SessionVerificationMaxAge>(
+  Object.keys(MAX_AGE_TO_MINUTES) as __experimental_SessionVerificationMaxAge[],
+);
+const ALLOWED_LEVELS = new Set<__experimental_SessionVerificationLevel>([
+  'L1.firstFactor',
+  'L2.secondFactor',
+  'L3.multiFactor',
+]);
+
+// Helper functions
+const isValidMaxAge = (maxAge: __experimental_SessionVerificationMaxAge) => ALLOWED_MAX_AGES.has(maxAge);
+const isValidLevel = (level: __experimental_SessionVerificationLevel) => ALLOWED_LEVELS.has(level);
+
+/**
+ * Checks if a user has the required organization-level authorization.
+ * Verifies if the user has the specified role or permission within their organization.
+ * @returns null, if unable to determine due to missing data or unspecified role/permission.
+ */
+const checkOrgAuthorization: CheckOrgAuthorization = (params, options) => {
+  const { orgId, orgRole, orgPermissions } = options;
+  if (!params.role && !params.permission) {
+    return null;
+  }
+  if (!orgId || !orgRole || !orgPermissions) {
+    return null;
+  }
+
+  if (params.permission) {
+    return orgPermissions.includes(params.permission);
+  }
+  if (params.role) {
+    return orgRole === params.role;
+  }
+  return null;
+};
+
+/**
+ * Evaluates if the user meets step-up authentication requirements.
+ * Compares the user's factor verification ages against the specified maxAge.
+ * Handles different verification levels (first factor, second factor, multi-factor).
+ * @returns null, if requirements or verification data are missing.
+ */
+const checkStepUpAuthorization: CheckStepUpAuthorization = (params, { __experimental_factorVerificationAge }) => {
+  if (!params.__experimental_assurance || !__experimental_factorVerificationAge) {
+    return null;
+  }
+  const { level, maxAge } = params.__experimental_assurance;
+
+  if (!isValidLevel(level) || !isValidMaxAge(maxAge)) {
+    return null;
+  }
+
+  const [factor1Age, factor2Age] = __experimental_factorVerificationAge;
+  const maxAgeInMinutes = MAX_AGE_TO_MINUTES[maxAge];
+
+  // -1 indicates the factor group (1fa,2fa) is not enabled
+  // -1 for 1fa is not a valid scenario, but we need to make sure we handle it properly
+  const isValidFactor1 = factor1Age !== -1 ? maxAgeInMinutes > factor1Age : null;
+  const isValidFactor2 = factor2Age !== -1 ? maxAgeInMinutes > factor2Age : null;
+
+  switch (level) {
+    case 'L1.firstFactor':
+      return isValidFactor1;
+    case 'L2.secondFactor':
+      return factor2Age !== -1 ? isValidFactor2 : isValidFactor1;
+    case 'L3.multiFactor':
+      return factor2Age === -1 ? isValidFactor1 : isValidFactor1 && isValidFactor2;
+  }
+};
+
+/**
+ * Creates a function for comprehensive user authorization checks.
+ * Combines organization-level and step-up authentication checks.
+ * The returned function authorizes if both checks pass, or if at least one passes
+ * when the other is indeterminate. Fails if userId is missing.
+ */
+export const createCheckAuthorization = (options: AuthorizationOptions): CheckAuthorizationWithCustomPermissions => {
+  return (params): boolean => {
+    if (!options.userId) {
+      return false;
+    }
+
+    const orgAuthorization = checkOrgAuthorization(params, options);
+    const stepUpAuthorization = checkStepUpAuthorization(params, options);
+
+    if ([orgAuthorization, stepUpAuthorization].some(a => a === null)) {
+      return [orgAuthorization, stepUpAuthorization].some(a => a === true);
+    }
+
+    return [orgAuthorization, stepUpAuthorization].every(a => a === true);
+  };
+};

packages/shared/src/authorization.ts

@@ -2,6 +2,7 @@
 // We have to polyfill our "exports" subpaths :cry:
 
 export const subpathNames = [
+  'authorization',
   'browser',
   'callWithRetry',
   'color',

packages/shared/subpaths.mjs

@@ -28,27 +28,44 @@ export type CheckAuthorizationFn<Params> = (isAuthorizedParams: Params) => boole
 export type CheckAuthorizationWithCustomPermissions =
   CheckAuthorizationFn<CheckAuthorizationParamsWithCustomPermissions>;
 
-export type CheckAuthorizationParamsWithCustomPermissions =
+export type CheckAuthorizationParamsWithCustomPermissions = (
   | {
       role: OrganizationCustomRoleKey;
       permission?: never;
     }
   | {
       role?: never;
       permission: OrganizationCustomPermissionKey;
-    };
+    }
+  | { role?: never; permission?: never }
+) & {
+  __experimental_assurance?: {
+    level: __experimental_SessionVerificationLevel;
+    maxAge: __experimental_SessionVerificationMaxAge;
+  };
+};
 
 export type CheckAuthorization = CheckAuthorizationFn<CheckAuthorizationParams>;
 
-type CheckAuthorizationParams =
+type CheckAuthorizationParams = (
   | {
       role: OrganizationCustomRoleKey;
       permission?: never;
     }
   | {
       role?: never;
       permission: OrganizationPermissionKey;
-    };
+    }
+  | {
+      role?: never;
+      permission?: never;
+    }
+) & {
+  __experimental_assurance?: {
+    level: __experimental_SessionVerificationLevel;
+    maxAge: __experimental_SessionVerificationMaxAge;
+  };
+};
 
 export interface SessionResource extends ClerkResource {
   id: string;