Ability to skip cookie validation in middleware

[odannyc]

We currently use graphql for all of our requests from frontend (nextjs and react native) to our backend (Go).
We explicitly add the Authorization header to all those requests, so no need to do the cookie verification in the middleware. This is also causing issues for us because when we use graphiql everything comes back as 401 and we're unable to send debug requests through that tool.

Ideally we could simply add an "Option" (WithSkipCookieVerification): https://github.com/clerkinc/clerk-sdk-go/blob/98a655dfd24721353e05027bece746304748399b/clerk/middleware_v2.go#L46

Thanks

[dimkl]

Hello @odannyc
Checking the middleware_v2.go file (from the link you provided in the description) you can see that the 1st check the middleware does is for authentication header and then checks for cookies.
If you have added an Authorization header to the request (the cookies wont be processed) and it will only return 401 if the verification fails for the provided token.
Is it possible that you provide an expired or invalid token in your debug requests?
If you want to send un-authorized requests for debugging purposes then i would suggest you move the endpoints to another route that the middleware does not run or use a wrapper of middleware to conditional trigger the Clerk middleware based on the route.
I cannot find a reason for WithSkipCookieVerification to be implemented. Could you provide a code example of the issue described and more information?

[odannyc]

With GraphQL I only have 1 endpoint (/graph). That endpoint can accept unauthorized requests (Without the Authorization header), and this is when it fails always, because it can't find the auth header and it cant find the session cookies. I don't want the middleware to fail my requests if the cookie isn't found.

[IGassmann]

We're encountering the same issue.

With GraphQL I only have 1 endpoint (/graph). That endpoint can accept unauthorized requests (Without the Authorization header), and this is when it fails always, because it can't find the auth header and it cant find the session cookies. I don't want the middleware to fail my requests if the cookie isn't found.

[gkats]

I'm not sure if this helps, but the new v2 version of the library provides a middleware that only checks for bearer token authentication, with the Authorization header.

https://pkg.go.dev/github.com/clerk/clerk-sdk-go/v2/http

[matthewshirley]

Are there plans to support cookies again?

[gkats]

Are there plans to support cookies again?

Hi, @matthewshirley, yes, we do have plans for supporting cookie-based authentication again in v2.

We decided to release v2 without it because usage wasn't that high. It's definitely on our roadmap though.

If you don't mind me asking, what's your setup like?

[matthewshirley]

@gkats That's great, thank you! The setup is an SSR Go app using HTMX.

[zakpaw]

Hi @gkats, I have the same scenario with SRR go app, would you mind sharing what's the progress on cookie-based auth for v2? Should I just use v1?

[gkats]

would you mind sharing what's the progress on cookie-based auth for v2?

Hi @zakpaw, unfortunately priorities have shifted and cookie based support for v2 of our Go SDK is not at the top of the list.

I don't think I can provide an ETA, so in the meantime my suggestion would be to use v1. Really sorry I don't have better news to share.

[mattbrandman]

Just wanted to say I'm also using this with HTMX and lack of cookie support is blocking. Understand priorities shift but hopefully this is on a near term roadmap, not being able to use native forms submission auth feels odd for an auth library to be missing.

[jpc0]

For those interested you can use the http.AuthorizationJWTExtractor option to add your own extractor and get the JWT from the session cookie. This is an example of how to do so:

clerkhttp.RequireHeaderAuthorization(
    clerkhttp.AuthorizationJWTExtractor(
        utils.AuthorizationOrCookieJWTExtractor),
)

and the code for the utils.AuthorizationOrCookieJWTExtractor can be found in this gist: https://gist.github.com/jpc0/a2fad5a0347852a75c097b33844af15a

[crhntr]

Thanks @jpc0,

I continued to extend the extractor. I added some code to handle local development (by handling the handshake query param).

func authorizationOrCookieJWTExtractor(req *http.Request) (string, bool) {
	ctx := req.Context()

	if bearer, ok := parseHeader(req); ok {
		return bearer, ok
	}

	if sessionCookie, err := req.Cookie("__session"); err != nil {
		slog.Debug("failed to get session cookie", slog.String("error", err.Error()))
	} else {
		return sessionCookie.Value, true
	}

	if token, ok := parseHandshake(req, ctx); ok {
		return token, true
	}

	return "", false
}

func parseHeader(req *http.Request) (string, bool) {
	authorization := strings.TrimSpace(req.Header.Get("Authorization"))
	authorization = strings.TrimPrefix(authorization, "Bearer ")
	return authorization, authorization != ""
}

func parseHandshake(req *http.Request, ctx context.Context) (string, bool) {
	if !req.URL.Query().Has("__clerk_handshake") {
		return "", false
	}
	param := req.URL.Query().Get("__clerk_handshake")
	decoded, err := jwt.Decode(ctx, &jwt.DecodeParams{Token: param})
	if err != nil {
		slog.Debug("failed to decode handshake", slog.String("error", err.Error()))
		return "", false
	}
	handshake, ok := decoded.Extra["handshake"]
	if !ok {
		slog.Debug("missing handshake claim")
		return "", false
	}
	cookies, ok := handshake.([]any)
	if !ok {
		slog.Debug("handshake claim is not a slice of strings", slog.String("handshake_type", reflect.TypeOf(handshake).String()))
		return "", false
	}
	for _, elem := range cookies {
		cookie, ok := elem.(string)
		if !ok {
			continue
		}
		name, value, ok := strings.Cut(cookie, "=")
		if ok && name == "__session" {
			token, _, ok := strings.Cut(value, ";")
			if !ok {
				continue
			}
			return token, true
		}
	}
	return "", false
}