fix: avoid Clerk user cache collisions#3298
Conversation
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughClerk session authentication now parses multiple JWT claim shapes into user identity, updates RBAC from mapped roles, caches users with a shorter TTL, and prefers ChangesClerk session auth flow
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@auth/clerk_client.go`:
- Around line 192-193: The RBAC update path in clerk auth is returning the raw
error from updateRole, which drops Clerk/user request context. In the auth flow
around updateRole and clerkRole, wrap the failure with ctx.Oops().Wrapf(err,
"failed to update role for Clerk user %s", dbUser.ID.String()) (or equivalent
request context) before returning, so AuthResult failures carry actionable
context while preserving the original error.
- Around line 160-170: The Clerk claims validation in the auth flow is returning
plain fmt.Errorf values, which loses the EINVALID contract for malformed input.
Update the error returns in the validation path around clerkOrgID(claims),
clerkUserID(claims), and the orgID checks to use
dutyAPI.Errorf(dutyAPI.EINVALID, "...") instead of fmt.Errorf so callers receive
typed validation errors consistently.
- Around line 461-465: The callbackSessionToken path is reading
clerk_session_token too broadly via ec.FormValue, which allows query-string
values to be accepted outside the POST body. Update
ClerkCredentialChecker.callbackSessionToken to only read the token from the POST
body using the echo context’s POST-form accessor, then fall back to
handler.extractSessionToken(ec) when absent. Add a regression test covering a
query-string clerk_session_token to ensure it is ignored.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 36f5c52d-c9e3-407e-8672-52813b88c7f3
📒 Files selected for processing (2)
auth/clerk_client.goauth/clerk_client_test.go
f7a7889 to
eee0d0e
Compare
Clerk Backend JWT template tokens can omit sid. The previous code coerced missing sid/user claims with fmt.Sprint and cached users under <nil>, so sid-less direct or OIDC tokens could reuse another user's cache entry and complete MCP login as that user. Validate the Clerk org before cache lookup, require user_id/sub, and cache Clerk users by org/user with a short TTL. sid is still returned when present, but it is not part of user cache identity. Prefer the explicitly relayed Clerk callback token over ambient browser credentials, and accept relayed Clerk tokens from the POST body only.
eee0d0e to
c1e81ae
Compare
Clerk Backend JWT template tokens can omit
sid, which caused missing claims to be coerced into shared cache keys.This could make sid-less direct/OIDC Clerk auth reuse another user's cached identity during MCP login. Validate org/user claims before cache lookup, namespace cache keys by org/session/user, short-cache sid-less tokens, and prefer the relayed Clerk callback token over ambient credentials.
Summary by CodeRabbit