fix(auth): cache Clerk JWKS instead of nil-panic on fetch failure

[adityathebe]

Problem

A transient network blip reaching Clerk's JWKS endpoint (context deadline exceeded fetching .../.well-known/jwks.json) caused a nil-pointer panic in the auth flow, taking down request goroutines and the OIDC callback:

[coderabbitai]

Warning

Review limit reached

@moshloop, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 54f0ac7b-6ab3-4e34-bf38-7b2fa6993292

📥 Commits

Reviewing files that changed from the base of the PR and between 623d042 and e3432d4.

📒 Files selected for processing (2)

• auth/clerk_client.go
• auth/tokens.go

Walkthrough

getJWTKeyFunc in auth/tokens.go is renamed to newClerkKeyfunc and updated to return (jwt.Keyfunc, error) instead of using logger.Fatalf. A new jwksCache struct in auth/clerk_client.go lazily initializes and memoizes the keyfunc using a sync.Mutex, replacing the per-request call pattern in ClerkHandler.

Changes

Lazy JWKS keyfunc caching

Layer / File(s)	Summary
newClerkKeyfunc helper auth/tokens.go	Renames getJWTKeyFunc to newClerkKeyfunc, changes return type to (jwt.Keyfunc, error), and replaces logger.Fatalf with a wrapped error return on JWKS fetch failure.
jwksCache and ClerkHandler wiring auth/clerk_client.go	Adds sync import, introduces jwksCache with mutex-guarded lazy initialization of the keyfunc, and updates NewClerkHandler and parseJWTToken to use h.jwks.keyfunc() instead of calling the helper per request.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main fix: caching Clerk JWKS and preventing nil-pointer panics on fetch failure.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/clerk-jwks-nil-panic

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/clerk-jwks-nil-panic

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}