fix: interstitial of failed token verification (#103)

* fix: Change signed-out & interstitial request state conditions Set signed-out as default request state and return interstitial ONLY when the token verification fails with expired or invalid_iat errors. * chore: Add codeowners
clerk · Mar 10, 2023 · 827a001 · 827a001
1 parent b63396c
commit 827a001
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+* @clerkinc/backend-team
diff --git a/clerk/middleware_v2.go b/clerk/middleware_v2.go
@@ -2,12 +2,15 @@ package clerk
 
 import (
 	"context"
+	"errors"
 	"net"
 	"net/http"
 	"net/url"
 	"regexp"
 	"strconv"
 	"strings"
+
+	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var urlSchemeRe = regexp.MustCompile(`(^\w+:|^)\/\/`)
@@ -130,13 +133,26 @@ func WithSessionV2(client Client, verifyTokenOptions ...VerifyTokenOption) func(
 			}
 
 			claims, err := client.VerifyToken(cookieToken.Value, verifyTokenOptions...)
-			if err == nil && claims.IssuedAt != nil && clientUatTs <= int64(*claims.IssuedAt) {
-				ctx := context.WithValue(r.Context(), ActiveSessionClaims, claims)
-				next.ServeHTTP(w, r.WithContext(ctx))
+
+			if err == nil {
+				if claims.IssuedAt != nil && clientUatTs <= int64(*claims.IssuedAt) {
+					ctx := context.WithValue(r.Context(), ActiveSessionClaims, claims)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
+
+				renderInterstitial(client, w)
 				return
 			}
 
-			renderInterstitial(client, w)
+			if errors.Is(err, jwt.ErrExpired) || errors.Is(err, jwt.ErrIssuedInTheFuture) {
+				renderInterstitial(client, w)
+				return
+			}
+
+			// signed out
+			next.ServeHTTP(w, r)
+			return
 		})
 	}
 }