Ability to skip cookie validation in middleware #129

Open
odannyc opened this issue May 20, 2023 · 9 comments

Comments


odannyc commented May 20, 2023

We currently use graphql for all of our requests from frontend (nextjs and react native) to our backend (Go).
We explicitly add the Authorization header to all those requests, so no need to do the cookie verification in the middleware. This is also causing issues for us because when we use graphiql everything comes back as 401 and we're unable to send debug requests through that tool.

Ideally we could simply add an "Option" (WithSkipCookieVerification): https://github.com/clerkinc/clerk-sdk-go/blob/98a655dfd24721353e05027bece746304748399b/clerk/middleware_v2.go#L46

Thanks

Contributor

dimkl commented May 22, 2023

Hello @odannyc
Checking the middleware_v2.go file (from the link you provided in the description), you can see that the 1st check the middleware does is for the authentication header, and then it checks for cookies.
If you have added an Authorization header to the request, the cookies won't be processed and it will only return 401 if the verification fails for the provided token.
Is it possible that you provide an expired or invalid token in your debug requests?
If you want to send un-authorized requests for debugging purposes then I would suggest you move the endpoints to another route that the middleware does not run on, or use a wrapper of the middleware to conditionally trigger the Clerk middleware based on the route.
I cannot find a reason for WithSkipCookieVerification to be implemented. Could you provide a code example of the issue described and more information?

@dimkl dimkl self-assigned this May 22, 2023
Author

odannyc commented May 22, 2023

With GraphQL I only have 1 endpoint (/graph). That endpoint can accept unauthorized requests (without the Authorization header), and this is when it fails always, because it can't find the auth header and it can't find the session cookies. I don't want the middleware to fail my requests if the cookie isn't found.
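
One way to build the conditional wrapper suggested earlier in the thread for a single `/graph` endpoint, as an added example that is not code from the thread or the SDK. `OptionalAuth`, `fakeStrict`, `Probe`, the token value and the `__session` cookie name are assumptions, and `fakeStrict` stands in for the real verifying middleware.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type anonKey struct{} // context key; set only when no credential was presented

// OptionalAuth runs strict only when a credential (Authorization header or session cookie) is present.
func OptionalAuth(strict func(http.Handler) http.Handler, cookie string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		verified := strict(next)
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if _, err := r.Cookie(cookie); err == nil || r.Header.Get("Authorization") != "" {
				verified.ServeHTTP(w, r) // a bad credential still gets 401, never a downgrade
				return
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), anonKey{}, true)))
		})
	}
}

// fakeStrict stands in for the SDK middleware: one constructed token passes, all else is 401.
func fakeStrict(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer valid-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed request to /graph and returns status code and body.
func Probe(authHeader, cookieHeader string) (int, string) {
	graph := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "anonymous=%t", r.Context().Value(anonKey{}) != nil)
	})
	req := httptest.NewRequest(http.MethodPost, "/graph", nil)
	req.Header.Set("Authorization", authHeader) // empty values read back as absent
	req.Header.Set("Cookie", cookieHeader)
	rec := httptest.NewRecorder()
	OptionalAuth(fakeStrict, "__session")(graph).ServeHTTP(rec, req) // cookie name is an assumption
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(Probe("", "")) }
```

Resolvers that need a user must reject requests carrying the anonymous marker; the wrapper only decides whether verification runs.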

@dimkl dimkl removed their assignment Jun 8, 2023
@IGassmann
Contributor

We're encountering the same issue.

> With GraphQL I only have 1 endpoint (/graph). That endpoint can accept unauthorized requests (without the Authorization header), and this is when it fails always, because it can't find the auth header and it can't find the session cookies. I don't want the middleware to fail my requests if the cookie isn't found.

Member

gkats commented Feb 22, 2024

I'm not sure if this helps, but the new v2 version of the library provides a middleware that only checks for bearer token authentication, with the Authorization header.

https://pkg.go.dev/github.com/clerk/clerk-sdk-go/v2/http

@matthewshirley

Are there plans to support cookies again?

Member

gkats commented Mar 16, 2024

> Are there plans to support cookies again?

Hi, @matthewshirley, yes, we do have plans for supporting cookie-based authentication again in v2.

We decided to release v2 without it because usage wasn't that high. It's definitely on our roadmap though.

If you don't mind me asking, what's your setup like?

@matthewshirley

@gkats That's great, thank you! The setup is an SSR Go app using HTMX.


zakpaw commented Jun 5, 2024

Hi @gkats, I have the same scenario with an SSR Go app, would you mind sharing what's the progress on cookie-based auth for v2? Should I just use v1?

Member

gkats commented Jun 12, 2024

> would you mind sharing what's the progress on cookie-based auth for v2?

Hi @zakpaw, unfortunately priorities have shifted and cookie based support for v2 of our Go SDK is not at the top of the list.

I don't think I can provide an ETA, so in the meantime my suggestion would be to use v1. Really sorry I don't have better news to share.

4cecoder added a commit to 4cecoder/clerk-sdk-go that referenced this issue Aug 8, 2024
Related to clerk#129

Add an option to skip cookie verification in the middleware.

* Add a new `Options` struct to hold middleware options and a `WithSkipCookieVerification` function to set the `SkipCookieVerification` option in `clerk/middleware_v2.go`.
* Modify the `WithSessionV2` function in `clerk/middleware_v2.go` to check for the `WithSkipCookieVerification` option and skip cookie verification if set.
* Add tests in `clerk/middleware_v2_test.go` to verify the functionality of the `WithSkipCookieVerification` option, covering both scenarios: with and without the option.
* Update the example in `examples/middleware/main.go` to demonstrate the usage of the `WithSkipCookieVerification` option.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/clerk/clerk-sdk-go/issues/129?shareId=XXXX-XXXX-XXXX-XXXX).