DarrenBaldwin07 / clerk-rs

An unofficial Rust SDK for Clerk.dev
https://crates.io/crates/clerk-rs
MIT License

The clerk_authorize function always checks for an "Authorization" header. #15

Closed camilomcatasus closed 9 months ago

camilomcatasus commented 9 months ago

To my understanding, for same-origin requests, authorization headers do not need to be passed because all the information is located in the __session cookie. So clerk_authorize should probably check to see if you have a session cookie or maybe check based off of some sort of configuration.

My assumption is that this will be worked on at some point. Honestly this repo is a godsend, just wondering if I'm correct and that this will be changed or if I have to make my own middleware.

DarrenBaldwin07 commented 9 months ago

Hey @camilomcatasus, appreciate you opening an issue for this! Your assumption is correct for same-origin requests. The validator portion of this crate is based on the NodeJS SDK that is provided by the Clerk team and this library has logic that checks for the __session cookie first and then falls back to the Authorization header. I have plans to implement this but I'm totally open to PRs :)
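
Added example, not part of the thread and not code from clerk-rs or the Clerk NodeJS SDK: a std-only sketch of the lookup order described above, `__session` cookie first and the Authorization header as the fallback. The function names, the `TokenSource` type, the `Bearer` scheme handling and the representation of headers as `(name, value)` pairs are assumptions made for the illustration.

```rust
// Added example, not clerk-rs code. Headers are modeled as (name, value) pairs.

#[derive(Debug, PartialEq)]
pub enum TokenSource { Cookie, AuthorizationHeader }

/// Value of the `__session` cookie inside one Cookie header value, if present.
fn session_cookie(cookie_header: &str) -> Option<&str> {
    cookie_header.split(';').find_map(|pair| {
        let (name, value) = pair.trim().split_once('=')?;
        // Exact name match, so a cookie such as `not__session` is never accepted.
        (name == "__session" && !value.is_empty()).then_some(value)
    })
}

/// Credential from an `Authorization: Bearer <token>` header value.
fn bearer_token(value: &str) -> Option<&str> {
    let (scheme, token) = value.trim().split_once(' ')?;
    let token = token.trim();
    (scheme.eq_ignore_ascii_case("bearer") && !token.is_empty()).then_some(token)
}

/// First header called `name` (case-insensitive) from which `parse` yields a token.
fn first_match<'a>(
    headers: &[(&str, &'a str)],
    name: &str,
    parse: fn(&str) -> Option<&str>,
) -> Option<&'a str> {
    headers
        .iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case(name))
        .find_map(|(_, v)| parse(*v))
}

/// `__session` cookie first, then the Authorization header.
/// The result is unverified: it still has to pass the usual JWT validation.
pub fn find_session_token<'a>(headers: &[(&str, &'a str)]) -> Option<(TokenSource, &'a str)> {
    first_match(headers, "cookie", session_cookie)
        .map(|t| (TokenSource::Cookie, t))
        .or_else(|| {
            first_match(headers, "authorization", bearer_token)
                .map(|t| (TokenSource::AuthorizationHeader, t))
        })
}

fn main() {
    // Constructed request headers; the token value is a placeholder, not a real JWT.
    let request = [("Cookie", "theme=dark; __session=cookie.jwt.placeholder")];
    println!("{:?}", find_session_token(&request));
}
```

Whichever source supplies the token, it goes through the same signature and claims validation; the lookup only decides where the candidate string comes from.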