redwoodjs / redwood

The App Framework for Startups
https://redwoodjs.com
MIT License

Clerk and cross-origin requests #4459

Open domvernon opened 2 years ago

domvernon commented 2 years ago

Maintainer Update

Update Feb 15, 2022: There is a roadmap to update the Clerk Auth provider to v2, which would support cross-site architectures. See the comment here: https://github.com/redwoodjs/redwood/issues/4459#issuecomment-1039481414

The Clerk point of contact is @devchampian

Original Message

👋 Hi, I've run into a small hitch using Clerk! I've been trying to deploy the web side with Cloudflare Pages, and the backend with AWS (API Gateway, Lambda). As a result the front end needs to make cross-origin requests to the backend. As detailed in the Clerk docs (here and here), it appears that these situations should be handled differently.

I can actually see this in my front end, in that instead of a cookie, Clerk is sending an authorization header with the required session token (authorization: Bearer sess_<Redacted>). The Clerk decoder does not handle this. As a result, the backend throws the expected error of: Clerk __session token is not set.

I would think the logic just needs updating to look at the authorization header, which I'm happy to have a go at if that's the preferred option.
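The lookup order suggested in the post above, as an added example that is not part of the original thread and is not Redwood's or Clerk's code: check the `authorization: Bearer` header first, then fall back to the cookie. The function names, the Lambda-style `event.headers` shape and the `__session` cookie name (taken from the error message) are assumptions, and the token found this way still has to be verified before it is trusted.

```javascript
// Hypothetical helper: not Redwood's or Clerk's code. It only locates the
// session token; the token must still be verified before it is trusted.

// Header names can arrive in any case, so look them up case-insensitively.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Parse a Cookie header into a Map (first occurrence of a name wins).
function parseCookies(cookieHeader) {
  const jar = new Map();
  for (const part of String(cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key && !jar.has(key)) jar.set(key, part.slice(idx + 1).trim());
  }
  return jar;
}

// Prefer the Authorization header (cross-origin case from the issue),
// then fall back to the __session cookie (same-origin case).
function findSessionToken(event) {
  const auth = getHeader(event.headers, 'authorization');
  if (typeof auth === 'string' && auth.trim() !== '') {
    const match = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    // Design choice in this example: a malformed header is an error,
    // not a reason to fall back silently to the cookie.
    if (!match) throw new Error('Malformed Authorization header');
    return { token: match[1], source: 'header' };
  }
  const session = parseCookies(getHeader(event.headers, 'cookie')).get('__session');
  if (session) return { token: session, source: 'cookie' };
  throw new Error('Clerk __session token is not set');
}

// Constructed sample events (token values are placeholders).
const crossOrigin = { headers: { Authorization: 'Bearer sess_constructed_example' } };
const sameOrigin = { headers: { cookie: 'theme=dark; __session=sess_cookie_example' } };
console.log(findSessionToken(crossOrigin).source);
console.log(findSessionToken(sameOrigin).source);
```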

thedavidprice commented 2 years ago

Hi @domvernon

First off, I'm really interested in the results of this hosting solution:

I've been trying to deploy the web side with Cloudflare Pages, and the backend with AWS (API Gateway, Lambda)

I'm a big fan of Cloudflare. This seems like a great choice all around if/when you get it working.

Wondering if you used the newly updated Serverless deploy setup for Redwood to handle the API side?

Clerk and CORS

I need to defer all things Clerk to @devchampian from the Clerk team.

Curious if there's anything coming that will help with this via #4443

Ian, please let us know if there's anything we need to discuss about the Redwood Auth internals if/when applicable.

devchampian commented 2 years ago

Hi @domvernon (and thanks @thedavidprice for bringing this to my attention),

You are correct that the Clerk decoder does not currently support cross-site architectures. We would need to update the decoder to support the newer Auth v2 strategies.

If you are interested in taking a stab at making the updates for Redwood, go for it. You could reference the implementation code we used for Next.js.

The Clerk team does plan on revisiting the Redwood integration but likely won't be able to tackle it for another few weeks. Feel free to reach out in our Discord or to support@clerk.dev if you have additional questions.

@thedavidprice This is unrelated to my current PR #4443, but I will follow up when we make the additional auth updates that might require input from the Redwood team.

thedavidprice commented 2 years ago

Thank you @devchampian. All that makes sense. I've updated this Issue Title and OP accordingly.

No rush from anyone on these steps. But we're here to help as needed.

domvernon commented 2 years ago

@thedavidprice Yes, I used the CLI and then modified the output for what I wanted to achieve. It would be nice to specify if you just want the API or web side, but other than that it worked really well. At some point I'll probably look at it further to see if I can optimise it further for my setup. Cloudflare was really just as simple as Netlify to set up, just connect to the repo, set any environment variables and you are away. The only thing I have noticed so far is that builds take longer to initialise.

@devchampian thanks for the response

I'd like to take a look at this, but don't think it will be before the weekend. I'll see what I can do and let you both know if I have any questions.