timothymiller / t4-app

A powerful cross-platform UI toolkit for building actually native iOS, Android, macOS, Windows, Linux, and Progressive Web Apps with React (Native).
https://t4stack.com
MIT License
1.39k stars 75 forks

Question about auth with Clerk #4

Closed uicowboy closed 1 year ago

uicowboy commented 1 year ago

Hey there! Thank you for open sourcing this and all the effort you've clearly put into the project!

Could you please explain how the Cloudflare Workers server uses Clerk to verify the user is authenticated? I'm interested in both of these technologies but haven't used them yet, so apologies if the answer seems obvious. I see that on the api package there's this dependency @clerk/backend but it's not used. Instead the @tsndr/cloudflare-worker-jwt lib is used. I was expecting the server would hit Clerk's API with the session from the client to verify the user?

Separate comment: it looks like the invite to the Discord server expired.

Thanks again @timothymiller

timothymiller commented 1 year ago

Hello @uicrafts,

Thanks for your interest in the project and for your question!

Regarding your first question, the Cloudflare Workers server indeed uses the Clerk service for user authentication. However, it does not directly call the Clerk's API as you might expect. Instead, it uses the @tsndr/cloudflare-worker-jwt library to verify the JWT (JSON Web Token) that is issued by Clerk when a user logs in.

Here's a brief overview of the flow:

  1. A user logs in using Clerk and receives a JWT.
  2. When the user makes a request to the Cloudflare Workers server, this JWT is sent along in the Authorization header.
  3. The @tsndr/cloudflare-worker-jwt library on the server extracts and verifies the token, ensuring that it is correctly signed and hasn't expired.
  4. If the token is valid, the request proceeds; otherwise, it is rejected.

The @clerk/backend library is part of Clerk's suite of tools and could be used for more complex operations (e.g., fetching user profiles, managing sessions, etc.), but in this case, it isn't used since we only need to verify the JWT.

As for the Discord server invite link, I apologize for the inconvenience caused. I've updated the README file with a new, non-expiring invite link. If you have further questions or discussions, feel free to join and ask there!

Thanks again for your question, and I hope this helps!

Best, @timothymiller

uicowboy commented 1 year ago

@timothymiller Thank you for explaining that so eloquently!

I read more through the Expo side of the code and saw how you're sending the token via the Authorization header with every request from tRPC as you mentioned.

The key here is that all the server has to do is validate that the token is signed and not expired, since the frontend already hit Clerk's servers as part of the auth process in the client and doing so again with every request from the Cloudflare Workers side would be unnecessary.

No worries about the Discord server! Cheers.