Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ability to skip cookie validation in middleware #129

Open
odannyc opened this issue May 20, 2023 · 10 comments
Open

Ability to skip cookie validation in middleware #129

odannyc opened this issue May 20, 2023 · 10 comments

Comments

@odannyc
Copy link

odannyc commented May 20, 2023

We currently use graphql for all of our requests from frontend (nextjs and react native) to our backend (Go).
We explicitly add the Authorization header to all those requests, so no need to do the cookie verification in the middleware. This is also causing issues for us because when we use graphiql everything comes back as 401 and we're unable to send debug requests through that tool.

Ideally we could simply add an "Option" (WithSkipCookieVerification): https://github.com/clerkinc/clerk-sdk-go/blob/98a655dfd24721353e05027bece746304748399b/clerk/middleware_v2.go#L46

Thanks

@dimkl
Copy link
Contributor

dimkl commented May 22, 2023

Hello @odannyc
Checking the middleware_v2.go file (from the link you provided in the description) you can see that the 1st check the middleware does is for authentication header and then checks for cookies.
If you have added an Authorization header to the request (the cookies wont be processed) and it will only return 401 if the verification fails for the provided token.
Is it possible that you provide an expired or invalid token in your debug requests?
If you want to send un-authorized requests for debugging purposes then i would suggest you move the endpoints to another route that the middleware does not run or use a wrapper of middleware to conditional trigger the Clerk middleware based on the route.
I cannot find a reason for WithSkipCookieVerification to be implemented. Could you provide a code example of the issue described and more information?

@dimkl dimkl self-assigned this May 22, 2023
@odannyc
Copy link
Author

odannyc commented May 22, 2023

With GraphQL I only have 1 endpoint (/graph). That endpoint can accept unauthorized requests (Without the Authorization header), and this is when it fails always, because it can't find the auth header and it cant find the session cookies. I don't want the middleware to fail my requests if the cookie isn't found.

@dimkl dimkl removed their assignment Jun 8, 2023
@IGassmann
Copy link
Contributor

We're encountering the same issue.

With GraphQL I only have 1 endpoint (/graph). That endpoint can accept unauthorized requests (Without the Authorization header), and this is when it fails always, because it can't find the auth header and it cant find the session cookies. I don't want the middleware to fail my requests if the cookie isn't found.

@gkats
Copy link
Member

gkats commented Feb 22, 2024

I'm not sure if this helps, but the new v2 version of the library provides a middleware that only checks for bearer token authentication, with the Authorization header.

https://pkg.go.dev/github.com/clerk/clerk-sdk-go/v2/http

@matthewshirley
Copy link

Are there plans to support cookies again?

@gkats
Copy link
Member

gkats commented Mar 16, 2024

Are there plans to support cookies again?

Hi, @matthewshirley, yes, we do have plans for supporting cookie-based authentication again in v2.

We decided to release v2 without it because usage wasn't that high. It's definitely on our roadmap though.

If you don't mind me asking, what's your setup like?

@matthewshirley
Copy link

@gkats That's great, thank you! The setup is an SSR Go app using HTMX.

@zakpaw
Copy link

zakpaw commented Jun 5, 2024

Hi @gkats, I have the same scenario with SRR go app, would you mind sharing what's the progress on cookie-based auth for v2? Should I just use v1?

@gkats
Copy link
Member

gkats commented Jun 12, 2024

would you mind sharing what's the progress on cookie-based auth for v2?

Hi @zakpaw, unfortunately priorities have shifted and cookie based support for v2 of our Go SDK is not at the top of the list.

I don't think I can provide an ETA, so in the meantime my suggestion would be to use v1. Really sorry I don't have better news to share.

@mattbrandman
Copy link

Just wanted to say I'm also using this with HTMX and lack of cookie support is blocking. Understand priorities shift but hopefully this is on a near term roadmap, not being able to use native forms submission auth feels odd for an auth library to be missing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants