Merge pull request #122 from speakeasy-sdks/ms/clerk-v2-jwt

speakeasybot · web-flow · commit 8cb83d932328 · 2025-05-13T00:08:56.000+10:00
Handle V2 JWT format
diff --git a/pyproject.toml b/pyproject.toml
@@ -3,7 +3,7 @@ name = "clerk-backend-api"
 version = "2.1.0"
 description = "Python Client SDK for clerk.dev"
 authors = [{ name = "Clerk" },]
-readme = "README-PYPI.md"
+readme = "README.md"
 requires-python = ">=3.9"
 dependencies = [
     "cryptography (>=43.0.1,<44.0.0)",
diff --git a/src/clerk_backend_api/jwks_helpers/authenticaterequest.py b/src/clerk_backend_api/jwks_helpers/authenticaterequest.py
@@ -79,6 +79,51 @@ class AuthenticateRequestOptions:
     clock_skew_in_ms: int = 5000
 
 def authenticate_request(request: Requestish, options: AuthenticateRequestOptions) -> RequestState:
+
+    def __compute_org_permissions(claims: Dict[str, Any]) -> List[str]:
+        features_str = claims.get("fea")
+        if features_str is None:
+            return []
+
+        org_claims = claims.get("o", {})
+        permissions_str = org_claims.get("per")
+        mappings_str = org_claims.get("fpm")
+
+        if not all(isinstance(s, str) for s in [permissions_str, mappings_str]):
+            return []
+
+        features = features_str.split(",")
+        permissions = permissions_str.split(",")
+        mappings = mappings_str.split(",")
+
+        org_permissions = []
+
+        for idx in range(len(mappings)):
+            if idx >= len(features):
+                continue
+
+            mapping = mappings[idx]
+            feature_parts = features[idx].split(":")
+            if len(feature_parts) != 2:
+                continue
+
+            scope, feature = feature_parts
+            if "o" not in scope:
+                continue
+
+            try:
+                binary = bin(int(mapping))[2:].lstrip("0")
+            except ValueError:
+                continue
+
+            reversed_binary = binary[::-1]
+
+            for i, bit in enumerate(reversed_binary):
+                if bit == "1" and i < len(permissions):
+                    org_permissions.append(f"org:{feature}:{permissions[i]}")
+
+        return org_permissions
+
     """ Authenticates the session token. Networkless if the options.jwt_key is provided.
     Otherwise, performs a network call to retrieve the JWKS from Clerk's Backend API.
     """
@@ -104,25 +149,53 @@ def get_session_token(request: Requestish) -> Optional[str]:
 
 
     session_token = get_session_token(request)
+
     if session_token is None:
         return RequestState(status=AuthStatus.SIGNED_OUT, reason=AuthErrorReason.SESSION_TOKEN_MISSING)
 
-    if options.secret_key is None:
-        return RequestState(status=AuthStatus.SIGNED_OUT, reason=AuthErrorReason.SECRET_KEY_MISSING)
-
     try:
-        payload = verify_token(
-            session_token,
-            VerifyTokenOptions(
-                audience=options.audience,
-                authorized_parties=options.authorized_parties,
-                secret_key=options.secret_key,
-                clock_skew_in_ms=options.clock_skew_in_ms,
-                jwt_key=options.jwt_key,
-            ),
-        )
+        if options.secret_key:
+            payload = verify_token(
+                session_token,
+                VerifyTokenOptions(
+                    audience=options.audience,
+                    authorized_parties=options.authorized_parties,
+                    secret_key=options.secret_key,
+                    clock_skew_in_ms=options.clock_skew_in_ms,
+                    jwt_key=None,
+                ),
+            )
+        elif options.jwt_key:
+            payload = verify_token(
+                session_token,
+                VerifyTokenOptions(
+                    audience=options.audience,
+                    authorized_parties=options.authorized_parties,
+                    secret_key=None,
+                    clock_skew_in_ms=options.clock_skew_in_ms,
+                    jwt_key=options.jwt_key,
+                ),
+            )
+        else:
+            return RequestState(status=AuthStatus.SIGNED_OUT, reason=AuthErrorReason.SECRET_KEY_MISSING)
+
+        if payload is not None and payload.get("v") == 2:
+            org_claims = payload.get("o", {})
+            if org_claims:
+                payload["org_id"] = org_claims.get("id")
+                payload["org_slug"] = org_claims.get("slg")
+                payload["org_role"] = org_claims.get("rol")
+
+                org_permissions = __compute_org_permissions(payload)
+                if org_permissions:
+                    payload["org_permissions"] = org_permissions
 
         return RequestState(status=AuthStatus.SIGNED_IN, token=session_token, payload=payload)
 
     except TokenVerificationError as e:
         return RequestState(status=AuthStatus.SIGNED_OUT, reason=e.reason)
+
+
+
+
+
diff --git a/tests/test_authenticate_request.py b/tests/test_authenticate_request.py
