allow custom machine secret key per method

Author: wobsoriano

packages/backend/src/api/__tests__/MachineTokenApi.test.ts

@@ -60,14 +60,29 @@ describe('MachineTokenAPI', () => {
         http.post(
           'https://api.clerk.test/m2m_tokens',
           validateHeaders(() => {
-            return HttpResponse.json(mockM2MToken);
+            return HttpResponse.json(
+              {
+                errors: [
+                  {
+                    message:
+                      'The provided Machine Secret Key is invalid. Make sure that your Machine Secret Key is correct.',
+                    code: 'machine_secret_key_invalid',
+                  },
+                ],
+              },
+              { status: 401 },
+            );
           }),
         ),
       );
 
-      const response = await apiClient.machineTokens.create().catch(err => err);
+      const errResponse = await apiClient.machineTokens.create().catch(err => err);
 
-      expect(response.message).toBe('Missing Clerk Machine Secret Key.');
+      expect(errResponse.status).toBe(401);
+      expect(errResponse.errors[0].code).toBe('machine_secret_key_invalid');
+      expect(errResponse.errors[0].message).toBe(
+        'The provided Machine Secret Key is invalid. Make sure that your Machine Secret Key is correct.',
+      );
     });
   });
 

packages/backend/src/api/endpoints/MachineTokenApi.ts

@@ -1,61 +1,90 @@
+import type { ClerkBackendApiRequestOptions } from '../../api/request';
 import { joinPaths } from '../../util/path';
 import type { MachineToken } from '../resources/MachineToken';
 import { AbstractAPI } from './AbstractApi';
 
 const basePath = '/m2m_tokens';
 
 type CreateMachineTokenParams = {
+  machineSecretKey?: string;
   secondsUntilExpiration?: number | null;
   claims?: Record<string, unknown> | null;
 };
 
 type RevokeMachineTokenParams = {
+  machineSecretKey?: string;
   m2mTokenId: string;
   revocationReason?: string | null;
 };
 
 type VerifyMachineTokenParams = {
+  machineSecretKey?: string;
   secret: string;
 };
 
 export class MachineTokenApi extends AbstractAPI {
+  #createRequestOptions(options: ClerkBackendApiRequestOptions, machineSecretKey?: string) {
+    if (machineSecretKey) {
+      return {
+        ...options,
+        headerParams: {
+          Authorization: `Bearer ${machineSecretKey}`,
+        },
+      };
+    }
+
+    return options;
+  }
+
   async create(params?: CreateMachineTokenParams) {
-    const { claims = null, secondsUntilExpiration = null } = params || {};
-
-    return this.request<MachineToken>({
-      method: 'POST',
-      path: basePath,
-      bodyParams: {
-        secondsUntilExpiration,
-        claims,
-      },
-      options: {
-        requireMachineSecretKey: true,
+    const { claims = null, machineSecretKey, secondsUntilExpiration = null } = params || {};
+
+    const requestOptions = this.#createRequestOptions(
+      {
+        method: 'POST',
+        path: basePath,
+        bodyParams: {
+          secondsUntilExpiration,
+          claims,
+        },
       },
-    });
+      machineSecretKey,
+    );
+
+    return this.request<MachineToken>(requestOptions);
   }
 
   async revoke(params: RevokeMachineTokenParams) {
-    const { m2mTokenId, revocationReason = null } = params;
+    const { m2mTokenId, revocationReason = null, machineSecretKey } = params;
 
     this.requireId(m2mTokenId);
 
-    return this.request<MachineToken>({
-      method: 'POST',
-      path: joinPaths(basePath, m2mTokenId, 'revoke'),
-      bodyParams: {
-        revocationReason,
+    const requestOptions = this.#createRequestOptions(
+      {
+        method: 'POST',
+        path: joinPaths(basePath, m2mTokenId, 'revoke'),
+        bodyParams: {
+          revocationReason,
+        },
       },
-    });
+      machineSecretKey,
+    );
+
+    return this.request<MachineToken>(requestOptions);
   }
 
   async verifySecret(params: VerifyMachineTokenParams) {
-    const { secret } = params;
+    const { secret, machineSecretKey } = params;
+
+    const requestOptions = this.#createRequestOptions(
+      {
+        method: 'POST',
+        path: joinPaths(basePath, 'verify'),
+        bodyParams: { secret },
+      },
+      machineSecretKey,
+    );
 
-    return this.request<MachineToken>({
-      method: 'POST',
-      path: joinPaths(basePath, 'verify'),
-      bodyParams: { secret },
-    });
+    return this.request<MachineToken>(requestOptions);
   }
 }

packages/backend/src/api/request.ts

@@ -4,7 +4,7 @@ import snakecaseKeys from 'snakecase-keys';
 
 import { API_URL, API_VERSION, constants, SUPPORTED_BAPI_VERSION, USER_AGENT } from '../constants';
 import { runtime } from '../runtime';
-import { assertValidMachineSecretKey, assertValidSecretKey } from '../util/optionsAssertions';
+import { assertValidSecretKey } from '../util/optionsAssertions';
 import { joinPaths } from '../util/path';
 import { deserialize } from './resources/Deserializer';
 
@@ -27,18 +27,12 @@ type ClerkBackendApiRequestOptionsBodyParams =
          * @default false
          */
         deepSnakecaseBodyParamKeys?: boolean;
-        /**
-         * If true, requires a machine secret key to be provided.
-         * @default false
-         */
-        requireMachineSecretKey?: boolean;
       };
     }
   | {
       bodyParams?: never;
       options?: {
         deepSnakecaseBodyParamKeys?: boolean;
-        requireMachineSecretKey?: boolean;
       };
     };
 
@@ -116,16 +110,12 @@ export function buildRequest(options: BuildRequestOptions) {
       skipApiVersionInUrl = false,
     } = options;
     const { path, method, queryParams, headerParams, bodyParams, formData, options: opts } = requestOptions;
-    const { deepSnakecaseBodyParamKeys = false, requireMachineSecretKey = false } = opts || {};
+    const { deepSnakecaseBodyParamKeys = false } = opts || {};
 
     if (requireSecretKey) {
       assertValidSecretKey(secretKey);
     }
 
-    if (requireMachineSecretKey) {
-      assertValidMachineSecretKey(machineSecretKey);
-    }
-
     const url = skipApiVersionInUrl ? joinPaths(apiUrl, path) : joinPaths(apiUrl, apiVersion, path);
 
     // Build final URL with search parameters
@@ -150,12 +140,14 @@ export function buildRequest(options: BuildRequestOptions) {
       ...headerParams,
     });
 
-    // When useMachineSecretKey is true and machineSecretKey is provided, use machine auth
-    // Otherwise, fall back to regular secretKey auth for all existing APIs
-    if (useMachineSecretKey && machineSecretKey) {
-      headers.set(constants.Headers.Authorization, `Bearer ${machineSecretKey}`);
-    } else if (secretKey) {
-      headers.set(constants.Headers.Authorization, `Bearer ${secretKey}`);
+    // If Authorization header already exists, preserve it.
+    // Otherwise, use machine secret key if enabled, or fall back to regular secret key
+    if (!headers.has(constants.Headers.Authorization)) {
+      if (useMachineSecretKey && machineSecretKey) {
+        headers.set(constants.Headers.Authorization, `Bearer ${machineSecretKey}`);
+      } else if (secretKey) {
+        headers.set(constants.Headers.Authorization, `Bearer ${secretKey}`);
+      }
     }
 
     let res: Response | undefined;

packages/backend/src/util/optionsAssertions.ts

@@ -11,9 +11,3 @@ export function assertValidSecretKey(val: unknown): asserts val is string {
 export function assertValidPublishableKey(val: unknown): asserts val is string {
   parsePublishableKey(val as string | undefined, { fatal: true });
 }
-
-export function assertValidMachineSecretKey(val: unknown): asserts val is string {
-  if (!val || typeof val !== 'string') {
-    throw Error('Missing Clerk Machine Secret Key.');
-  }
-}