chore: cherry-pick machine auth verification methods rename and API keys hook fix

Author: wobsoriano

integration/tests/machine-auth/component.test.ts

@@ -285,6 +285,43 @@ testAgainstRunningApps({
     await u.page.unrouteAll();
   });
 
+  test('UserProfile API keys uses user ID as subject even when organization is active', async ({ page, context }) => {
+    const u = createTestUtils({ app, page, context });
+
+    const admin = await u.services.users.getUser({ email: fakeAdmin.email });
+    expect(admin).toBeDefined();
+    const userId = admin.id;
+
+    await u.po.signIn.goTo();
+    await u.po.signIn.waitForMounted();
+    await u.po.signIn.signInWithEmailAndInstantPassword({ email: fakeAdmin.email, password: fakeAdmin.password });
+    await u.po.expect.toBeSignedIn();
+
+    await u.po.organizationSwitcher.goTo();
+    await u.po.organizationSwitcher.waitForMounted();
+    await u.po.organizationSwitcher.waitForAnOrganizationToSelected();
+
+    let capturedSubject: string | null = null;
+    const apiKeyRequestPromise = u.page.waitForRequest(request => {
+      if (request.url().includes('api_keys')) {
+        const url = new URL(request.url());
+        capturedSubject = url.searchParams.get('subject');
+        return true;
+      }
+      return false;
+    });
+
+    await u.po.page.goToRelative('/user');
+    await u.po.userProfile.waitForMounted();
+    await u.po.userProfile.switchToAPIKeysTab();
+
+    await apiKeyRequestPromise;
+
+    // Verify the subject parameter is the user ID, not the organization ID
+    expect(capturedSubject).toBe(userId);
+    expect(capturedSubject).not.toBe(fakeOrganization.organization.id);
+  });
+
   test('standalone API keys component in user context based on user_api_keys_enabled', async ({ page, context }) => {
     const u = createTestUtils({ app, page, context });
 

packages/backend/src/api/__tests__/M2MTokenApi.test.ts

@@ -206,7 +206,7 @@ describe('M2MToken', () => {
     });
   });
 
-  describe('verifyToken', () => {
+  describe('verify', () => {
     it('verifies a m2m token using machine secret', async () => {
       const apiClient = createBackendApiClient({
         apiUrl: 'https://api.clerk.test',
@@ -223,7 +223,7 @@ describe('M2MToken', () => {
         ),
       );
 
-      const response = await apiClient.m2m.verifyToken({
+      const response = await apiClient.m2m.verify({
         token: m2mSecret,
       });
 
@@ -249,7 +249,7 @@ describe('M2MToken', () => {
         ),
       );
 
-      const response = await apiClient.m2m.verifyToken({
+      const response = await apiClient.m2m.verify({
         token: m2mSecret,
       });
 
@@ -274,7 +274,7 @@ describe('M2MToken', () => {
       );
 
       const errResponse = await apiClient.m2m
-        .verifyToken({
+        .verify({
           token: m2mSecret,
         })
         .catch(err => err);

packages/backend/src/api/__tests__/factory.test.ts

@@ -325,7 +325,7 @@ describe('api.client', () => {
         ),
       );
 
-      const response = await apiClient.m2m.verifyToken({
+      const response = await apiClient.m2m.verify({
         machineSecretKey: 'ak_test_in_header_params', // this will be added to headerParams.Authorization
         token: 'mt_secret_test',
       });
@@ -353,7 +353,7 @@ describe('api.client', () => {
         ),
       );
 
-      const response = await apiClient.m2m.verifyToken({
+      const response = await apiClient.m2m.verify({
         token: 'mt_secret_test',
       });
       expect(response.id).toBe('mt_test');
@@ -425,7 +425,7 @@ describe('api.client', () => {
         ),
       );
 
-      const response = await apiClient.m2m.verifyToken({
+      const response = await apiClient.m2m.verify({
         token: 'mt_secret_test',
       });
       expect(response.id).toBe('mt_test');

packages/backend/src/api/endpoints/APIKeysApi.ts

@@ -2,6 +2,7 @@ import type { ClerkPaginationRequest } from '@clerk/shared/types';
 
 import type { PaginatedResourceResponse } from '../../api/resources/Deserializer';
 import { joinPaths } from '../../util/path';
+import { deprecated } from '../../util/shared';
 import type { APIKey } from '../resources/APIKey';
 import { AbstractAPI } from './AbstractApi';
 
@@ -88,11 +89,19 @@ export class APIKeysAPI extends AbstractAPI {
     });
   }
 
-  async verifySecret(secret: string) {
+  async verify(secret: string) {
     return this.request<APIKey>({
       method: 'POST',
       path: joinPaths(basePath, 'verify'),
       bodyParams: { secret },
     });
   }
+
+  /**
+   * @deprecated Use `verify()` instead. This method will be removed in the next major release.
+   */
+  async verifySecret(secret: string) {
+    deprecated('apiKeys.verifySecret()', 'Use `apiKeys.verify()` instead.');
+    return this.verify(secret);
+  }
 }

packages/backend/src/api/endpoints/IdPOAuthAccessTokenApi.ts

@@ -1,15 +1,24 @@
 import { joinPaths } from '../../util/path';
+import { deprecated } from '../../util/shared';
 import type { IdPOAuthAccessToken } from '../resources';
 import { AbstractAPI } from './AbstractApi';
 
 const basePath = '/oauth_applications/access_tokens';
 
 export class IdPOAuthAccessTokenApi extends AbstractAPI {
-  async verifyAccessToken(accessToken: string) {
+  async verify(accessToken: string) {
     return this.request<IdPOAuthAccessToken>({
       method: 'POST',
       path: joinPaths(basePath, 'verify'),
       bodyParams: { access_token: accessToken },
     });
   }
+
+  /**
+   * @deprecated Use `verify()` instead. This method will be removed in the next major release.
+   */
+  async verifyAccessToken(accessToken: string) {
+    deprecated('idPOAuthAccessToken.verifyAccessToken()', 'Use `idPOAuthAccessToken.verify()` instead.');
+    return this.verify(accessToken);
+  }
 }

packages/backend/src/api/endpoints/M2MTokenApi.ts

@@ -1,4 +1,5 @@
 import { joinPaths } from '../../util/path';
+import { deprecated } from '../../util/shared';
 import type { ClerkBackendApiRequestOptions } from '../request';
 import type { M2MToken } from '../resources/M2MToken';
 import { AbstractAPI } from './AbstractApi';
@@ -94,7 +95,7 @@ export class M2MTokenApi extends AbstractAPI {
     return this.request<M2MToken>(requestOptions);
   }
 
-  async verifyToken(params: VerifyM2MTokenParams) {
+  async verify(params: VerifyM2MTokenParams) {
     const { token, machineSecretKey } = params;
 
     const requestOptions = this.#createRequestOptions(
@@ -108,4 +109,12 @@ export class M2MTokenApi extends AbstractAPI {
 
     return this.request<M2MToken>(requestOptions);
   }
+
+  /**
+   * @deprecated Use `verify()` instead. This method will be removed in the next major release.
+   */
+  async verifyToken(params: VerifyM2MTokenParams) {
+    deprecated('m2m.verifyToken()', 'Use `m2m.verify()` instead.');
+    return this.verify(params);
+  }
 }

packages/backend/src/tokens/verify.ts

@@ -198,7 +198,7 @@ async function verifyM2MToken(
 ): Promise<MachineTokenReturnType<M2MToken, MachineTokenVerificationError>> {
   try {
     const client = createBackendApiClient(options);
-    const verifiedToken = await client.m2m.verifyToken({ token });
+    const verifiedToken = await client.m2m.verify({ token });
     return { data: verifiedToken, tokenType: TokenType.M2MToken, errors: undefined };
   } catch (err: any) {
     return handleClerkAPIError(TokenType.M2MToken, err, 'Machine token not found');
@@ -211,7 +211,7 @@ async function verifyOAuthToken(
 ): Promise<MachineTokenReturnType<IdPOAuthAccessToken, MachineTokenVerificationError>> {
   try {
     const client = createBackendApiClient(options);
-    const verifiedToken = await client.idPOAuthAccessToken.verifyAccessToken(accessToken);
+    const verifiedToken = await client.idPOAuthAccessToken.verify(accessToken);
     return { data: verifiedToken, tokenType: TokenType.OAuthToken, errors: undefined };
   } catch (err: any) {
     return handleClerkAPIError(TokenType.OAuthToken, err, 'OAuth token not found');
@@ -224,7 +224,7 @@ async function verifyAPIKey(
 ): Promise<MachineTokenReturnType<APIKey, MachineTokenVerificationError>> {
   try {
     const client = createBackendApiClient(options);
-    const verifiedToken = await client.apiKeys.verifySecret(secret);
+    const verifiedToken = await client.apiKeys.verify(secret);
     return { data: verifiedToken, tokenType: TokenType.ApiKey, errors: undefined };
   } catch (err: any) {
     return handleClerkAPIError(TokenType.ApiKey, err, 'API key not found');

packages/shared/src/react/hooks/useAPIKeys.rq.tsx

@@ -93,7 +93,9 @@ export function useAPIKeys<T extends UseAPIKeysParams>(params?: T): UseAPIKeysRe
   const isEnabled = (safeValues.enabled ?? true) && clerk.loaded;
 
   return usePagesOrInfinite({
-    fetcher: clerk.apiKeys?.getAll ? (params: GetAPIKeysParams) => clerk.apiKeys.getAll(params) : undefined,
+    fetcher: clerk.apiKeys?.getAll
+      ? (params: GetAPIKeysParams) => clerk.apiKeys.getAll({ ...params, subject: safeValues.subject })
+      : undefined,
     config: {
       keepPreviousData: safeValues.keepPreviousData,
       infinite: safeValues.infinite,

packages/shared/src/react/hooks/useAPIKeys.swr.tsx

@@ -96,7 +96,9 @@ export function useAPIKeys<T extends UseAPIKeysParams>(params?: T): UseAPIKeysRe
   const isEnabled = (safeValues.enabled ?? true) && clerk.loaded;
 
   const result = usePagesOrInfinite({
-    fetcher: clerk.apiKeys?.getAll ? (params: GetAPIKeysParams) => clerk.apiKeys.getAll(params) : undefined,
+    fetcher: clerk.apiKeys?.getAll
+      ? (params: GetAPIKeysParams) => clerk.apiKeys.getAll({ ...params, subject: safeValues.subject })
+      : undefined,
     config: {
       keepPreviousData: safeValues.keepPreviousData,
       infinite: safeValues.infinite,

packages/testing/src/playwright/unstable/page-objects/userProfile.ts

@@ -17,6 +17,9 @@ export const createUserProfileComponentPageObject = (testArgs: { page: EnhancedP
     switchToBillingTab: async () => {
       await page.getByText(/Billing/i).click();
     },
+    switchToAPIKeysTab: async () => {
+      await page.getByText(/API keys/i).click();
+    },
     waitForMounted: () => {
       return page.waitForSelector('.cl-userProfile-root', { state: 'attached' });
     },