Merge branch 'vaggelis/user-4002-implement-the-aio-components-new-flow-and-session-task' into vaggelis/user-4007-dont-allow-untrusted-passwords-to-be-able-to-sign-in

# Conflicts:
#	packages/clerk-js/src/ui/components/SessionTasks/index.tsx
#	packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/index.tsx
#	packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/withTaskGuard.ts
#	packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskResetPassword/index.tsx
#	packages/clerk-js/src/ui/components/SessionTasks/tasks/shared/withTaskGuard.ts
#	packages/clerk-js/src/ui/components/SessionTasks/tasks/withTaskGuard.ts
#	packages/clerk-js/src/ui/contexts/ClerkUIComponentsContext.tsx
#	packages/clerk-js/src/ui/contexts/components/SessionTasks.ts

Author: octoper

.changeset/warm-phones-compete.md

@@ -0,0 +1,2 @@
+---
+---

integration/tests/machine-auth/oauth.test.ts

@@ -0,0 +1,180 @@
+import { randomBytes } from 'node:crypto';
+
+import type { OAuthApplication } from '@clerk/backend';
+import { createClerkClient } from '@clerk/backend';
+import { TokenType } from '@clerk/backend/internal';
+import { expect, test } from '@playwright/test';
+
+import type { Application } from '../../models/application';
+import { appConfigs } from '../../presets';
+import type { FakeUser } from '../../testUtils';
+import { createTestUtils } from '../../testUtils';
+
+test.describe('OAuth machine authentication @machine', () => {
+  test.describe.configure({ mode: 'parallel' });
+  let app: Application;
+  let fakeUser: FakeUser;
+  let oAuthApp: OAuthApplication;
+
+  test.beforeAll(async () => {
+    test.setTimeout(120_000);
+
+    app = await appConfigs.next.appRouter
+      .clone()
+      .addFile(
+        'src/app/api/protected/route.ts',
+        () => `
+        import { auth } from '@clerk/nextjs/server';
+
+        export async function GET() {
+          const { userId, tokenType } = await auth({ acceptsToken: 'oauth_token' });
+
+          if (!userId) {
+            return Response.json({ error: 'Unauthorized' }, { status: 401 });
+          }
+
+          return Response.json({ userId, tokenType });
+        }
+        `,
+      )
+      .addFile(
+        'src/app/oauth/callback/route.ts',
+        () => `
+        import { NextResponse } from 'next/server';
+
+        export async function GET() {
+          return NextResponse.json({ message: 'OAuth callback received' });
+        }
+        `,
+      )
+      .commit();
+
+    await app.setup();
+    await app.withEnv(appConfigs.envs.withEmailCodes);
+    await app.dev();
+
+    // Test user that will authorize the OAuth application
+    const u = createTestUtils({ app });
+    fakeUser = u.services.users.createFakeUser();
+    await u.services.users.createBapiUser(fakeUser);
+
+    const clerkClient = createClerkClient({
+      secretKey: app.env.privateVariables.get('CLERK_SECRET_KEY'),
+      publishableKey: app.env.publicVariables.get('CLERK_PUBLISHABLE_KEY'),
+    });
+
+    // Create an OAuth application via the BAPI
+    oAuthApp = await clerkClient.oauthApplications.create({
+      name: `Integration Test OAuth App - ${Date.now()}`,
+      redirectUris: [`${app.serverUrl}/oauth/callback`],
+      scopes: 'profile email',
+    });
+  });
+
+  test.afterAll(async () => {
+    const clerkClient = createClerkClient({
+      secretKey: app.env.privateVariables.get('CLERK_SECRET_KEY'),
+      publishableKey: app.env.publicVariables.get('CLERK_PUBLISHABLE_KEY'),
+    });
+
+    if (oAuthApp.id) {
+      await clerkClient.oauthApplications.delete(oAuthApp.id);
+    }
+
+    await fakeUser.deleteIfExists();
+    await app.teardown();
+  });
+
+  test('verifies valid OAuth access token obtained through authorization flow', async ({ page, context }) => {
+    const u = createTestUtils({ app, page, context });
+
+    // Build the authorization URL
+    const state = randomBytes(16).toString('hex');
+    const redirectUri = `${app.serverUrl}/oauth/callback`;
+    const authorizeUrl = new URL(oAuthApp.authorizeUrl);
+    authorizeUrl.searchParams.set('client_id', oAuthApp.clientId);
+    authorizeUrl.searchParams.set('redirect_uri', redirectUri);
+    authorizeUrl.searchParams.set('response_type', 'code');
+    authorizeUrl.searchParams.set('scope', 'profile email');
+    authorizeUrl.searchParams.set('state', state);
+
+    // Navigate to Clerk's authorization endpoint
+    await u.page.goto(authorizeUrl.toString());
+
+    // Sign in on Account Portal
+    await u.po.signIn.waitForMounted();
+    await u.po.signIn.signInWithEmailAndInstantPassword({
+      email: fakeUser.email,
+      password: fakeUser.password,
+    });
+
+    // Accept consent screen
+    // Per https://clerk.com/docs/guides/configure/auth-strategies/oauth/how-clerk-implements-oauth#consent-screen-management
+    const consentButton = u.page.getByRole('button', { name: 'Allow' });
+    await consentButton.waitFor({ timeout: 10000 });
+    await consentButton.click();
+
+    // Wait for the redirect to complete
+    await u.page.waitForURL(/oauth\/callback/, { timeout: 10000 });
+
+    // Extract the authorization code from the callback URL
+    const currentUrl = u.page.url();
+    const urlObj = new URL(currentUrl);
+    const finalAuthCode = urlObj.searchParams.get('code');
+
+    expect(finalAuthCode).toBeTruthy();
+
+    // Exchange authorization code for access token
+    expect(oAuthApp.clientSecret).toBeTruthy();
+
+    const tokenResponse = await u.page.request.post(oAuthApp.tokenFetchUrl, {
+      data: new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: finalAuthCode,
+        redirect_uri: redirectUri,
+        client_id: oAuthApp.clientId,
+        client_secret: oAuthApp.clientSecret,
+      }).toString(),
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+    });
+
+    expect(tokenResponse.status()).toBe(200);
+    const tokenResponseBody = await tokenResponse.text();
+
+    const tokenData = JSON.parse(tokenResponseBody) as { access_token?: string };
+    const accessToken = tokenData.access_token;
+
+    expect(accessToken).toBeTruthy();
+
+    // Use the access token to authenticate a request to our protected route
+    const protectedRouteUrl = new URL('/api/protected', app.serverUrl);
+    const protectedResponse = await u.page.request.get(protectedRouteUrl.toString(), {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    });
+
+    expect(protectedResponse.status()).toBe(200);
+    const authData = await protectedResponse.json();
+    expect(authData.userId).toBeDefined();
+    expect(authData.tokenType).toBe(TokenType.OAuthToken);
+  });
+
+  test('rejects request without OAuth token', async ({ request }) => {
+    const url = new URL('/api/protected', app.serverUrl);
+    const res = await request.get(url.toString());
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects request with invalid OAuth token', async ({ request }) => {
+    const url = new URL('/api/protected', app.serverUrl);
+    const res = await request.get(url.toString(), {
+      headers: {
+        Authorization: 'Bearer invalid_oauth_token',
+      },
+    });
+    expect(res.status()).toBe(401);
+  });
+});

package.json

@@ -152,7 +152,7 @@
     "yalc": "1.0.0-pre.53",
     "zx": "catalog:repo"
   },
-  "packageManager": "[email protected]",
+  "packageManager": "[email protected]+sha512.17c560fca4867ae9473a3899ad84a88334914f379be46d455cbf92e5cf4b39d34985d452d2583baf19967fa76cb5c17bc9e245529d0b98745721aa7200ecaf7a",
   "engines": {
     "node": ">=18.17.0",
     "pnpm": ">=10.17.1"

packages/clerk-js/src/ui/components/SessionTasks/index.tsx

@@ -1,6 +1,5 @@
 import { useClerk } from '@clerk/shared/react';
 import { eventComponentMounted } from '@clerk/shared/telemetry';
-import type { SessionResource } from '@clerk/shared/types';
 import { useEffect, useRef } from 'react';
 
 import { Flow } from '@/ui/customizables';
@@ -86,7 +85,8 @@ type SessionTasksProps = {
  */
 export const SessionTasks = withCardStateProvider(({ redirectUrlComplete }: SessionTasksProps) => {
   const clerk = useClerk();
-  const { navigate, matches } = useRouter();
+  const { navigate } = useRouter();
+
   const currentTaskContainer = useRef<HTMLDivElement>(null);
 
   // If there are no pending tasks, navigate away from the tasks flow.
@@ -103,7 +103,7 @@ export const SessionTasks = withCardStateProvider(({ redirectUrlComplete }: Sess
     }
 
     clerk.telemetry?.record(eventComponentMounted('SessionTask', { task: task.key }));
-  }, [clerk, matches, navigate, redirectUrlComplete]);
+  }, [clerk, navigate, redirectUrlComplete]);
 
   if (!clerk.session?.currentTask) {
     return (
@@ -120,17 +120,8 @@ export const SessionTasks = withCardStateProvider(({ redirectUrlComplete }: Sess
     );
   }
 
-  const navigateOnSetActive = async ({ session }: { session: SessionResource }) => {
-    const currentTask = session.currentTask;
-    if (!currentTask) {
-      return navigate(redirectUrlComplete);
-    }
-
-    return navigate(`./${INTERNAL_SESSION_TASK_ROUTE_BY_KEY[currentTask.key]}`);
-  };
-
   return (
-    <SessionTasksContext.Provider value={{ redirectUrlComplete, currentTaskContainer, navigateOnSetActive }}>
+    <SessionTasksContext.Provider value={{ redirectUrlComplete }}>
       <SessionTasksRoutes />
     </SessionTasksContext.Provider>
   );

packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/ChooseOrganizationScreen.tsx

@@ -16,7 +16,7 @@ import {
   sharedMainIdentifierSx,
 } from '@/ui/common/organizations/OrganizationPreview';
 import { organizationListParams, populateCacheUpdateItem } from '@/ui/components/OrganizationSwitcher/utils';
-import { useTaskChooseOrganizationContext } from '@/ui/contexts/components/SessionTasks';
+import { useSessionTasksContext, useTaskChooseOrganizationContext } from '@/ui/contexts/components/SessionTasks';
 import { Col, descriptors, localizationKeys, Text, useLocalizations } from '@/ui/customizables';
 import { Action, Actions } from '@/ui/elements/Actions';
 import { Card } from '@/ui/elements/Card';
@@ -25,7 +25,6 @@ import { Header } from '@/ui/elements/Header';
 import { OrganizationPreview } from '@/ui/elements/OrganizationPreview';
 import { useOrganizationListInView } from '@/ui/hooks/useOrganizationListInView';
 import { Add } from '@/ui/icons';
-import { useRouter } from '@/ui/router';
 import { handleError } from '@/ui/utils/errorHandler';
 
 type ChooseOrganizationScreenProps = {
@@ -107,7 +106,7 @@ export const ChooseOrganizationScreen = (props: ChooseOrganizationScreenProps) =
 const MembershipPreview = (props: { organization: OrganizationResource }) => {
   const { user } = useUser();
   const card = useCardState();
-  const { navigate } = useRouter();
+  const { navigateOnSetActive } = useSessionTasksContext();
   const { redirectUrlComplete } = useTaskChooseOrganizationContext();
   const { isLoaded, setActive } = useOrganizationList();
   const { t } = useLocalizations();
@@ -121,9 +120,8 @@ const MembershipPreview = (props: { organization: OrganizationResource }) => {
       try {
         await setActive({
           organization,
-          navigate: async () => {
-            // TODO(after-auth) ORGS-779 - Handle next tasks
-            await navigate(redirectUrlComplete);
+          navigate: async ({ session }) => {
+            await navigateOnSetActive?.({ session, redirectUrlComplete });
           },
         });
       } catch (err) {

packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/CreateOrganizationScreen.tsx

@@ -2,14 +2,13 @@ import { useOrganizationList } from '@clerk/shared/react';
 import type { CreateOrganizationParams } from '@clerk/shared/types';
 
 import { useEnvironment } from '@/ui/contexts';
-import { useTaskChooseOrganizationContext } from '@/ui/contexts/components/SessionTasks';
+import { useSessionTasksContext, useTaskChooseOrganizationContext } from '@/ui/contexts/components/SessionTasks';
 import { localizationKeys } from '@/ui/customizables';
 import { useCardState } from '@/ui/elements/contexts';
 import { Form } from '@/ui/elements/Form';
 import { FormButtonContainer } from '@/ui/elements/FormButtons';
 import { FormContainer } from '@/ui/elements/FormContainer';
 import { Header } from '@/ui/elements/Header';
-import { useRouter } from '@/ui/router';
 import { createSlug } from '@/ui/utils/createSlug';
 import { handleError } from '@/ui/utils/errorHandler';
 import { useFormControl } from '@/ui/utils/useFormControl';
@@ -22,7 +21,7 @@ type CreateOrganizationScreenProps = {
 
 export const CreateOrganizationScreen = (props: CreateOrganizationScreenProps) => {
   const card = useCardState();
-  const { navigate } = useRouter();
+  const { navigateOnSetActive } = useSessionTasksContext();
   const { redirectUrlComplete } = useTaskChooseOrganizationContext();
   const { createOrganization, isLoaded, setActive } = useOrganizationList({
     userMemberships: organizationListParams.userMemberships,
@@ -60,9 +59,8 @@ export const CreateOrganizationScreen = (props: CreateOrganizationScreenProps) =
 
       await setActive({
         organization,
-        navigate: async () => {
-          // TODO(after-auth) ORGS-779 - Handle next tasks
-          await navigate(redirectUrlComplete);
+        navigate: async ({ session }) => {
+          await navigateOnSetActive?.({ session, redirectUrlComplete });
         },
       });
     } catch (err) {

packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/index.tsx

@@ -8,9 +8,9 @@ import { withCardStateProvider } from '@/ui/elements/contexts';
 import { useMultipleSessions } from '@/ui/hooks/useMultipleSessions';
 import { useOrganizationListInView } from '@/ui/hooks/useOrganizationListInView';
 
+import { withTaskGuard } from '../shared';
 import { ChooseOrganizationScreen } from './ChooseOrganizationScreen';
 import { CreateOrganizationScreen } from './CreateOrganizationScreen';
-import { withTaskGuard } from './withTaskGuard';
 
 const TaskChooseOrganizationInternal = () => {
   const { signOut } = useClerk();
@@ -105,5 +105,5 @@ const TaskChooseOrganizationFlows = withCardStateProvider((props: TaskChooseOrga
 });
 
 export const TaskChooseOrganization = withCoreSessionSwitchGuard(
-  withTaskGuard(withCardStateProvider(TaskChooseOrganizationInternal)),
+  withTaskGuard(withCardStateProvider(TaskChooseOrganizationInternal), 'choose-organization'),
 );