From fbfaeac76f61eccae676bce4cd9e675ce7a4d3a1 Mon Sep 17 00:00:00 2001
From: vi
Date: Mon, 6 Jan 2025 17:17:38 -0500
Subject: [PATCH 1/3] pass authorizedParties to clerkMiddleware
---
 docs/references/sdk/backend-only.mdx | 4 +++-
 docs/references/sdk/fullstack.mdx | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/docs/references/sdk/backend-only.mdx b/docs/references/sdk/backend-only.mdx
index 26ed2bbd9b..661ed8fd41 100644
--- a/docs/references/sdk/backend-only.mdx
+++ b/docs/references/sdk/backend-only.mdx
@@ -80,7 +80,9 @@ You can manually create a wrapper library around the [BAPI OpenAPI](https://cler
 return async (context, next) => {
 const clerkClient = options.clerkClient || defaultClerkClient
- const requestState = await clerkClient.authenticateRequest(context.req)
+ const requestState = await clerkClient.authenticateRequest(context.req, {
+ authorizedParties: ['https://example.com'],
+ })
 context.set('clerkAuth', requestState.toAuth())
 context.set('clerk', clerkClient)
diff --git a/docs/references/sdk/fullstack.mdx b/docs/references/sdk/fullstack.mdx
index de63c85293..be5f16f5a0 100644
--- a/docs/references/sdk/fullstack.mdx
+++ b/docs/references/sdk/fullstack.mdx
@@ -42,7 +42,9 @@ In addition to these instructions, you'll need to go through the following steps
 return async (context, next) => {
 const clerkClient = options.clerkClient || defaultClerkClient
- const requestState = await clerkClient.authenticateRequest(context.req)
+ const requestState = await clerkClient.authenticateRequest(context.req, {
+ authorizedParties: ['https://example.com'],
+ })
 if (requestState.headers) {
 // This adds observability headers to the res
From 9f12df7c63fdad048bd239c45cd475721a2c9a51 Mon Sep 17 00:00:00 2001
From: vi
Date: Mon, 6 Jan 2025 18:01:04 -0500
Subject: [PATCH 2/3] add section about authorizedParties
---
 docs/deployments/overview.mdx | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/docs/deployments/overview.mdx b/docs/deployments/overview.mdx
index 1fe1f00ecc..3940c16123 100644
--- a/docs/deployments/overview.mdx
+++ b/docs/deployments/overview.mdx
@@ -59,6 +59,32 @@ When you set a root domain for your production deployment, Clerk's authenticatio
 To share sessions and authentication across two different domains with the same Clerk application, see the [Authentication across different domains guide](/docs/advanced-usage/satellite-domains).
+
+## Configure `authorizedParties` for secure request authorization
+For enhanced security, it's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. This option acts as an allowlist of origins to verify against, protecting your application from subdomain cookie leaking attacks. Without this setting, if an app on another subdomain of the same root domain as your Clerk app is compromised, that app could potentially generate valid sessions for your Clerk app.
+
+The `authorizedParties` value should include a list of domains allowed to make requests to your application. Omitting this setting can expose your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf).
+
+### Examples
+
+The following examples show how to set `authorizedParties` with different Clerk middleware functions.
+
+#### Set `authorizedParties` with `clerkMiddleware()`
+
+```typescript
+clerkMiddleware({
+ authorizedParties: ['https://example.com']
+})
+```
+
+#### Set `authorizedParties` with `authenticateRequest()`
+
+```typescript
+clerkClient.authenticateRequest(req, {
+ authorizedParties: ['https://example.com'],
+})
+```
+
 ## Deploy certificates
 The Clerk Dashboard home page will tell you what steps are still required to deploy your production instance. Once you have completed all of the necessary steps, a **Deploy certificates** button will appear. Selecting this button will deploy your production instance.
From 2e25a1ff86a9b390424cc4d2965f8a645a55c70a Mon Sep 17 00:00:00 2001
From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com>
Date: Thu, 9 Jan 2025 15:16:12 -0500
Subject: [PATCH 3/3] Update docs/deployments/overview.mdx
---
 docs/deployments/overview.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/deployments/overview.mdx b/docs/deployments/overview.mdx
index 3940c16123..7415fb5c5f 100644
--- a/docs/deployments/overview.mdx
+++ b/docs/deployments/overview.mdx
@@ -67,7 +67,7 @@ The `authorizedParties` value should include a list of domains allowed to make r
 ### Examples
-The following examples show how to set `authorizedParties` with different Clerk middleware functions.
+The following examples show how to set `authorizedParties` with different Clerk helpers.
 #### Set `authorizedParties` with `clerkMiddleware()`