feat(backend): Validate cat header when verifying M2M JWTs #9038
Conversation
🦋 Changeset detected. Latest commit: 1b98fad. The changes in this PR will be included in the next version bump. This PR includes changesets to release 10 packages.
Description
The backend SDK verifies M2M JWTs networklessly, so it never hits the bapi-proxy `/m2m_tokens/verify` gate added in clerk/cloudflare-workers#2013. This adds the same `cat` (token-category) check to `verifyM2MJwt`.

M2M JWTs now carry `cat: cl_B7d4PD333AAA` (`JWT_CATEGORY_M2M_TOKEN`) in their protected header. The check rejects a JWT whose `cat` belongs to another class (session, jwt-template) signed by the same instance key, closing a masquerade where a non-M2M JWT with a `sub` starting `mch_` would verify as M2M.

This is non-breaking. Absent `cat` is still accepted because tokens minted before the workers rollout (2026-05-27) have none, and M2M tokens can be non-expiring.

Resolves USER-5437
Checklist

- `pnpm test` runs as expected.
- `pnpm build` runs as expected.

Type of change
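The category check the description sketches, written out as an added example (not the SDK's own `verifyM2MJwt` implementation): it reads the protected header of an already signature-verified JWT, accepts a missing `cat` for pre-rollout tokens, and rejects any `cat` other than `JWT_CATEGORY_M2M_TOKEN`. The `mch_` subject-prefix check, the `cl_SESSION_PLACEHOLDER` value and the unsigned sample tokens are assumptions constructed for the example.

```javascript
// Added example, not Clerk's code. Signature verification against the
// instance key is assumed to have succeeded before this check runs.
const JWT_CATEGORY_M2M_TOKEN = 'cl_B7d4PD333AAA'; // value from the PR description

// Split a compact JWT and base64url-decode the JSON header and payload.
function decodeJwtParts(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  return { header: decode(parts[0]), payload: decode(parts[1]) };
}

// Returns { ok: true, legacy } on acceptance, { ok: false, reason } on rejection.
function checkM2MCategory(token) {
  const { header, payload } = decodeJwtParts(token);

  // Assumed pre-existing check: M2M subjects are machine ids starting with `mch_`.
  if (typeof payload.sub !== 'string' || !payload.sub.startsWith('mch_')) {
    return { ok: false, reason: 'sub is not a machine id' };
  }

  // Tokens minted before the workers rollout carry no `cat`; still accepted
  // because M2M tokens can be non-expiring.
  if (header.cat === undefined) {
    return { ok: true, legacy: true };
  }

  // A JWT of another class (session, jwt-template) signed by the same instance
  // key must not pass as M2M even if its `sub` looks like a machine id.
  if (header.cat !== JWT_CATEGORY_M2M_TOKEN) {
    return { ok: false, reason: `cat ${header.cat} is not the M2M token category` };
  }
  return { ok: true, legacy: false };
}

// Build an unsigned sample token (constructed; real tokens carry a signature).
function sampleToken(header, payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.sig`;
}
```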