Merge pull request #63 from topcoder-04/main

M2M token support

Author: logangingerich

src/Clerk/BackendAPI/Helpers/AuthenticateRequest.cs

@@ -40,6 +40,7 @@ public static async Task<RequestState> AuthenticateRequestAsync(
         {
             TokenType.SessionToken => "session_token",
             TokenType.MachineToken => "machine_token",
+            TokenType.MachineTokenV2 => "m2m_token",
             TokenType.OAuthToken => "oauth_token",
             TokenType.ApiKey => "api_key",
             _ => tokenType.ToString().ToLowerInvariant()
@@ -48,18 +49,31 @@ public static async Task<RequestState> AuthenticateRequestAsync(
         // Check if token type is accepted
         if (!options.AcceptsToken.Contains("any") && !options.AcceptsToken.Contains(tokenTypeName))
         {
-            return RequestState.SignedOut(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED);
+            // Special case: if acceptsToken contains "machine_token", accept both MachineToken and MachineTokenV2
+            bool isAccepted = false;
+            if (options.AcceptsToken.Contains("machine_token") && 
+                (tokenType == TokenType.MachineToken || tokenType == TokenType.MachineTokenV2))
+            {
+                isAccepted = true;
+            }
+            
+            if (!isAccepted)
+            {
+                return RequestState.SignedOut(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED);
+            }
         }
 
         VerifyTokenOptions verifyTokenOptions;
 
         if (TokenTypeHelper.IsMachineToken(sessionToken))
         {
-            // Machine tokens require secret key for API verification
-            if (options.SecretKey == null)
+            if (options.SecretKey == null && options.MachineSecretKey == null)
                 return RequestState.SignedOut(AuthErrorReason.SECRET_KEY_MISSING);
 
-            verifyTokenOptions = new VerifyTokenOptions(secretKey: options.SecretKey);
+            verifyTokenOptions = new VerifyTokenOptions(
+                secretKey: options.SecretKey, 
+                machineSecretKey: options.MachineSecretKey
+            );
         }
         else
         {

src/Clerk/BackendAPI/Helpers/AuthenticateRequestOptions.cs

@@ -11,32 +11,36 @@ public sealed class AuthenticateRequestOptions
     public readonly long ClockSkewInMs;
     public readonly string? JwtKey;
     public readonly string? SecretKey;
+    public readonly string? MachineSecretKey;
     public readonly IEnumerable<string> AcceptsToken;
 
     /// <summary>
     ///     Options to configure AuthenticateRequestAsync.
     /// </summary>
     /// <param name="secretKey">The Clerk secret key from the API Keys page in the Clerk Dashboard. (Optional)</param>
+    /// <param name="machineSecretKey">The Machine secret key for machine-specific authentication. (Optional)</param>
     /// <param name="jwtKey">PEM Public String used to verify the session token in a networkless manner. (Optional)</param>
     /// <param name="audiences">A list of audiences to verify against.</param>
     /// <param name="authorizedParties">An allowlist of origins to verify against.</param>
     /// <param name="clockSkewInMs">
     ///     Allowed time difference (in milliseconds) between the Clerk server (which generates the
-    ///     token) and the clock of the user's application server when validating a token. Defaults to 5000 ms.
+    ///     token) and the user's application server when validating a token. Defaults to 5000 ms.
     /// </param>
     /// <param name="acceptsToken">A list of token types to accept. Defaults to ["any"].</param>
     public AuthenticateRequestOptions(
         string? secretKey = null,
+        string? machineSecretKey = null,
         string? jwtKey = null,
         IEnumerable<string>? audiences = null,
         IEnumerable<string>? authorizedParties = null,
         long? clockSkewInMs = null,
         IEnumerable<string>? acceptsToken = null)
     {
-        if (string.IsNullOrEmpty(secretKey) && string.IsNullOrEmpty(jwtKey))
+        if (string.IsNullOrEmpty(secretKey) && string.IsNullOrEmpty(jwtKey) && string.IsNullOrEmpty(machineSecretKey))
             throw new AuthenticateRequestException(AuthErrorReason.SECRET_KEY_MISSING);
 
         SecretKey = secretKey;
+        MachineSecretKey = machineSecretKey;
         JwtKey = jwtKey;
         Audiences = audiences;
         AuthorizedParties = authorizedParties ?? new List<string>();

src/Clerk/BackendAPI/Helpers/RequestState.cs

@@ -128,6 +128,7 @@ public AuthObject ToAuth()
                     Claims = Claims.Claims.GroupBy(c => c.Type).ToDictionary(g => g.Key, g => (object)g.Select(c => c.Value).ToList())
                 };
             case TokenType.MachineToken:
+            case TokenType.MachineTokenV2:
                 return new M2MMachineAuthObject
                 {
                     Id = Claims.FindFirst("id")?.Value,

src/Clerk/BackendAPI/Helpers/TokenTypes.cs

@@ -9,6 +9,7 @@ public enum TokenType
 {
     SessionToken,
     MachineToken,
+    MachineTokenV2,
     OAuthToken,
     ApiKey
 }
@@ -19,6 +20,7 @@ public enum TokenType
 public static class TokenPrefix
 {
     public const string MachineToken = "mt_";
+    public const string MachineTokenV2 = "m2m_";
     public const string OAuthToken = "oat_";
     public const string ApiKey = "ak_";
 }
@@ -28,7 +30,7 @@ public static class TokenPrefix
 /// </summary>
 public static class TokenTypeHelper
 {
-    private static readonly string[] MachineTokenPrefixes = { TokenPrefix.MachineToken, TokenPrefix.OAuthToken, TokenPrefix.ApiKey };
+    private static readonly string[] MachineTokenPrefixes = { TokenPrefix.MachineToken, TokenPrefix.MachineTokenV2, TokenPrefix.OAuthToken, TokenPrefix.ApiKey };
 
     /// <summary>
     /// Determines if a token is a machine token (includes M2M, OAuth, and API key tokens)
@@ -62,6 +64,9 @@ public static TokenType GetTokenType(string token)
         if (token.StartsWith(TokenPrefix.MachineToken))
             return TokenType.MachineToken;
 
+        if (token.StartsWith(TokenPrefix.MachineTokenV2))
+            return TokenType.MachineTokenV2;
+
         if (token.StartsWith(TokenPrefix.ApiKey))
             return TokenType.ApiKey;
 
@@ -81,6 +86,7 @@ public static string GetVerificationEndpoint(TokenType tokenType)
         return tokenType switch
         {
             TokenType.MachineToken => "/m2m_tokens/verify",
+            TokenType.MachineTokenV2 => "/m2m_tokens/verify",
             TokenType.OAuthToken => "/oauth_applications/access_tokens/verify",
             TokenType.ApiKey => "/api_keys/verify",
             _ => throw new ArgumentException($"No verification endpoint for token type: {tokenType}")

src/Clerk/BackendAPI/Helpers/VerifyToken.cs

@@ -255,14 +255,16 @@ private static async Task<WellKnownJWKS> FetchJwksAsync(VerifyTokenOptions optio
     /// <returns>ClaimsPrincipal containing token information</returns>
     private static async Task<ClaimsPrincipal> VerifyMachineTokenAsync(string token, VerifyTokenOptions options, TokenType tokenType)
     {
-        if (options.SecretKey == null)
+        if (options.SecretKey == null && options.MachineSecretKey == null)
             throw new TokenVerificationException(TokenVerificationErrorReason.SECRET_KEY_MISSING);
 
         var endpoint = TokenTypeHelper.GetVerificationEndpoint(tokenType);
         var verificationUrl = $"{options.ApiUrl}/{options.ApiVersion}{endpoint}";
 
         using var client = new HttpClient();
-        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", options.SecretKey);
+        
+        var authToken = options.SecretKey ?? options.MachineSecretKey;
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authToken);
         client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
 
         var payload = new { secret = token };

src/Clerk/BackendAPI/Helpers/VerifyTokenOptions.cs

@@ -15,11 +15,13 @@ public sealed class VerifyTokenOptions
     public readonly string? JwtKey;
 
     public readonly string? SecretKey;
+    public readonly string? MachineSecretKey;
 
     /// <summary>
     ///     Options to configure VerifyTokenAsync.
     /// </summary>
     /// <param name="secretKey">The Clerk secret key from the API Keys page in the Clerk Dashboard. (Optional)</param>
+    /// <param name="machineSecretKey">The Machine secret key for machine-specific authentication. (Optional)</param>
     /// <param name="jwtKey">PEM Public String used to verify the session token in a networkless manner. (Optional)</param>
     /// <param name="audiences">A list of audiences to verify against.</param>
     /// <param name="authorizedParties">An allowlist of origins to verify against.</param>
@@ -31,17 +33,19 @@ public sealed class VerifyTokenOptions
     /// <param name="apiVersion">The version passed to the Clerk API. Defaults to 'v1'</param>
     public VerifyTokenOptions(
         string? secretKey = null,
+        string? machineSecretKey = null,
         string? jwtKey = null,
         IEnumerable<string>? audiences = null,
         IEnumerable<string>? authorizedParties = null,
         long? clockSkewInMs = null,
         string? apiUrl = null,
         string? apiVersion = null)
     {
-        if (string.IsNullOrEmpty(secretKey) && string.IsNullOrEmpty(jwtKey))
+        if (string.IsNullOrEmpty(secretKey) && string.IsNullOrEmpty(jwtKey) && string.IsNullOrEmpty(machineSecretKey))
             throw new TokenVerificationException(TokenVerificationErrorReason.SECRET_KEY_MISSING);
 
         SecretKey = secretKey;
+        MachineSecretKey = machineSecretKey;
         JwtKey = jwtKey;
         Audiences = audiences;
         AuthorizedParties = authorizedParties;

tests/Hooks/BeforeRequestHookTests.cs

@@ -18,7 +18,7 @@ public async Task BeforeRequestAsync_AddsClerkApiVersionHeader()
         var result = await hook.BeforeRequestAsync(hookCtx, request);
 
         Assert.True(result.Headers.Contains("Clerk-API-Version"));
-        Assert.Equal("2024-10-01", result.Headers.GetValues("Clerk-API-Version").First());
+        Assert.Equal("2025-04-10", result.Headers.GetValues("Clerk-API-Version").First());
     }
 
     [Fact]

tests/JwksHelpers/AuthenticateRequestTests.cs

@@ -424,6 +424,7 @@ public async Task TestRealOAuthTokenClaims()
 
         [Theory]
         [InlineData("mt_1234567890abcdef", TokenType.MachineToken)]
+        [InlineData("m2m_1234567890abcdef", TokenType.MachineTokenV2)]
         [InlineData("oat_1234567890abcdef", TokenType.OAuthToken)]
         [InlineData("ak_1234567890abcdef", TokenType.ApiKey)]
         [InlineData("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...", TokenType.SessionToken)]
@@ -594,13 +595,58 @@ public async Task TestMachineTokenWithSecretKey()
             var httpContext = CreateHttpContextWithToken("mt_test_token");
             var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
 
-            // Should attempt verification (will fail due to no real HTTP client, but won't fail on secret key)
             Assert.NotEqual(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
             Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
         }
 
+        [Fact]
+        public async Task TestMachineTokenWithMachineSecretKey()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                machineSecretKey: "ms_test_machine_secret",
+                acceptsToken: new[] { "any" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("mt_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.NotEqual(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
+            Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Fact]
+        public async Task TestMachineTokenWithBothKeys()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                secretKey: "sk_test_secret",
+                machineSecretKey: "ms_test_machine_secret",
+                acceptsToken: new[] { "any" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("mt_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.NotEqual(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
+            Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Fact]
+        public async Task TestMachineTokenWithNoKeys()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                jwtKey: "test-jwt-key",
+                acceptsToken: new[] { "any" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("mt_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.Equal(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
+        }
+
         [Theory]
         [InlineData("mt_machine_token_123")]
+        [InlineData("m2m_machine_token_123")]
         [InlineData("oat_oauth_token_123")]
         [InlineData("ak_api_key_123")]
         public async Task TestDifferentMachineTokenPrefixes(string token)
@@ -618,6 +664,109 @@ public async Task TestDifferentMachineTokenPrefixes(string token)
             Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
         }
 
+        [Fact]
+        public async Task TestM2MTokenWithSecretKey()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                secretKey: "sk_test_secret",
+                acceptsToken: new[] { "m2m_token" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("m2m_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.NotEqual(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
+            Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Fact]
+        public async Task TestM2MTokenWithMachineSecretKey()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                machineSecretKey: "ms_test_machine_secret",
+                acceptsToken: new[] { "m2m_token" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("m2m_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.NotEqual(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
+            Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Fact]
+        public async Task TestM2MTokenWithBothKeys()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                secretKey: "sk_test_secret",
+                machineSecretKey: "ms_test_machine_secret",
+                acceptsToken: new[] { "m2m_token" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("m2m_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.NotEqual(AuthErrorReason.SECRET_KEY_MISSING, state.ErrorReason);
+            Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Fact]
+        public async Task TestM2MTokenTypeAcceptance()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                secretKey: "sk_test_secret",
+                acceptsToken: new[] { "m2m_token" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("m2m_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            // Should not be rejected due to token type
+            Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Fact]
+        public async Task TestM2MTokenRejectedWhenNotAccepted()
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                secretKey: "sk_test_secret",
+                acceptsToken: new[] { "session_token" }
+            );
+
+            var httpContext = CreateHttpContextWithToken("m2m_test_token");
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            Assert.True(state.IsSignedOut());
+            Assert.Equal(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+        }
+
+        [Theory]
+        [InlineData("m2m_test_token", new[] { "m2m_token" }, false)] // Should be accepted
+        [InlineData("m2m_test_token", new[] { "machine_token" }, false)] // Should be accepted (machine_token includes m2m_token)
+        [InlineData("m2m_test_token", new[] { "session_token" }, true)] // Should be rejected
+        [InlineData("m2m_test_token", new[] { "oauth_token", "api_key" }, true)] // Should be rejected
+        public async Task TestM2MTokenTypeFiltering(string token, string[] acceptedTypes, bool shouldBeRejected)
+        {
+            var arOptions = new AuthenticateRequestOptions(
+                secretKey: "sk_test_secret",
+                acceptsToken: acceptedTypes
+            );
+
+            var httpContext = CreateHttpContextWithToken(token);
+            var state = await AuthenticateRequest.AuthenticateRequestAsync(httpContext.Request, arOptions);
+
+            if (shouldBeRejected)
+            {
+                Assert.True(state.IsSignedOut());
+                Assert.Equal(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+            }
+            else
+            {
+                // Token type is accepted, but verification might still fail
+                Assert.NotEqual(AuthErrorReason.TOKEN_TYPE_NOT_SUPPORTED, state.ErrorReason);
+            }
+        }
+
         #endregion
 
         #region Error Handling Tests