Merge branch 'main' into feat/localization-pt-BR-billing

Author: lightapps-smart-blocks

.changeset/brown-masks-admire.md

@@ -0,0 +1,7 @@
+---
+'@clerk/localizations': patch
+'@clerk/clerk-js': patch
+'@clerk/types': patch
+---
+
+Add payment history tab to UserProfile and OrgProfile

.changeset/free-times-refuse.md

@@ -0,0 +1,6 @@
+---
+'@clerk/backend': patch
+'@clerk/nextjs': patch
+---
+
+Re-organize internal types for the recently added "machine authentication" feature. 

.changeset/large-adults-juggle.md

@@ -0,0 +1,30 @@
+---
+'@clerk/tanstack-react-start': minor
+---
+
+Introduces machine authentication, supporting four token types: `api_key`, `oauth_token`, `machine_token`, and `session_token`. For backwards compatibility, `session_token` remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification.
+
+You can specify which token types are allowed by using the `acceptsToken` option in the `getAuth()` function. This option can be set to a specific type, an array of types, or `'any'` to accept all supported tokens.
+
+Example usage:
+
+```ts
+import { createServerFn } from '@tanstack/react-start'
+import { getAuth } from '@clerk/tanstack-react-start/server'
+import { getWebRequest } from '@tanstack/react-start/server'
+
+const authStateFn = createServerFn({ method: 'GET' }).handler(async () => {
+    const request = getWebRequest()
+    const auth = await getAuth(request, { acceptsToken: 'any' })
+
+    if (authObject.tokenType === 'session_token') {
+        console.log('this is session token from a user')
+    } else {
+        console.log('this is some other type of machine token')
+        console.log('more specifically, a ' + authObject.tokenType)
+    }
+
+    return {}
+})
+
+```

.changeset/petite-sites-see.md

@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Fix Stripe Elements error handling

.changeset/social-carrots-melt.md

@@ -0,0 +1,6 @@
+---
+'@clerk/backend': patch
+'@clerk/nextjs': patch
+---
+
+Resolve machine token property mixing in discriminated unions

.changeset/sour-onions-wear.md

@@ -0,0 +1,27 @@
+---
+'@clerk/express': minor
+---
+
+Introduces machine authentication, supporting four token types: `api_key`, `oauth_token`, `machine_token`, and `session_token`. For backwards compatibility, `session_token` remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification.
+
+You can specify which token types are allowed by using the `acceptsToken` option in the `getAuth()` function. This option can be set to a specific type, an array of types, or `'any'` to accept all supported tokens.
+
+Example usage:
+
+```ts
+import express from 'express';
+import { getAuth } from '@clerk/express';
+
+const app = express();
+
+app.get('/path', (req, res) => {
+  const authObject = getAuth(req, { acceptsToken: 'any' });
+
+  if (authObject.tokenType === 'session_token') {
+    console.log('this is session token from a user')
+  } else {
+    console.log('this is some other type of machine token')
+    console.log('more specifically, a ' + authObject.tokenType)
+  }
+});
+```

.changeset/two-trains-pull.md

@@ -0,0 +1,27 @@
+---
+'@clerk/react-router': minor
+---
+
+Introduces machine authentication, supporting four token types: `api_key`, `oauth_token`, `machine_token`, and `session_token`. For backwards compatibility, `session_token` remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification.
+
+You can specify which token types are allowed by using the `acceptsToken` option in the `getAuth()` function. This option can be set to a specific type, an array of types, or `'any'` to accept all supported tokens.
+
+Example usage:
+
+```ts
+import { getAuth } from '@clerk/react-router/ssr.server'
+import type { Route } from './+types/profile'
+
+export async function loader(args: Route.LoaderArgs) {
+  const authObject = await getAuth(args, { acceptsToken: 'any' })
+
+  if (authObject.tokenType === 'session_token') {
+    console.log('this is session token from a user')
+  } else {
+    console.log('this is some other type of machine token')
+    console.log('more specifically, a ' + authObject.tokenType)
+  }
+
+  return {}
+}
+```

.changeset/yummy-socks-join.md

@@ -0,0 +1,27 @@
+---
+'@clerk/fastify': minor
+---
+
+Introduces machine authentication, supporting four token types: `api_key`, `oauth_token`, `machine_token`, and `session_token`. For backwards compatibility, `session_token` remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification.
+
+You can specify which token types are allowed by using the `acceptsToken` option in the `getAuth()` function. This option can be set to a specific type, an array of types, or `'any'` to accept all supported tokens.
+
+Example usage:
+
+```ts
+import Fastify from 'fastify'
+import { getAuth } from '@clerk/fastify'
+
+const fastify = Fastify()
+
+fastify.get('/path', (request, reply) => {
+  const authObject = getAuth(req, { acceptsToken: 'any' });
+
+  if (authObject.tokenType === 'session_token') {
+    console.log('this is session token from a user')
+  } else {
+    console.log('this is some other type of machine token')
+    console.log('more specifically, a ' + authObject.tokenType)
+  }
+});
+```

.typedoc/__tests__/__snapshots__/file-structure.test.ts.snap

@@ -150,7 +150,10 @@ exports[`Typedoc output > should have a deliberate file structure 1`] = `
   "backend/client.mdx",
   "backend/email-address.mdx",
   "backend/external-account.mdx",
+  "backend/get-auth-fn.mdx",
   "backend/identification-link.mdx",
+  "backend/infer-auth-object-from-token-array.mdx",
+  "backend/infer-auth-object-from-token.mdx",
   "backend/invitation-status.mdx",
   "backend/invitation.mdx",
   "backend/organization-invitation-status.mdx",

packages/backend/src/__tests__/exports.test.ts

@@ -47,6 +47,7 @@ describe('subpath /internal exports', () => {
         "createRedirect",
         "debugRequestState",
         "decorateObjectWithResources",
+        "getAuthObjectForAcceptedToken",
         "getAuthObjectFromJwt",
         "getMachineTokenType",
         "isMachineToken",

packages/backend/src/index.ts

@@ -162,3 +162,4 @@ export type {
  * Auth objects
  */
 export type { AuthObject } from './tokens/authObjects';
+export type { SessionAuthObject, MachineAuthObject } from './tokens/types';

packages/backend/src/internal.ts

@@ -7,7 +7,13 @@ export { createAuthenticateRequest } from './tokens/factory';
 
 export { debugRequestState } from './tokens/request';
 
-export type { AuthenticateRequestOptions, OrganizationSyncOptions } from './tokens/types';
+export type {
+  AuthenticateRequestOptions,
+  OrganizationSyncOptions,
+  InferAuthObjectFromToken,
+  InferAuthObjectFromTokenArray,
+  GetAuthFn,
+} from './tokens/types';
 
 export { TokenType } from './tokens/tokenTypes';
 export type { SessionTokenType, MachineTokenType } from './tokens/tokenTypes';
@@ -26,6 +32,7 @@ export {
   authenticatedMachineObject,
   unauthenticatedMachineObject,
   getAuthObjectFromJwt,
+  getAuthObjectForAcceptedToken,
 } from './tokens/authObjects';
 
 export { AuthStatus } from './tokens/authStatus';

packages/backend/src/tokens/__tests__/getAuth.test-d.ts

@@ -0,0 +1,107 @@
+import { assertType, test } from 'vitest';
+
+import type { AuthObject } from '../authObjects';
+import type { GetAuthFn, MachineAuthObject, SessionAuthObject } from '../types';
+
+// Across our SDKs, we have a getAuth() function
+const getAuth: GetAuthFn<Request> = (_request: any, _options: any) => {
+  return {} as any;
+};
+
+test('infers the correct AuthObject type for each accepted token type', () => {
+  const request = new Request('https://example.com');
+
+  // Session token by default
+  assertType<SessionAuthObject>(getAuth(request));
+
+  // Individual token types
+  assertType<SessionAuthObject>(getAuth(request, { acceptsToken: 'session_token' }));
+  assertType<MachineAuthObject<'api_key'>>(getAuth(request, { acceptsToken: 'api_key' }));
+  assertType<MachineAuthObject<'machine_token'>>(getAuth(request, { acceptsToken: 'machine_token' }));
+  assertType<MachineAuthObject<'oauth_token'>>(getAuth(request, { acceptsToken: 'oauth_token' }));
+
+  // Array of token types
+  assertType<SessionAuthObject | MachineAuthObject<'machine_token'>>(
+    getAuth(request, { acceptsToken: ['session_token', 'machine_token'] }),
+  );
+  assertType<MachineAuthObject<'machine_token' | 'oauth_token'>>(
+    getAuth(request, { acceptsToken: ['machine_token', 'oauth_token'] }),
+  );
+
+  // Any token type
+  assertType<AuthObject>(getAuth(request, { acceptsToken: 'any' }));
+});
+
+test('verifies correct properties exist for each token type', () => {
+  const request = new Request('https://example.com');
+
+  // Session token should have userId
+  const sessionAuth = getAuth(request, { acceptsToken: 'session_token' });
+  assertType<string | null>(sessionAuth.userId);
+
+  // All machine tokens should have id and subject
+  const apiKeyAuth = getAuth(request, { acceptsToken: 'api_key' });
+  const machineTokenAuth = getAuth(request, { acceptsToken: 'machine_token' });
+  const oauthTokenAuth = getAuth(request, { acceptsToken: 'oauth_token' });
+
+  assertType<string | null>(apiKeyAuth.id);
+  assertType<string | null>(machineTokenAuth.id);
+  assertType<string | null>(oauthTokenAuth.id);
+  assertType<string | null>(apiKeyAuth.subject);
+  assertType<string | null>(machineTokenAuth.subject);
+  assertType<string | null>(oauthTokenAuth.subject);
+
+  // Only api_key and machine_token should have name and claims
+  assertType<string | null>(apiKeyAuth.name);
+  assertType<Record<string, any> | null>(apiKeyAuth.claims);
+
+  assertType<string | null>(machineTokenAuth.name);
+  assertType<Record<string, any> | null>(machineTokenAuth.claims);
+
+  // oauth_token should NOT have name and claims
+  // @ts-expect-error oauth_token does not have name property
+  void oauthTokenAuth.name;
+  // @ts-expect-error oauth_token does not have claims property
+  void oauthTokenAuth.claims;
+});
+
+test('verifies discriminated union works correctly with acceptsToken: any', () => {
+  const request = new Request('https://example.com');
+
+  const auth = getAuth(request, { acceptsToken: 'any' });
+
+  if (auth.tokenType === 'session_token') {
+    // Should be SessionAuthObject - has userId
+    assertType<string | null>(auth.userId);
+    // Should NOT have machine token properties
+    // @ts-expect-error session_token does not have id property
+    void auth.id;
+  } else if (auth.tokenType === 'api_key') {
+    // Should be AuthenticatedMachineObject<'api_key'> - has id, name, claims
+    assertType<string | null>(auth.id);
+    assertType<string | null>(auth.name);
+    assertType<Record<string, any> | null>(auth.claims);
+    // Should NOT have session token properties
+    // @ts-expect-error api_key does not have userId property
+    void auth.userId;
+  } else if (auth.tokenType === 'machine_token') {
+    // Should be AuthenticatedMachineObject<'machine_token'> - has id, name, claims
+    assertType<string | null>(auth.id);
+    assertType<string | null>(auth.name);
+    assertType<Record<string, any> | null>(auth.claims);
+    // Should NOT have session token properties
+    // @ts-expect-error machine_token does not have userId property
+    void auth.userId;
+  } else if (auth.tokenType === 'oauth_token') {
+    // Should be AuthenticatedMachineObject<'oauth_token'> - has id but NOT name/claims
+    assertType<string | null>(auth.id);
+    // Should NOT have name or claims
+    // @ts-expect-error oauth_token does not have name property
+    void auth.name;
+    // @ts-expect-error oauth_token does not have claims property
+    void auth.claims;
+    // Should NOT have session token properties
+    // @ts-expect-error oauth_token does not have userId property
+    void auth.userId;
+  }
+});