The Tin Auth Proxy Server handles Clerk session authentication and proxies to an upstream application.
I didn't want to build Clerk into an OSS application I was working on but rather bolt it on. That way others could use the application with their own authentication.
- Checks, verifies and decodes the
__sessionpassed from the browser cookie for Clerk. - Passes through the
X-Forwarded-Userto the upstream application. - Separates Clerk session handling from the upstream application.
- The upstream service should not be accessible from the internet except by the proxy server.
- Does not handle
tokenauthentication. - Does not handle authorisation or roles.
- Does not handle organisations currently.
- A clerk account
Install the auth UI.
git clone git@github.com:gemmadlou/tin.auth.ui.git
cd tin.auth.uiSetup the VITE_CLERK_PUBLISHABLE_KEY.
You can get your Publishable key from the Clerk dashboard.
echo VITE_CLERK_PUBLISHABLE_KEY=... > .envStart the server.
yarn devOutside of the auth ui project, clone the tin proxy.
git clone git@github.com:gemmadlou/tin.auth.proxy.git
cd tin.auth.proxyAdd your Clerk JWK to the .env file.
You can get your JWK json URL from Clerk.
echo JWK_URL=https://clerk.xxxxxxxxxxxxxx.dev/.well-known/jwks.json > .envAdd your Auth UI URL to the .env
echo AUTH_FE_URL=http://localhost:5173/ >> .envAdd your upstream app to the .env
echo PROXY_TARGET_URL=http://localhost:3001/ >> .envStart the proxy server.
yarn devAdd a logout button to your application.
It must go to the
/session.
<a href="/session">
Log out
</a>Look at the Nitro documentation to learn more.
Make sure to install the dependencies:
yarn installStart the development server on http://localhost:3000
yarn devBuild the application for production:
yarn buildLocally preview production build:
yarn previewCheck out the deployment documentation for more information.