chore(backend): Reject OAuth JWTs for session token token type (#7765)

Author: wobsoriano

.changeset/improve-token-validation.md

@@ -0,0 +1,5 @@
+---
+"@clerk/backend": patch
+---
+
+Improve token type validation in authentication requests

integration/tests/machine-auth/oauth.test.ts

@@ -50,7 +50,7 @@ test.describe('OAuth machine authentication @machine', () => {
       .commit();
 
     await app.setup();
-    await app.withEnv(appConfigs.envs.withEmailCodes);
+    await app.withEnv(appConfigs.envs.withAPIKeys);
     await app.dev();
 
     // Test user that will authorize the OAuth application

packages/backend/src/tokens/__tests__/request.test.ts

@@ -10,7 +10,12 @@ import {
   mockJwtPayload,
   mockMalformedJwt,
 } from '../../fixtures';
-import { mockMachineAuthResponses, mockTokens, mockVerificationResults } from '../../fixtures/machine';
+import {
+  mockMachineAuthResponses,
+  mockSignedOAuthAccessTokenJwt,
+  mockTokens,
+  mockVerificationResults,
+} from '../../fixtures/machine';
 import { server } from '../../mock-server';
 import type { AuthReason } from '../authStatus';
 import { AuthErrorReason, AuthStatus } from '../authStatus';
@@ -1496,6 +1501,17 @@ describe('tokens.authenticateRequest(options)', () => {
           isAuthenticated: false,
         });
       });
+
+      test('rejects OAuth JWT token when acceptsToken is session_token', async () => {
+        const request = mockRequest({ authorization: `Bearer ${mockSignedOAuthAccessTokenJwt}` });
+        const result = await authenticateRequest(request, mockOptions({ acceptsToken: 'session_token' }));
+
+        expect(result).toBeSignedOut({
+          reason: AuthErrorReason.TokenTypeMismatch,
+          message: '',
+        });
+        expect(result.toAuth()).toBeSignedOutToAuth();
+      });
     });
 
     describe('Array of Accepted Token Types', () => {

packages/backend/src/tokens/request.ts

@@ -14,7 +14,7 @@ import { AuthErrorReason, handshake, signedIn, signedOut, signedOutInvalidToken
 import { createClerkRequest } from './clerkRequest';
 import { getCookieName, getCookieValue } from './cookie';
 import { HandshakeService } from './handshake';
-import { getMachineTokenType, isMachineToken, isTokenTypeAccepted } from './machine';
+import { getMachineTokenType, isMachineToken, isOAuthJwt, isTokenTypeAccepted } from './machine';
 import { OrganizationMatcher } from './organizationMatcher';
 import type { MachineTokenType, SessionTokenType } from './tokenTypes';
 import { TokenType } from './tokenTypes';
@@ -411,6 +411,19 @@ export const authenticateRequest: AuthenticateRequest = (async (
   async function authenticateRequestWithTokenInHeader() {
     const { tokenInHeader } = authenticateContext;
 
+    // Reject OAuth JWTs that may appear in headers when expecting session tokens.
+    // OAuth JWTs are valid Clerk-signed JWTs and will pass verifyToken() verification,
+    // but should not be accepted as session tokens.
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    if (isOAuthJwt(tokenInHeader!)) {
+      return signedOut({
+        tokenType: TokenType.SessionToken,
+        authenticateContext,
+        reason: AuthErrorReason.TokenTypeMismatch,
+        message: '',
+      });
+    }
+
     try {
       // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
       const { data, errors } = await verifyToken(tokenInHeader!, authenticateContext);