chore(backend,nextjs,astro): Introduce getAuthObjectFromJwt as internal utility (#6053)

LauraBeatris · web-flow · commit 4f93634ed6bc · 2025-06-03T13:42:11.000-07:00
diff --git a/.changeset/twelve-feet-yell.md b/.changeset/twelve-feet-yell.md
@@ -0,0 +1,7 @@
+---
+'@clerk/backend': patch
+'@clerk/nextjs': patch
+'@clerk/astro': patch
+---
+
+Introduce `getAuthObjectFromJwt` as internal utility function that centralizes the logic for generating auth objects from session JWTs.
diff --git a/packages/astro/src/server/get-auth.ts b/packages/astro/src/server/get-auth.ts
@@ -1,5 +1,5 @@
 import type { SignedInAuthObject, SignedOutAuthObject } from '@clerk/backend/internal';
-import { AuthStatus, signedInAuthObject, signedOutAuthObject } from '@clerk/backend/internal';
+import { AuthStatus, getAuthObjectFromJwt, signedOutAuthObject } from '@clerk/backend/internal';
 import { decodeJwt } from '@clerk/backend/jwt';
 import type { PendingSessionOptions } from '@clerk/types';
 import type { APIContext } from 'astro';
@@ -40,15 +40,7 @@ export const createGetAuth = ({ noAuthStatusMessage }: { noAuthStatusMessage: st
       return signedOutAuthObject(options);
     }
 
-    const jwt = decodeJwt(authToken as string);
-    // @ts-expect-error - TODO: Align types
-    const authObject = signedInAuthObject(options, jwt.raw.text, jwt.payload);
-
-    if (treatPendingAsSignedOut && authObject.sessionStatus === 'pending') {
-      return signedOutAuthObject(options);
-    }
-
-    return authObject;
+    return getAuthObjectFromJwt(decodeJwt(authToken as string), { ...options, treatPendingAsSignedOut });
   };
 };
 
diff --git a/packages/backend/src/__tests__/exports.test.ts b/packages/backend/src/__tests__/exports.test.ts
@@ -47,6 +47,7 @@ describe('subpath /internal exports', () => {
         "createRedirect",
         "debugRequestState",
         "decorateObjectWithResources",
+        "getAuthObjectFromJwt",
         "getMachineTokenType",
         "isMachineToken",
         "isTokenTypeAccepted",
diff --git a/packages/backend/src/internal.ts b/packages/backend/src/internal.ts
@@ -25,6 +25,7 @@ export {
   signedInAuthObject,
   authenticatedMachineObject,
   unauthenticatedMachineObject,
+  getAuthObjectFromJwt,
 } from './tokens/authObjects';
 
 export { AuthStatus } from './tokens/authStatus';
diff --git a/packages/backend/src/tokens/authObjects.ts b/packages/backend/src/tokens/authObjects.ts
@@ -2,7 +2,9 @@ import { createCheckAuthorization } from '@clerk/shared/authorization';
 import { __experimental_JWTPayloadToAuthObjectProperties } from '@clerk/shared/jwtPayloadParser';
 import type {
   CheckAuthorizationFromSessionClaims,
+  Jwt,
   JwtPayload,
+  PendingSessionOptions,
   ServerGetToken,
   ServerGetTokenOptions,
   SessionStatusClaim,
@@ -131,7 +133,7 @@ const createDebug = (data: AuthObjectDebugData | undefined) => {
  * @internal
  */
 export function signedInAuthObject(
-  authenticateContext: AuthenticateContext,
+  authenticateContext: Partial<AuthenticateContext>,
   sessionToken: string,
   sessionClaims: JwtPayload,
 ): SignedInAuthObject {
@@ -326,3 +328,19 @@ const createGetToken: CreateGetToken = params => {
     return sessionToken;
   };
 };
+
+/**
+ * @internal
+ */
+export const getAuthObjectFromJwt = (
+  jwt: Jwt,
+  { treatPendingAsSignedOut = true, ...options }: PendingSessionOptions & Partial<AuthenticateContext>,
+) => {
+  const authObject = signedInAuthObject(options, jwt.raw.text, jwt.payload);
+
+  if (treatPendingAsSignedOut && authObject.sessionStatus === 'pending') {
+    return signedOutAuthObject(options, authObject.sessionStatus);
+  }
+
+  return authObject;
+};
diff --git a/packages/nextjs/src/server/data/getAuthDataFromRequest.ts b/packages/nextjs/src/server/data/getAuthDataFromRequest.ts
@@ -4,10 +4,10 @@ import {
   authenticatedMachineObject,
   AuthStatus,
   constants,
+  getAuthObjectFromJwt,
   getMachineTokenType,
   isMachineToken,
   isTokenTypeAccepted,
-  signedInAuthObject,
   signedOutAuthObject,
   TokenType,
   unauthenticatedMachineObject,
@@ -66,12 +66,7 @@ export const getAuthDataFromRequestSync = (
 
     opts.logger?.debug('jwt', jwt.raw);
 
-    // @ts-expect-error -- Restrict parameter type of options to only list what's needed
-    authObject = signedInAuthObject(options, jwt.raw.text, jwt.payload);
-  }
-
-  if (treatPendingAsSignedOut && authObject.sessionStatus === 'pending') {
-    authObject = signedOutAuthObject(options, authObject.sessionStatus);
+    return getAuthObjectFromJwt(jwt, options);
   }
 
   return authObject;
