javascript icon indicating copy to clipboard operation
javascript copied to clipboard
verified publisher icon clerk

Proper way to whitelist/publicize a health api route with authMiddleware?

Open dcyoung opened this issue 2 years ago • 7 comments

With the old middleware, i performed a "public" check on my /api/healthz route, and allowed public traffic before ever calling useAuth. With the new authMiddleware, adding the /api/healthz route to the publicRoute list does not accomplish this behavior.

Instead I'm using a negative look ahead like so:

 apiRoutes: ['/api/(\\?!healthz)(.*)', '/trpc/(.*)'],

Is this the recommended method?

dcyoung avatar Jul 01 '23 21:07 dcyoung

Hello @dcyoung I would suggest to either ignore the middleware for the health endpoint if you don't consider the middleware part of the health checks. Otherwise I would ignore the health endpoint for authMiddleware specifically by using the ignoredRoutes property.

dimkl avatar Jul 04 '23 12:07 dimkl

Perfect. Thanks!

dcyoung avatar Jul 04 '23 14:07 dcyoung

@dimkl Using the ignoredRoutes works and is definitely more explicit, but I'm seeing the following log whenever I hit the health endpoint (even in a prod build):

Clerk: The middleware was skipped for this request URL: http://0.0.0.0:3000/api/healthz. For performance reasons, it's recommended to your middleware matcher to:
export const config = {
  matcher: ["/((?!.*\\..*|_next).*)","/","/(api|trpc)(.*)"],
};

Alternatively, you can set your own ignoredRoutes. See https://clerk.com/docs/nextjs/middleware

We run health checks in our orchestration layer at frequent intervals (~15s), and this may pollute our logs. Anyway to suppress this log?

Also, the config recommended by the message is identical to the one exported in my middleware file.

dcyoung avatar Jul 04 '23 14:07 dcyoung

🤔 We cannot determine if the request is for ignored route or not before receiving a request, so I couldn't find a way to skip this log.

We are taking a deeper look at some conditions we have, to allow adding the /api/healthz endpoint to both publicRoutes and apiRoutes and make it work. Eg :

export default authMiddleware({
    apiRoutes: [/\/api/],
    publicRoutes: [/\/api\/healthz/]
});

Until we make the above or something similar available, I would suggest you to ignore the /api/healthz in the middleware exported config.matcher.

Let me know if this works for you.

dimkl avatar Jul 04 '23 16:07 dimkl

Hi there @dimkl We've been ok with polluted logs in the short term, but we're still hoping for a resolution on this.

Until we make the above or something similar available, I would suggest you to add ignore the /api/healthz in the middleware exported config.matcher.

Can you provide a snippet/example of that matcher regex.

Our current setup looks like:

export default authMiddleware({
    publishableKey: env.XXX,
    ....,
    ignoredRoutes: ['/api/healthz(.*)'],
});

export const config = {
    matcher: ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"],
};

dcyoung avatar Aug 01 '23 22:08 dcyoung

@dimkl ^ friendly bump

dcyoung avatar Aug 18 '23 18:08 dcyoung

I'd like to note that we're working on an easier way to accomplish this with middleware as a first class solution in our upcoming major release. We don't have an exact release date yet but sometime within the next couple months. Hopefully that will make this way easier for you all 😁

jescalan avatar Nov 20 '23 21:11 jescalan