Skip to content

Commit 7c10347

Browse files
authored
Merge pull request #620 from cipherstash/feat/eql-v3-identity-clerk-m2m
test(stack): federate a Clerk M2M JWT for the identity suites; wire into CI
2 parents e3c62d8 + 46db62a commit 7c10347

30 files changed

Lines changed: 546 additions & 573 deletions

.github/actions/require-cs-secrets/action.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,10 +8,10 @@ description: >-
88
99
inputs:
1010
workspace-crn:
11-
description: secrets.CS_WORKSPACE_CRN
11+
description: vars.CS_WORKSPACE_CRN
1212
required: true
1313
client-id:
14-
description: secrets.CS_CLIENT_ID
14+
description: vars.CS_CLIENT_ID
1515
required: true
1616
client-key:
1717
description: secrets.CS_CLIENT_KEY

.github/workflows/integration-drizzle.yml

Lines changed: 19 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -80,10 +80,18 @@ jobs:
8080
pgrest-url: http://localhost:55430
8181

8282
env:
83-
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
84-
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
83+
CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }}
84+
CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }}
8585
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
8686
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
87+
# The identity suites federate a freshly-minted Clerk M2M JWT into a CTS
88+
# token. Only they read these; the other suites ignore them. If one is
89+
# unset the relevant suite fails loudly (throw, never skip) rather than
90+
# taking the whole job down, so they are NOT in the require-cs-secrets
91+
# preflight. `_B` is a SECOND machine (a distinct `sub`) in the same Clerk
92+
# instance, used only by the cross-identity test.
93+
CLERK_MACHINE_TOKEN: ${{ secrets.CLERK_MACHINE_TOKEN }}
94+
CLERK_MACHINE_TOKEN_B: ${{ secrets.CLERK_MACHINE_TOKEN_B }}
8795
# Job-level env, not a `.env` file: `dotenv/config` does not override an
8896
# already-set `process.env`, so these win and no secret is written to disk.
8997
DATABASE_URL: ${{ matrix.database-url }}
@@ -95,11 +103,15 @@ jobs:
95103
CS_IT_DB_VARIANT: ${{ matrix.db }}
96104
# Scoped by directory, never by named file, so a renamed suite cannot
97105
# silently drop from CI. `integration/shared/` holds the adapter-agnostic
98-
# suites (harness, bloom, ope-term); the Supabase adapter suites are not
99-
# run here — they have their own job.
106+
# suites (harness, bloom, ope-term, the crypto/SQL matrices);
107+
# `integration/identity/` holds the Clerk-federated lock-context suites
108+
# (they need CLERK_MACHINE_TOKEN + a workspace with the Clerk issuer
109+
# registered); the Supabase adapter suites are not run here — they have
110+
# their own job.
100111
CS_IT_SUITE: >-
101112
integration/shared/**/*.integration.test.ts,
102-
integration/drizzle-v3/**/*.integration.test.ts
113+
integration/drizzle-v3/**/*.integration.test.ts,
114+
integration/identity/**/*.integration.test.ts
103115
104116
steps:
105117
- uses: actions/checkout@v6
@@ -111,8 +123,8 @@ jobs:
111123
- name: Require CipherStash secrets
112124
uses: ./.github/actions/require-cs-secrets
113125
with:
114-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
115-
client-id: ${{ secrets.CS_CLIENT_ID }}
126+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
127+
client-id: ${{ vars.CS_CLIENT_ID }}
116128
client-key: ${{ secrets.CS_CLIENT_KEY }}
117129
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
118130

.github/workflows/integration-supabase.yml

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -62,8 +62,8 @@ jobs:
6262
db: [supabase]
6363

6464
env:
65-
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
66-
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
65+
CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }}
66+
CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }}
6767
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
6868
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
6969
# Job-level env, not a `.env` file: `dotenv/config` does not override an
@@ -78,9 +78,12 @@ jobs:
7878
CS_IT_DB_VARIANT: ${{ matrix.db }}
7979
# Scoped by directory, never by named file, so a renamed suite cannot
8080
# silently drop from CI. `integration/shared/` holds the adapter-agnostic
81-
# suites (harness, bloom, and the ope-term tripwire for THIS job's
82-
# `col->op` ordering path); the Drizzle suites talk to plain Postgres and
83-
# get their own job.
81+
# suites (harness, bloom, the ope-term tripwire for THIS job's `col->op`
82+
# ordering path, and the crypto/SQL matrices); the Drizzle suites talk to
83+
# plain Postgres and get their own job.
84+
#
85+
# `integration/identity/` runs on the Drizzle job (it needs Postgres +
86+
# Drizzle, not PostgREST), so it is intentionally not listed here.
8487
CS_IT_SUITE: >-
8588
integration/shared/**/*.integration.test.ts,
8689
integration/supabase/**/*.integration.test.ts
@@ -95,8 +98,8 @@ jobs:
9598
- name: Require CipherStash secrets
9699
uses: ./.github/actions/require-cs-secrets
97100
with:
98-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
99-
client-id: ${{ secrets.CS_CLIENT_ID }}
101+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
102+
client-id: ${{ vars.CS_CLIENT_ID }}
100103
client-key: ${{ secrets.CS_CLIENT_KEY }}
101104
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
102105

.github/workflows/prisma-example-readme-e2e.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -36,8 +36,8 @@ jobs:
3636
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
3737

3838
env:
39-
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
40-
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
39+
CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }}
40+
CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }}
4141
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
4242
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
4343

@@ -70,8 +70,8 @@ jobs:
7070
- name: Require CipherStash secrets
7171
uses: ./.github/actions/require-cs-secrets
7272
with:
73-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
74-
client-id: ${{ secrets.CS_CLIENT_ID }}
73+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
74+
client-id: ${{ vars.CS_CLIENT_ID }}
7575
client-key: ${{ secrets.CS_CLIENT_KEY }}
7676
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
7777

.github/workflows/prisma-next-e2e.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -38,8 +38,8 @@ jobs:
3838
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
3939

4040
env:
41-
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
42-
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
41+
CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }}
42+
CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }}
4343
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
4444
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
4545

@@ -73,8 +73,8 @@ jobs:
7373
- name: Require CipherStash secrets
7474
uses: ./.github/actions/require-cs-secrets
7575
with:
76-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
77-
client-id: ${{ secrets.CS_CLIENT_ID }}
76+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
77+
client-id: ${{ vars.CS_CLIENT_ID }}
7878
client-key: ${{ secrets.CS_CLIENT_KEY }}
7979
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
8080

@@ -89,8 +89,8 @@ jobs:
8989
run: |
9090
touch ./examples/prisma/.env
9191
echo "DATABASE_URL=postgres://cipherstash:cipherstash@localhost:54329/cipherstash_e2e" >> ./examples/prisma/.env
92-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./examples/prisma/.env
93-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./examples/prisma/.env
92+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./examples/prisma/.env
93+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./examples/prisma/.env
9494
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./examples/prisma/.env
9595
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./examples/prisma/.env
9696

.github/workflows/tests.yml

Lines changed: 26 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -64,8 +64,8 @@ jobs:
6464
- name: Require CipherStash secrets
6565
uses: ./.github/actions/require-cs-secrets
6666
with:
67-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
68-
client-id: ${{ secrets.CS_CLIENT_ID }}
67+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
68+
client-id: ${{ vars.CS_CLIENT_ID }}
6969
client-key: ${{ secrets.CS_CLIENT_KEY }}
7070
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
7171

@@ -97,34 +97,34 @@ jobs:
9797
- name: Create .env file in ./packages/protect/
9898
run: |
9999
touch ./packages/protect/.env
100-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/protect/.env
101-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/protect/.env
100+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/protect/.env
101+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/protect/.env
102102
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/protect/.env
103103
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/protect/.env
104104
echo "DATABASE_URL=postgres://cipherstash:password@localhost:5432/cipherstash" >> ./packages/protect/.env
105105
106106
- name: Create .env file in ./packages/stack/
107107
run: |
108108
touch ./packages/stack/.env
109-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/stack/.env
110-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/stack/.env
109+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/stack/.env
110+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/stack/.env
111111
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/stack/.env
112112
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/stack/.env
113113
echo "DATABASE_URL=postgres://cipherstash:password@localhost:5432/cipherstash" >> ./packages/stack/.env
114114
115115
- name: Create .env file in ./packages/protect-dynamodb/
116116
run: |
117117
touch ./packages/protect-dynamodb/.env
118-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/protect-dynamodb/.env
119-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/protect-dynamodb/.env
118+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/protect-dynamodb/.env
119+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/protect-dynamodb/.env
120120
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/protect-dynamodb/.env
121121
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/protect-dynamodb/.env
122122
123123
- name: Create .env file in ./packages/drizzle/
124124
run: |
125125
touch ./packages/drizzle/.env
126-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/drizzle/.env
127-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/drizzle/.env
126+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/drizzle/.env
127+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/drizzle/.env
128128
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/drizzle/.env
129129
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/drizzle/.env
130130
echo "DATABASE_URL=postgres://cipherstash:password@localhost:5432/cipherstash" >> ./packages/drizzle/.env
@@ -147,8 +147,8 @@ jobs:
147147
# are set. We expose them at the job level so the wizard subprocess
148148
# picks them up via `process.env`.
149149
env:
150-
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
151-
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
150+
CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }}
151+
CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }}
152152
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
153153
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
154154
CS_ZEROKMS_HOST: https://ap-southeast-2.aws.zerokms.cipherstashmanaged.net
@@ -183,8 +183,8 @@ jobs:
183183
- name: Require CipherStash secrets
184184
uses: ./.github/actions/require-cs-secrets
185185
with:
186-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
187-
client-id: ${{ secrets.CS_CLIENT_ID }}
186+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
187+
client-id: ${{ vars.CS_CLIENT_ID }}
188188
client-key: ${{ secrets.CS_CLIENT_KEY }}
189189
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
190190

@@ -211,8 +211,8 @@ jobs:
211211
# identity and region — the stack /wasm-inline config requires it and
212212
# derives the AccessKeyStrategy region from it.
213213
env:
214-
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
215-
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
214+
CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }}
215+
CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }}
216216
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
217217
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
218218

@@ -262,8 +262,8 @@ jobs:
262262
- name: Require CipherStash secrets
263263
uses: ./.github/actions/require-cs-secrets
264264
with:
265-
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
266-
client-id: ${{ secrets.CS_CLIENT_ID }}
265+
workspace-crn: ${{ vars.CS_WORKSPACE_CRN }}
266+
client-id: ${{ vars.CS_CLIENT_ID }}
267267
client-key: ${{ secrets.CS_CLIENT_KEY }}
268268
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
269269

@@ -317,34 +317,34 @@ jobs:
317317
- name: Create .env file in ./packages/protect/
318318
run: |
319319
touch ./packages/protect/.env
320-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/protect/.env
321-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/protect/.env
320+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/protect/.env
321+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/protect/.env
322322
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/protect/.env
323323
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/protect/.env
324324
echo "DATABASE_URL=postgres://cipherstash:password@localhost:5432/cipherstash" >> ./packages/protect/.env
325325
326326
- name: Create .env file in ./packages/stack/
327327
run: |
328328
touch ./packages/stack/.env
329-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/stack/.env
330-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/stack/.env
329+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/stack/.env
330+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/stack/.env
331331
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/stack/.env
332332
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/stack/.env
333333
echo "DATABASE_URL=postgres://cipherstash:password@localhost:5432/cipherstash" >> ./packages/stack/.env
334334
335335
- name: Create .env file in ./packages/protect-dynamodb/
336336
run: |
337337
touch ./packages/protect-dynamodb/.env
338-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/protect-dynamodb/.env
339-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/protect-dynamodb/.env
338+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/protect-dynamodb/.env
339+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/protect-dynamodb/.env
340340
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/protect-dynamodb/.env
341341
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/protect-dynamodb/.env
342342
343343
- name: Create .env file in ./packages/drizzle/
344344
run: |
345345
touch ./packages/drizzle/.env
346-
echo "CS_WORKSPACE_CRN=${{ secrets.CS_WORKSPACE_CRN }}" >> ./packages/drizzle/.env
347-
echo "CS_CLIENT_ID=${{ secrets.CS_CLIENT_ID }}" >> ./packages/drizzle/.env
346+
echo "CS_WORKSPACE_CRN=${{ vars.CS_WORKSPACE_CRN }}" >> ./packages/drizzle/.env
347+
echo "CS_CLIENT_ID=${{ vars.CS_CLIENT_ID }}" >> ./packages/drizzle/.env
348348
echo "CS_CLIENT_KEY=${{ secrets.CS_CLIENT_KEY }}" >> ./packages/drizzle/.env
349349
echo "CS_CLIENT_ACCESS_KEY=${{ secrets.CS_CLIENT_ACCESS_KEY }}" >> ./packages/drizzle/.env
350350
echo "DATABASE_URL=postgres://cipherstash:password@localhost:5432/cipherstash" >> ./packages/drizzle/.env
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
import { afterEach, describe, expect, it } from 'vitest'
2+
import { clerkJwtProvider } from '../integration/helpers/clerk'
3+
4+
/**
5+
* `clerkJwtProvider`'s "FAIL rather than skip" guard is the load-bearing half of
6+
* the identity suites' no-silent-skip contract: if it were ever weakened to a
7+
* skip or a silent `undefined`, the entire identity suite would go dark while CI
8+
* stayed green. The throw is pure logic — it fires before `createClerkClient`,
9+
* so it needs no live Clerk and belongs here in the credential-free unit suite
10+
* rather than the integration config (which only globs `*.integration.test.ts`).
11+
*/
12+
describe('clerkJwtProvider', () => {
13+
const saved = process.env.CLERK_MACHINE_TOKEN
14+
const savedB = process.env.CLERK_MACHINE_TOKEN_B
15+
afterEach(() => {
16+
if (saved === undefined) delete process.env.CLERK_MACHINE_TOKEN
17+
else process.env.CLERK_MACHINE_TOKEN = saved
18+
if (savedB === undefined) delete process.env.CLERK_MACHINE_TOKEN_B
19+
else process.env.CLERK_MACHINE_TOKEN_B = savedB
20+
})
21+
22+
it('throws (does not skip) when the default machine token env var is unset', () => {
23+
delete process.env.CLERK_MACHINE_TOKEN
24+
expect(() => clerkJwtProvider()).toThrow(/missing CLERK_MACHINE_TOKEN/)
25+
})
26+
27+
it('names the custom env var it was handed', () => {
28+
delete process.env.CLERK_MACHINE_TOKEN_B
29+
expect(() => clerkJwtProvider('CLERK_MACHINE_TOKEN_B')).toThrow(
30+
/CLERK_MACHINE_TOKEN_B/,
31+
)
32+
})
33+
})

0 commit comments

Comments
 (0)