feat(astro): Add support for keyless mode

Author: wobsoriano

packages/astro/src/env.d.ts

@@ -20,6 +20,9 @@ interface InternalEnv {
   readonly PUBLIC_CLERK_SIGN_UP_URL?: string;
   readonly PUBLIC_CLERK_TELEMETRY_DISABLED?: string;
   readonly PUBLIC_CLERK_TELEMETRY_DEBUG?: string;
+  readonly PUBLIC_CLERK_KEYLESS_CLAIM_URL?: string;
+  readonly PUBLIC_CLERK_KEYLESS_API_KEYS_URL?: string;
+  readonly PUBLIC_CLERK_KEYLESS_DISABLED?: string;
 }
 
 interface ImportMeta {

packages/astro/src/integration/create-integration.ts

@@ -3,6 +3,7 @@ import type { AstroIntegration } from 'astro';
 import { envField } from 'astro/config';
 
 import { name as packageName, version as packageVersion } from '../../package.json';
+import { resolveKeysWithKeylessFallback } from '../server/keyless/utils';
 import type { AstroClerkIntegrationParams } from '../types';
 import { vitePluginAstroConfig } from './vite-plugin-astro-config';
 
@@ -26,17 +27,36 @@ function createIntegration<Params extends HotloadAstroClerkIntegrationParams>()
     return {
       name: '@clerk/astro/integration',
       hooks: {
-        'astro:config:setup': ({ config, injectScript, updateConfig, logger, command }) => {
+        'astro:config:setup': async ({ config, injectScript, updateConfig, logger, command }) => {
           if (['server', 'hybrid'].includes(config.output) && !config.adapter) {
             logger.error('Missing adapter, please update your Astro config to use one.');
           }
 
+          const envPublishableKey = process.env.PUBLIC_CLERK_PUBLISHABLE_KEY;
+          const envSecretKey = process.env.CLERK_SECRET_KEY;
+
+          const isDev = command === 'dev';
+          let resolvedKeys = {
+            publishableKey: envPublishableKey,
+            secretKey: envSecretKey,
+            claimUrl: undefined as string | undefined,
+            apiKeysUrl: undefined as string | undefined,
+          };
+
+          if (isDev) {
+            try {
+              resolvedKeys = await resolveKeysWithKeylessFallback(envPublishableKey, envSecretKey);
+            } catch {
+              logger.warn('Keyless mode initialization failed, using configured keys');
+            }
+          }
+
           const internalParams: ClerkOptions = {
             ...params,
             sdkMetadata: {
               version: packageVersion,
               name: packageName,
-              environment: command === 'dev' ? 'development' : 'production',
+              environment: isDev ? 'development' : 'production',
             },
           };
 
@@ -58,6 +78,10 @@ function createIntegration<Params extends HotloadAstroClerkIntegrationParams>()
                 ...buildEnvVarFromOption(clerkJSUrl, 'PUBLIC_CLERK_JS_URL'),
                 ...buildEnvVarFromOption(clerkJSVersion, 'PUBLIC_CLERK_JS_VERSION'),
                 ...buildEnvVarFromOption(prefetchUI === false ? 'false' : undefined, 'PUBLIC_CLERK_PREFETCH_UI'),
+                ...buildEnvVarFromOption(resolvedKeys.publishableKey, 'PUBLIC_CLERK_PUBLISHABLE_KEY'),
+                ...buildEnvVarFromOption(resolvedKeys.secretKey, 'CLERK_SECRET_KEY'),
+                ...buildEnvVarFromOption(resolvedKeys.claimUrl, 'PUBLIC_CLERK_KEYLESS_CLAIM_URL'),
+                ...buildEnvVarFromOption(resolvedKeys.apiKeysUrl, 'PUBLIC_CLERK_KEYLESS_API_KEYS_URL'),
               },
 
               ssr: {
@@ -157,7 +181,7 @@ function createIntegration<Params extends HotloadAstroClerkIntegrationParams>()
 
 function createClerkEnvSchema() {
   return {
-    PUBLIC_CLERK_PUBLISHABLE_KEY: envField.string({ context: 'client', access: 'public' }),
+    PUBLIC_CLERK_PUBLISHABLE_KEY: envField.string({ context: 'client', access: 'public', optional: true }),
     PUBLIC_CLERK_SIGN_IN_URL: envField.string({ context: 'client', access: 'public', optional: true }),
     PUBLIC_CLERK_SIGN_UP_URL: envField.string({ context: 'client', access: 'public', optional: true }),
     PUBLIC_CLERK_IS_SATELLITE: envField.boolean({ context: 'client', access: 'public', optional: true }),
@@ -169,7 +193,20 @@ function createClerkEnvSchema() {
     PUBLIC_CLERK_UI_URL: envField.string({ context: 'client', access: 'public', optional: true, url: true }),
     PUBLIC_CLERK_TELEMETRY_DISABLED: envField.boolean({ context: 'client', access: 'public', optional: true }),
     PUBLIC_CLERK_TELEMETRY_DEBUG: envField.boolean({ context: 'client', access: 'public', optional: true }),
-    CLERK_SECRET_KEY: envField.string({ context: 'server', access: 'secret' }),
+    PUBLIC_CLERK_KEYLESS_CLAIM_URL: envField.string({
+      context: 'client',
+      access: 'public',
+      optional: true,
+      url: true,
+    }),
+    PUBLIC_CLERK_KEYLESS_API_KEYS_URL: envField.string({
+      context: 'client',
+      access: 'public',
+      optional: true,
+      url: true,
+    }),
+    PUBLIC_CLERK_KEYLESS_DISABLED: envField.boolean({ context: 'client', access: 'public', optional: true }),
+    CLERK_SECRET_KEY: envField.string({ context: 'server', access: 'secret', optional: true }),
     CLERK_MACHINE_SECRET_KEY: envField.string({ context: 'server', access: 'secret', optional: true }),
     CLERK_JWT_KEY: envField.string({ context: 'server', access: 'secret', optional: true }),
   };

packages/astro/src/internal/create-clerk-instance.ts

@@ -54,12 +54,17 @@ async function createClerkInstanceInternal<TUi extends Ui = Ui>(options?: AstroC
     $clerk.set(clerkJSInstance);
   }
 
+  const keylessClaimUrl = (options as any)?.__internal_keylessClaimUrl;
+  const keylessApiKeysUrl = (options as any)?.__internal_keylessApiKeysUrl;
+
   const clerkOptions = {
     routerPush: createNavigationHandler(window.history.pushState.bind(window.history)),
     routerReplace: createNavigationHandler(window.history.replaceState.bind(window.history)),
     ...options,
     // Pass the clerk-ui constructor promise to clerk.load()
     clerkUICtor,
+    ...(keylessClaimUrl && { __internal_keyless_claimKeylessApplicationUrl: keylessClaimUrl }),
+    ...(keylessApiKeysUrl && { __internal_keyless_copyInstanceKeysUrl: keylessApiKeysUrl }),
   } as unknown as ClerkOptions;
 
   initOptions = clerkOptions;

packages/astro/src/internal/merge-env-vars-with-params.ts

@@ -56,6 +56,8 @@ const mergeEnvVarsWithParams = (params?: AstroClerkIntegrationParams & { publish
       disabled: isTruthy(import.meta.env.PUBLIC_CLERK_TELEMETRY_DISABLED),
       debug: isTruthy(import.meta.env.PUBLIC_CLERK_TELEMETRY_DEBUG),
     },
+    __internal_keylessClaimUrl: import.meta.env.PUBLIC_CLERK_KEYLESS_CLAIM_URL,
+    __internal_keylessApiKeysUrl: import.meta.env.PUBLIC_CLERK_KEYLESS_API_KEYS_URL,
     ...rest,
   };
 };

packages/astro/src/server/get-safe-env.ts

@@ -38,6 +38,8 @@ function getSafeEnv(context: ContextOrLocals) {
     apiUrl: getContextEnvVar('CLERK_API_URL', context),
     telemetryDisabled: isTruthy(getContextEnvVar('PUBLIC_CLERK_TELEMETRY_DISABLED', context)),
     telemetryDebug: isTruthy(getContextEnvVar('PUBLIC_CLERK_TELEMETRY_DEBUG', context)),
+    keylessClaimUrl: getContextEnvVar('PUBLIC_CLERK_KEYLESS_CLAIM_URL', context),
+    keylessApiKeysUrl: getContextEnvVar('PUBLIC_CLERK_KEYLESS_API_KEYS_URL', context),
   };
 }
 
@@ -55,6 +57,8 @@ function getClientSafeEnv(context: ContextOrLocals) {
     proxyUrl: getContextEnvVar('PUBLIC_CLERK_PROXY_URL', context),
     signInUrl: getContextEnvVar('PUBLIC_CLERK_SIGN_IN_URL', context),
     signUpUrl: getContextEnvVar('PUBLIC_CLERK_SIGN_UP_URL', context),
+    keylessClaimUrl: getContextEnvVar('PUBLIC_CLERK_KEYLESS_CLAIM_URL', context),
+    keylessApiKeysUrl: getContextEnvVar('PUBLIC_CLERK_KEYLESS_API_KEYS_URL', context),
   };
 }
 

packages/astro/src/server/keyless/file-storage.ts

@@ -0,0 +1,20 @@
+import type { KeylessStorage } from '@clerk/shared/keyless';
+
+export type { KeylessStorage };
+
+export interface FileStorageOptions {
+  cwd?: () => string;
+}
+
+export async function createFileStorage(options: FileStorageOptions = {}): Promise<KeylessStorage> {
+  const { cwd = () => process.cwd() } = options;
+
+  const [{ default: fs }, { default: path }] = await Promise.all([import('node:fs'), import('node:path')]);
+
+  const { createNodeFileStorage } = await import('@clerk/shared/keyless');
+
+  return createNodeFileStorage(fs, path, {
+    cwd,
+    frameworkPackageName: '@clerk/astro',
+  });
+}

packages/astro/src/server/keyless/index.ts

@@ -0,0 +1,51 @@
+import { createKeylessService } from '@clerk/shared/keyless';
+import type { APIContext } from 'astro';
+
+import { clerkClient } from '../clerk-client';
+import { createFileStorage } from './file-storage.js';
+
+let keylessServiceInstance: ReturnType<typeof createKeylessService> | null = null;
+
+export async function keyless() {
+  if (!keylessServiceInstance) {
+    const storage = await createFileStorage();
+
+    keylessServiceInstance = createKeylessService({
+      storage,
+      api: {
+        async createAccountlessApplication(requestHeaders?: Headers) {
+          try {
+            const mockContext = {
+              locals: { runtime: { env: {} } },
+            } as unknown as APIContext;
+
+            return await clerkClient(mockContext).__experimental_accountlessApplications.createAccountlessApplication({
+              requestHeaders,
+            });
+          } catch {
+            return null;
+          }
+        },
+        async completeOnboarding(requestHeaders?: Headers) {
+          try {
+            const mockContext = {
+              locals: { runtime: { env: {} } },
+            } as unknown as APIContext;
+
+            return await clerkClient(
+              mockContext,
+            ).__experimental_accountlessApplications.completeAccountlessApplicationOnboarding({
+              requestHeaders,
+            });
+          } catch {
+            return null;
+          }
+        },
+      },
+      framework: '@clerk/astro',
+      frameworkVersion: PACKAGE_VERSION,
+    });
+  }
+
+  return keylessServiceInstance;
+}

packages/astro/src/server/keyless/utils.ts

@@ -0,0 +1,68 @@
+import type { AccountlessApplication } from '@clerk/shared/keyless';
+import { clerkDevelopmentCache, createConfirmationMessage, createKeylessModeMessage } from '@clerk/shared/keyless';
+
+import { canUseKeyless } from '../../utils/feature-flags';
+import { keyless } from './index';
+
+export interface KeylessResult {
+  publishableKey: string | undefined;
+  secretKey: string | undefined;
+  claimUrl: string | undefined;
+  apiKeysUrl: string | undefined;
+}
+
+export async function resolveKeysWithKeylessFallback(
+  configuredPublishableKey: string | undefined,
+  configuredSecretKey: string | undefined,
+): Promise<KeylessResult> {
+  let publishableKey = configuredPublishableKey;
+  let secretKey = configuredSecretKey;
+  let claimUrl: string | undefined;
+  let apiKeysUrl: string | undefined;
+
+  if (!canUseKeyless) {
+    return { publishableKey, secretKey, claimUrl, apiKeysUrl };
+  }
+
+  const keylessService = await keyless();
+  const locallyStoredKeys = keylessService.readKeys();
+
+  const runningWithClaimedKeys =
+    Boolean(configuredPublishableKey) && configuredPublishableKey === locallyStoredKeys?.publishableKey;
+
+  if (runningWithClaimedKeys && locallyStoredKeys) {
+    try {
+      await clerkDevelopmentCache?.run(() => keylessService.completeOnboarding(), {
+        cacheKey: `${locallyStoredKeys.publishableKey}_complete`,
+        onSuccessStale: 24 * 60 * 60 * 1000,
+      });
+    } catch {
+      // noop
+    }
+
+    clerkDevelopmentCache?.log({
+      cacheKey: `${locallyStoredKeys.publishableKey}_claimed`,
+      msg: createConfirmationMessage(),
+    });
+
+    return { publishableKey, secretKey, claimUrl, apiKeysUrl };
+  }
+
+  if (!publishableKey && !secretKey) {
+    const keylessApp: AccountlessApplication | null = await keylessService.getOrCreateKeys();
+
+    if (keylessApp) {
+      publishableKey = keylessApp.publishableKey;
+      secretKey = keylessApp.secretKey;
+      claimUrl = keylessApp.claimUrl;
+      apiKeysUrl = keylessApp.apiKeysUrl;
+
+      clerkDevelopmentCache?.log({
+        cacheKey: keylessApp.publishableKey,
+        msg: createKeylessModeMessage(keylessApp),
+      });
+    }
+  }
+
+  return { publishableKey, secretKey, claimUrl, apiKeysUrl };
+}

packages/astro/src/utils/feature-flags.ts

@@ -0,0 +1,17 @@
+import { isTruthy } from '@clerk/shared/underscore';
+import { isDevelopmentEnvironment } from '@clerk/shared/utils';
+
+function hasFileSystemSupport(): boolean {
+  if (typeof process === 'undefined' || !process?.versions?.node) {
+    return false;
+  }
+  if (typeof window !== 'undefined') {
+    return false;
+  }
+  return true;
+}
+
+const KEYLESS_DISABLED =
+  isTruthy(import.meta.env.PUBLIC_CLERK_KEYLESS_DISABLED) || isTruthy(import.meta.env.CLERK_KEYLESS_DISABLED) || false;
+
+export const canUseKeyless = isDevelopmentEnvironment() && !KEYLESS_DISABLED && hasFileSystemSupport();