FixVibe


Clerk security checklist: 20 items

Clerk handles auth, sessions, and organizations for your app, which means a misconfigured Clerk integration is an auth bypass, a session-fixation primitive, or an org-leak path. This is a 20-item checklist covering keys, session settings, webhooks, organizations, JWT templates, and ongoing monitoring. AI coding tools wire Clerk in fast with sensible defaults; this list catches what they leave on the table.

For background on why auth-domain misconfiguration is the AI-tooling problem, see Why AI coding tools leave security gaps. For the matching checklist on Auth0, see Auth0 security checklist.

Environment keys and the allowed-origins list

Clerk issues two distinct keys per instance. Mixing them up or leaking them is the first failure mode.

  1. Use the publishable key (pk_live_* in production, pk_test_* in dev) in the browser; use the secret key (sk_live_* / sk_test_*) server-side only. The publishable key is safe in NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY; the secret key must never carry a public env prefix and must never appear in a client component.
  2. Confirm the production app uses pk_live_*, not pk_test_*. Test instances allow unverified email addresses and have MFA disabled; shipping a test instance to production is an auth bypass.
  3. Set allowed origins in the Clerk Dashboard. Settings → Domains → Allowed origins must list your production domain exactly. An empty or wildcard origin list lets attackers stand up malicious Clerk frontends that talk to your backend.
  4. Rotate the secret key on every departure or suspected leak. Dashboard → API Keys → Reset. The old key is revoked; redeploy server-side code with the new value before you rotate.

Session settings

Session expiry and idle timeout are the difference between a stolen session being a 10-minute problem and a 30-day one.

  1. Set the session inactivity timeout to 30 minutes or less for SaaS apps that handle sensitive data. Dashboard → Sessions → Inactivity timeout. Bank-grade apps should use 5-10 minutes; everyday SaaS 30-60 minutes; consumer apps 1-7 days. The default is 7 days.
  2. Enable session revocation on password change, email change, and MFA enrollment. Dashboard → Sessions → Revoke on. These are user-initiated security events; sessions that exist on other devices should be killed.
  3. Verify the session server-side on every protected route, not only at sign-in. In Next.js, const { userId } = await auth(); in a server component or API route reads the JWT from the cookie and verifies it. Never trust a check that only looks for the presence of the cookie.
  4. Set SameSite=Lax (the default) or Strict on the session cookie. Verify it in DevTools → Application → Cookies. SameSite=None is a CSRF primitive; never use it unless you have explicitly configured a cross-domain auth setup.

Webhook verification

Clerk webhooks fire on user lifecycle events (created, updated, deleted, session.ended). They are the sync path into your database, and the created webhook is a database-write primitive.

  1. Verify the Svix signature on every webhook. Clerk webhooks are signed through Svix. Use new Webhook(secret).verify(body, headers). Reject with 401 if verification fails.
  2. Store the webhook secret in an environment variable, never in code. The secret rotates on every Dashboard regeneration; your deployment must read it from the environment, not from a hardcoded value.
  3. Idempotency on every handler. Webhook delivery can repeat. Use the svix-id header as the primary key in a webhook_events table to dedupe. Wrap the state change and the idempotency insert in the same transaction.
  4. On user.deleted, hard-delete or anonymize PII within 24 hours. GDPR / CCPA require it. Audit the deletion path: which tables hold this user's data? Use FK ON DELETE CASCADE where you can.

Organizations and permissions

If you use Clerk Organizations, the org boundary is your tenant isolation. Every server-side database query must filter by it.

  1. On every API route, read both userId and orgId from auth() and filter database queries by both: WHERE org_id = $orgId AND user_id = $userId. Never trust org_id from the request body.
  2. Use Clerk role checks for privileged operations, not boolean checks against the user object. has({ role: 'org:admin' }) reads the role from the verified JWT. A user can spoof a boolean on a stale client object; they cannot spoof a JWT claim.
  3. Test cross-org isolation with two real org accounts. Create Org A, populate data, sign in to Org B in another browser, and try to read Org A's data through the API. The response must be 403 or 404.

JWT templates and external integrations

JWT templates push Clerk identity to Supabase, Firebase, and other downstream services. A misconfigured template over-shares claims or exposes data you did not intend to.

  1. For every JWT template, list every claim and confirm it is needed. Dashboard → JWT Templates. A template that sends email and phone to Supabase exposes that PII to anyone who can read the JWT in the browser.
  2. Set a short expiry on JWT templates used for client-side downstream calls. 60 seconds for downstream API requests is the baseline. Long-lived JWTs get stolen and replayed.
  3. Verify the audience (aud) claim on the receiving side. Supabase, Firebase, and the rest should check that aud matches the expected service identifier. Without this, a JWT issued for service A can validate against service B.

Operational monitoring

Auth is the highest-signal log source you have. Watch it.

  1. Alert on login-failure spikes per IP and per account. A rate 50× normal is a credential-stuffing attack. Clerk emits these events to webhooks; forward them to your SIEM.
  2. Review session settings and instance drift quarterly. Defaults shift as Clerk updates, and "old settings" quietly become wrong over time. Diff the Dashboard JSON export against your known-good copy.
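An added example (not Clerk's or FixVibe's code) of the alert in item 1, run over constructed sign-in events rather than real Clerk webhook payloads: failures are bucketed per IP and per account into five-minute windows, and a key alerts when the current window holds 50× its baseline. The event shape ({ ts, ip, account, outcome }) and the documentation-range IPs are constructed for the example.

```javascript
const SPIKE_FACTOR = 50; // the checklist's threshold: 50x the normal failure rate

// Bucket failed sign-ins per key value into windows: index 0 is the current window,
// indexes 1..baselineWindows are the history used to estimate "normal".
function bucketFailures(events, key, { now, windowSeconds, baselineWindows }) {
  const buckets = new Map();
  for (const e of events) {
    if (e.outcome !== 'failure') continue;
    const idx = Math.floor((now - e.ts) / windowSeconds);
    if (idx < 0 || idx > baselineWindows) continue;
    if (!buckets.has(e[key])) buckets.set(e[key], new Array(baselineWindows + 1).fill(0));
    buckets.get(e[key])[idx] += 1;
  }
  return buckets;
}

// Returns one alert per (key, value) whose current-window failures reach SPIKE_FACTOR x baseline.
function detectSpikes(events, { now, windowSeconds = 300, baselineWindows = 12, keys = ['ip', 'account'] }) {
  const alerts = [];
  for (const key of keys) {
    for (const [value, counts] of bucketFailures(events, key, { now, windowSeconds, baselineWindows })) {
      const current = counts[0];
      const baseline = counts.slice(1).reduce((a, b) => a + b, 0) / baselineWindows;
      // Floor the baseline at one failure per window so a never-seen IP or account still
      // needs real volume (50 failures in five minutes) before it pages anyone.
      if (current >= Math.max(baseline, 1) * SPIKE_FACTOR) alerts.push({ key, value, current, baseline });
    }
  }
  return alerts;
}

// Constructed sample (documentation-range IPs): one IP spraying sixty accounts in the current
// window on top of a quiet one-failure-per-window history, plus an unrelated user typo.
function sampleEvents(now) {
  const events = [];
  for (let w = 1; w <= 12; w++) {
    events.push({ ts: now - w * 300 - 30, ip: '203.0.113.7', account: `user${w}@example.test`, outcome: 'failure' });
  }
  for (let i = 0; i < 60; i++) {
    events.push({ ts: now - i, ip: '203.0.113.7', account: `victim${i}@example.test`, outcome: 'failure' });
  }
  events.push({ ts: now - 10, ip: '198.51.100.4', account: 'alice@example.test', outcome: 'failure' });
  events.push({ ts: now - 5, ip: '198.51.100.4', account: 'alice@example.test', outcome: 'success' });
  return events;
}
```

Because the spraying IP spreads its attempts over sixty accounts, only the per-IP key crosses the threshold; the per-account key stays quiet, which is why item 1 asks for both.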

Next steps

Run the FixVibe scan on your production URL: the baas.clerk-auth0 check flags Clerk publishable keys, test keys in production, and embedded secret keys. For the matching checklist on Auth0, see Auth0 security checklist. For the umbrella view across BaaS providers, read The BaaS misconfiguration scanner.

// scan your BaaS surface

Find the open table before someone else does.

Paste a production URL. FixVibe enumerates the BaaS providers your app talks to, fingerprints their public endpoints, and reports what an unauthenticated client can read or write. Free, no login, no card.

  • Free tier: 3 scans / month, no card to sign up.
  • Passive BaaS fingerprinting: no credentials required.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix instructions on every finding: paste back into Cursor / Claude Code.