FixVibe

// docs / baas security / clerk hardening

Akwụkwọ ndepụta nchekwa Clerk: ihe 20

Clerk na-elekọta njirimara, oge, na nzukọ maka ngwa gị — nke pụtara na nlikọta Clerk ahaziri adịghị mma bụ ngafe njirimara, ihe nrụgharị oge, ma ọ bụ ụzọ mgbapụ nzukọ. Akwụkwọ ndepụta a bụ nyocha ihe 20 gafee igodo, nhazi oge, webhooks, nzukọ, ụdị JWT, na nleba anya na-aga n'ihu. Ngwa ihe nkuzi koodu AI na-ahazi Clerk ngwa ngwa nwere ndabara dabara adaba; ndepụta a na-ejide ihe ha hapụrụ na tebụl.

Maka ndabere n'ihi na nhazi adịghị mma ahịrị njirimara bụ ọnọdụ adịghị ike ngwá ọrụ AI, hụ Ihe kpatara ngwa ihe nkuzi koodu AI na-ahapụ oghere nchekwa. Maka akwụkwọ ndepụta yiri na Auth0, hụ Akwụkwọ ndepụta nchekwa Auth0.

Igodo gburugburu na ndepụta okwukwe isi mmalite

Clerk na-enye igodo abụọ dị iche kwa ọrụ. Ịgwakọta ha ma ọ bụ izipụ ha bụ ụzọ ọdịda mbụ.

  1. Jiri igodo nbipụta (pk_live_* na mmepụta, pk_test_* na mmepe) na nchọgharị; jiri igodo nzuzo (sk_live_* / sk_test_*) naanị na sava. Igodo nbipụta dị mma na NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY; igodo nzuzo aghaghị ighara ibu prefiks env ọha ma ghara ipụta n'ime akụrụngwa onye ahịa.
  2. Kwado na ngwa mmepụta na-eji pk_live_*, ọ bụghị pk_test_*. Ọrụ ule na-enye ohere adreesị email enweghị nkwado na MFA gbanyụrụ — ịziga ọnọdụ ule na mmepụta bụ ngafe njirimara.
  3. Hazie isi mmalite enyere ohere na Clerk Dashboard. Ntọala → Ngalaba → Isi mmalite enyere ohere aghaghị ịdepụta ngalaba mmepụta gị kpọmkwem. Ndepụta isi mmalite efu ma ọ bụ wildcard na-enye ndị na-awakpo ohere imepụta nchọgharị Clerk ọjọọ na-akpọrịta okwu na sava gị.
  4. Gbanwee igodo nzuzo na ọpụpụ ọ bụla ma ọ bụ nzuzo enyo. Dashboard → Igodo API → Tọgharịa. Igodo ochie ka enweghị; bugharịa koodu akụkụ-sava nwere uru ọhụrụ tupu ịgbanwe.

Nhazi oge

Njedebe oge na njedebe enweghị ihe omume bụ ọdịiche n'etiti oge zuru ohi ịbụ ihe nkeji 10 na ụbọchị 30.

  1. Tọọ njedebe enweghị ihe omume oge ka ọ bụrụ nkeji 30 ma ọ bụ ihe na-erughị nke ahụ maka ngwa SaaS na-elekọta data dị nro. Dashboard → Oge → Njedebe enweghị ihe omume. Ngwa ọkwa banki kwesịrị iji nkeji 5-10; SaaS ọkọlọtọ nkeji 30-60; ngwa onye ahịa ụbọchị 1-7. Ndabara bụ ụbọchị 7.
  2. Mee ka mwepu oge dị na mgbanwe okwuntughe, mgbanwe email, na ndebanye aha MFA. Dashboard → Oge → Wepu na. Ndị a bụ ihe omume nchekwa onye ọrụ malitere; oge dị adị na ngwaọrụ ndị ọzọ kwesịrị igbu.
  3. Kwado oge n'akụkụ sava na ụzọ echekwara ọ bụla, ọ bụghị naanị na nbata. Na Next.js: const { userId } = await auth(); n'akụkụ sava / ụzọ API na-agụ JWT na kuki ma kwado ya. Atụkwasịkwala obi na nyocha kuki naanị.
  4. Tọọ SameSite=Lax (ndabara) ma ọ bụ Strict na kuki oge. Kwado na DevTools → Ngwa → Kuki. SameSite=None bụ ụzọ CSRF — ejila ya ma ọ bụrụ na ahaziela nrụnye njirimara gafee ngalaba doro anya.

Nkwado webhook

Webhook Clerk na-agba na ihe omume ndụ onye ọrụ (mepụtara, melitere, hichapụrụ, session.kwụsịrị). Ha bụ usoro mmekọrịta maka ọdụ data gị — na webhook emebiri emebi bụ ihe ide ọdụ data.

  1. Kwado mbịanye aka Svix na webhook ọ bụla. Webhook Clerk na-abịanye aka Svix. Jiri new Webhook(secret).verify(body, headers). Jụ na 401 ma ọ bụrụ na nkwado adaa.
  2. Debe nzuzo webhook na mgbanwe gburugburu, ọ dịghị mgbe na koodu. Nzuzo na-agbanwe na mgbanwe Dashboard ọ bụla — nrụnye gị aghaghị ịgụ ya na env, ọ bụghị na ihe ka.
  3. Idempotency na onye nchịkwa ọ bụla. Nbubata webhook nwere ike ime ọzọ. Jiri isi svix-id dị ka igodo bụ isi na tebụl webhook_events iji dechie. Mechie mgbanwe steeti na ntinye idempotency n'otu azụmahịa.
  4. Na user.deleted, hichapụ siri ike ma ọ bụ mee enweghị aha PII n'ime awa 24. GDPR / CCPA na-achọ ya. Nyochaa ụzọ mkpochapụ: kedụ tebụl na-edebe data onye ọrụ a? Jiri FK ON DELETE CASCADE ebe ị nwere ike.

Nzukọ na ikike

Ọ bụrụ na ị na-eji Nzukọ Clerk, oke nzukọ bụ nkewa onye ọkụ obibi. Ajụjụ ọdụ data ọ bụla n'akụkụ sava aghaghị ịnyocha site na ya.

  1. Na ụzọ API ọ bụla, gụọ ma userId ma orgId na auth() ma nyochaa ajụjụ ọdụ data site na ha abụọ. WHERE org_id = $orgId AND user_id = $userId. Atụkwasịkwala obi org_id na ahụ arịrịọ.
  2. <strong>Use Clerk role checks for privileged operations, not boolean checks against the user object.</strong> <code>has({ role: 'org:admin' })</code> reads the role from the verified JWT. A user can spoof a boolean on a stale client object; they cannot spoof a JWT claim.
  3. Nwalee ohere ọtụtụ-nzukọ na akaụntụ nzukọ abụọ n'ezie. Mepụta Nzukọ A, mejupụta data, banye na Nzukọ B na nchọgharị ọzọ, gbalịa ịgụ data Nzukọ A site na API. Azịza aghaghị ịbụ 403 ma ọ bụ 404.

Ụdị JWT na njikọta èzí

Ụdị JWT na-akwanye njirimara Clerk n'ime Supabase, Firebase, na ọrụ ndị ọzọ. Ụdị ahaziri adịghị mma na-ekekọrịta mkpebi karịa ma ọ bụ na-ekpughe data ị na-achọghị.

  1. Maka ụdị JWT ọ bụla, depụta mkpebi ọ bụla ma kwado na ọ dị mkpa. Dashboard → Ụdị JWT. Ụdị na-eziga email na phone na Supabase na-ekpughere PII na onye ọ bụla na-agụ JWT na nchọgharị.
  2. Tọọ njedebe dị mkpụmkpụ na ụdị JWT eji maka ọkpụkpọ akụkụ-onye ahịa. Sekọnd 60 maka arịrịọ API n'akụkụ na-akwado ọkọlọtọ. JWT na-ebi ogologo oge ka ezuru ohi ma kpọghachie ya.
  3. Kwado mkpebi ndị na-ege ntị (aud) n'akụkụ nke na-anata. Supabase, Firebase, wdg. kwesịrị ile ma aud dabara na njirimara ọrụ a tụrụ anya. Na-enweghị nke a, JWT enyere maka ọrụ A nwere ike inye njirimara na ọrụ B.

Nleba anya ọrụ

Njirimara bụ isi mmalite ndekọ kacha elu ị nwere. Lelee ya.

  1. Mee mkpu na nrụ mbata gbagọrọ agbagọ na IP / na akaụntụ. Ọnụego ọdịda 50× ọnụego nkịtị bụ mwakpo nke njide nzuzo. Clerk na-eziga ihe omume ndị a na webhooks; banye na SIEM gị.
  2. Nyocha kwa ọnwa atọ nke ntọala oge na ntọala mmewere. Ndabara na-agbanwe ka Clerk na-emelite; "nhazi ochie" na-aghọ na-ezighi ezi ka oge na-aga. Ntụnyere mbupụ JSON Dashboard megide nke ọma-mara gị ikpeazụ.

Nzọụkwụ na-esote

Gbaa nyocha FixVibe megide URL mmepụta gị — nyocha baas.clerk-auth0 na-akọ igodo nbipụta Clerk, igodo ule na mmepụta, na igodo nzuzo etinyere. Maka akwụkwọ ndepụta yiri na Auth0, hụ Akwụkwọ ndepụta nchekwa Auth0. Maka echiche zuru ezu gafee ndị na-eweta BaaS, gụọ Sikana nhazi adịghị mma BaaS.

// nyochaa elu BaaS gị

Chọta tebụl mepere emepe tupu mmadụ ọzọ achọta ya.

Tinye URL mmepụta. FixVibe na-edepụta ndị na-eweta BaaS nke ngwa gị na-akpọrịta okwu, na-akara akara ya nke ọha, ma na-akọ ihe onye ahịa na-enweghị nkwenye nwere ike ịgụ ma ọ bụ dee. Efu, enweghị ntinye, enweghị kaadị.

  • Ọkwa efu — nyocha 3 / ọnwa, enweghị kaadị edebanye aha.
  • Akara akara BaaS na-anaghị eme ihe — enweghị mkpa nkwenye ngalaba.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, na ndị ọzọ.
  • Ntugharị ndozi AI na nchọpụta ọ bụla — gbanye azụ na Cursor / Claude Code.
Gbaa nyocha BaaS efu

enweghị mkpa edebanye aha

Akwụkwọ ndepụta nchekwa Clerk: ihe 20 — Docs · FixVibe