Skip to main content
Docs

Locals

Through Astro locals, Clerk's AuthClerk Icon and current UserClerk Icon objects can be accessed between middlewares and pages. These locals are injected when you configure the provided middlewareAstro Icon.

locals.auth()

Astro.locals.auth() returns an Auth object. This JavaScript object contains important information like session data, your user's ID, as well as the ID of the . Learn more about the Auth object hereClerk Icon.

locals.auth() options

  • Name
    opts?
    Type
    {acceptsToken: TokenType, treatPendingAsSignedOut: boolean }
    Description

    An optional object that can be used to configure the behavior of the locals.auth() function. It accepts the following properties:

    • acceptsToken?: The type of authentication token(s) to accept. Valid values are:

      • 'session_token' - authenticates a user session.
      • 'oauth_token' - authenticates a machine request using OAuth.
      • 'm2m_token' - authenticates a machine to machine request.
      • 'api_key' - authenticates a machine request using API keys.

      Can be set to:

      • A single token type.
      • An array of token types.
      • 'any' to accept all available token types.

      Defaults to 'session_token'.

    • treatPendingAsSignedOut?: A boolean that indicates whether to treat pending session statusJavaScript Icon as signed out. Defaults to true.

Example: Protect a page or form

You can use the isAuthenticated property from the auth() local to protect your pages and forms.

src/pages/protected.astro
---
const { isAuthenticated, userId, redirectToSignIn } = Astro.locals.auth()

if (!isAuthenticated) {
  return redirectToSignIn()
}
---

<div>Protected page</div>
src/pages/form.astro
---
if (Astro.request.method === 'POST') {
  if (!Astro.locals.auth().isAuthenticated) {
    throw new Error('You must be signed in to add an item to your cart')
  }

  const data = await Astro.request.formData()
  console.log('add item action', data)
}
---

<form method="POST">
  <input value="test" type="text" name="name" />
  <button type="submit">Add to Cart</button>
</form>

Example: Protect a route based on token type

The following example uses locals.auth() to protect the route based on token type:

  • It accepts any token type (acceptsToken: 'any') from the request.
  • If the token is a session_token, it logs that the request is from a user session.
  • Otherwise, it logs that the request uses a machine token and specifies its type.
export const GET: APIRoute = ({ locals }) => {
  // Use `locals.auth()` to protect a route based on token type
  const authObject = locals.auth({ acceptsToken: 'any' })

  if (authObject.tokenType === 'session_token') {
    console.log('This is a session token from a user')
  } else {
    console.log(`This is a ${authObject.tokenType} token`)
  }

  return new Response(JSON.stringify({}))
}

locals.currentUser()

The currentUser() local returns the Backend UserClerk Icon object of the currently active user.

Under the hood, this local:

Warning

The Backend UserClerk Icon object includes a privateMetadata field that should not be exposed to the frontend. Avoid passing the full user object returned by currentUser() to the frontend. Instead, pass only the specified fields you need.

src/pages/form.astro
---
if (Astro.request.method === 'POST') {
  const user = await Astro.locals.currentUser()

  if (!user) {
    throw new Error('You must be signed in to use this feature')
  }

  const data = await Astro.request.formData()
  const serverData = {
    usersHobby: data.get('hobby'),
    userId: user.id,
    profileImage: user.imageUrl,
  }

  console.log('add item action completed with user details ', serverData)
}
---

<form method="POST">
  <input value="soccer" type="text" name="hobby" />
  <button type="submit">Submit your hobby</button>
</form>

Feedback

What did you think of this content?

Last updated on

GitHubEdit on GitHub