Merge branch 'main' into jacek/express-forward-auth-options

Author: jacekradko

.changeset/expo-mobile-485-cold-start-activity.md

@@ -0,0 +1,7 @@
+---
+"@clerk/expo": patch
+---
+
+Fix `MissingActivity` error on cold-start Google sign-in / passkey flows. Previously, the first tap on "Sign in with Google" in `<AuthView />` failed with `Clerk error: Google sign-in cannot start: Credential Manager requires an active Activity context.` — the workaround was to background and foreground the app once before signing in.
+
+The Android bridge now calls `Clerk.attachActivity()` (added in clerk-android 1.0.16) at SDK initialization and on AuthView/UserProfile mount, so the current Activity is registered with the underlying SDK before any Credential Manager call. No app-side changes required; the fix is transparent on rebuild.

.changeset/pink-taxes-do.md

@@ -0,0 +1,7 @@
+---
+'@clerk/ui': patch
+---
+
+Remove back button on the sign-in password compromised/pwned error screen.
+
+These errors are not recoverable by re-entering the password, so the back button led to a confusing dead end that would always take you back to the same error.

packages/backend/package.json

@@ -125,8 +125,8 @@
   },
   "devDependencies": {
     "@edge-runtime/vm": "5.0.0",
-    "cookie": "1.0.2",
-    "msw": "2.11.6",
+    "cookie": "1.1.1",
+    "msw": "2.14.2",
     "npm-run-all": "^4.1.5",
     "snakecase-keys": "9.0.2",
     "vitest-environment-miniflare": "2.14.4"

packages/clerk-js/package.json

@@ -103,16 +103,16 @@
   "devDependencies": {
     "@clerk/msw": "workspace:^",
     "@clerk/testing": "workspace:^",
-    "@emotion/react": "11.11.1",
+    "@emotion/react": "11.14.0",
     "@rsdoctor/rspack-plugin": "^0.4.13",
     "@rspack/cli": "catalog:rspack",
     "@rspack/core": "catalog:rspack",
     "@rspack/plugin-react-refresh": "catalog:rspack",
     "@types/cloudflare-turnstile": "^0.2.2",
     "@types/webpack-env": "^1.18.8",
-    "bundlewatch": "^0.4.1",
+    "bundlewatch": "^0.4.2",
     "jsdom": "26.1.0",
-    "minimatch": "^10.0.3",
+    "minimatch": "^10.2.5",
     "webpack-merge": "^5.10.0"
   },
   "engines": {

packages/expo/android/build.gradle

@@ -18,8 +18,8 @@ ext {
   credentialsVersion = "1.3.0"
   googleIdVersion = "1.1.1"
   kotlinxCoroutinesVersion = "1.7.3"
-  clerkAndroidApiVersion = "1.0.13"
-  clerkAndroidUiVersion = "1.0.13"
+  clerkAndroidApiVersion = "1.0.16"
+  clerkAndroidUiVersion = "1.0.16"
   composeVersion = "1.7.0"
   activityComposeVersion = "1.9.0"
   lifecycleVersion = "2.8.0"
@@ -117,6 +117,16 @@ dependencies {
     exclude group: 'com.squareup.okhttp3', module: 'okhttp'
     exclude group: 'com.squareup.okhttp3', module: 'okhttp-urlconnection'
   }
+  // clerk-android-telemetry has a transitive dep on the last released
+  // clerk-android-api. Pinning the api explicitly here keeps consumers
+  // compiling against the same version we ship the UI from.
+  implementation("com.clerk:clerk-android-api:$clerkAndroidApiVersion") {
+    exclude group: 'org.jetbrains.kotlin', module: 'kotlin-stdlib'
+    exclude group: 'org.jetbrains.kotlin', module: 'kotlin-stdlib-jdk7'
+    exclude group: 'org.jetbrains.kotlin', module: 'kotlin-stdlib-jdk8'
+    exclude group: 'com.squareup.okhttp3', module: 'okhttp'
+    exclude group: 'com.squareup.okhttp3', module: 'okhttp-urlconnection'
+  }
 
   // Jetpack Compose for wrapping Clerk views
   implementation "androidx.compose.ui:ui:$composeVersion"

packages/expo/android/src/main/java/expo/modules/clerk/ClerkAuthExpoView.kt

@@ -44,7 +44,14 @@ class ClerkAuthNativeView(context: Context) : FrameLayout(context) {
   var mode: String = "signInOrUp"
   var isDismissable: Boolean = true
 
-  private val activity: ComponentActivity? = findActivity(context)
+  private val activity: ComponentActivity? = findActivity(context).also {
+    // At cold start, ClerkExpoModule.configure() may run before React's
+    // host-resume sync — meaning getCurrentActivity() returns null there.
+    // This view's construction is a reliable second hook: we know the Activity
+    // is available (we just walked the context to find it) and we're about to
+    // render Google sign-in / passkey buttons that need it.
+    if (it != null) Clerk.attachActivity(it)
+  }
 
   // Per-view ViewModelStoreOwner so the AuthView's ViewModels (including its
   // navigation state) are scoped to THIS view instance, not the activity.

packages/expo/android/src/main/java/expo/modules/clerk/ClerkExpoModule.kt

@@ -85,6 +85,16 @@ class ClerkExpoModule(reactContext: ReactApplicationContext) :
                     }
 
                     Clerk.initialize(reactApplicationContext, pubKey)
+                    // clerk-android registers ActivityLifecycleCallbacks during
+                    // initialize(), but in React Native MainActivity has already passed
+                    // onResume() by the time <ClerkProvider> mounts and we reach this
+                    // line, so the callbacks miss the initial activity. Without seeding,
+                    // the first Credential Manager call (Google sign-in / passkeys)
+                    // fails with MissingActivity until the user backgrounds and
+                    // foregrounds the app. getCurrentActivity() can be null here on
+                    // cold start before React's host-resume sync — AuthView and
+                    // UserProfile also call attachActivity() on mount as a backstop.
+                    getCurrentActivity()?.let { Clerk.attachActivity(it) }
                     // Theme loading is centralized here. ClerkViewFactory.configure()
                     // and ClerkUserProfileActivity.onCreate() only call Clerk.initialize()
                     // when Clerk is not yet initialized, so by the time they run

packages/expo/package.json

@@ -124,15 +124,15 @@
     "@clerk/expo-passkeys": "workspace:*",
     "@expo/config-plugins": "^54.0.4",
     "@types/base-64": "^1.0.2",
-    "esbuild": "^0.25.0",
+    "esbuild": "^0.28.0",
     "expo-apple-authentication": "^7.2.4",
-    "expo-auth-session": "^5.4.0",
-    "expo-constants": "^18.0.0",
-    "expo-crypto": "^15.0.7",
+    "expo-auth-session": "^5.5.2",
+    "expo-constants": "^18.0.13",
+    "expo-crypto": "^15.0.9",
     "expo-local-authentication": "^13.8.0",
     "expo-secure-store": "^12.8.1",
     "expo-web-browser": "^12.8.2",
-    "react-native": "^0.81.4"
+    "react-native": "^0.85.2"
   },
   "peerDependencies": {
     "@clerk/expo-passkeys": ">=0.0.6",

packages/ui/src/components/SignIn/SignInFactorOne.tsx

@@ -155,7 +155,8 @@ function SignInFactorOneInternal(): JSX.Element {
   }
 
   if (showAllStrategies || showForgotPasswordStrategies) {
-    const canGoBack = factorHasLocalStrategy(currentFactor);
+    // Password errors are not recoverable by re-entering the password, so we hide the back button
+    const canGoBack = factorHasLocalStrategy(currentFactor) && !passwordErrorCode;
 
     const toggle = showAllStrategies ? toggleAllStrategies : toggleForgotPasswordStrategies;
     const backHandler = () => {

packages/ui/src/components/SignIn/__tests__/SignInFactorOne.test.tsx

@@ -303,57 +303,6 @@ describe('SignInFactorOne', () => {
         await screen.findByText('First, enter the code sent to your phone');
       });
 
-      it('entering a pwned password, then going back and clicking forgot password should result in the correct title', async () => {
-        const { wrapper, fixtures } = await createFixtures(f => {
-          f.withEmailAddress();
-          f.withPassword();
-          f.withPreferredSignInStrategy({ strategy: 'password' });
-          f.startSignInWithEmailAddress({
-            supportPassword: true,
-            supportEmailCode: true,
-            supportResetPassword: true,
-          });
-        });
-        fixtures.signIn.prepareFirstFactor.mockReturnValueOnce(Promise.resolve({} as SignInResource));
-
-        const errJSON = {
-          code: 'form_password_pwned',
-          long_message:
-            'Password has been found in an online data breach. For account safety, please reset your password.',
-          message: 'Password has been found in an online data breach. For account safety, please reset your password.',
-          meta: { param_name: 'password' },
-        };
-
-        fixtures.signIn.attemptFirstFactor.mockRejectedValueOnce(
-          new ClerkAPIResponseError('Error', {
-            data: [errJSON],
-            status: 422,
-          }),
-        );
-
-        const { userEvent } = render(<SignInFactorOne />, { wrapper });
-        await userEvent.type(screen.getByLabelText('Password'), '123456');
-        await userEvent.click(screen.getByText('Continue'));
-
-        await screen.findByText('Password compromised');
-        await screen.findByText(
-          'This password has been found as part of a breach and can not be used, please reset your password.',
-        );
-        await screen.findByText('Or, sign in with another method');
-
-        // Go back
-        await userEvent.click(screen.getByText('Back'));
-
-        // Choose to reset password via "Forgot password" instead
-        await userEvent.click(screen.getByText(/Forgot password/i));
-        await screen.findByText('Forgot Password?');
-        expect(
-          screen.queryByText(
-            'This password has been found as part of a breach and can not be used, please reset your password.',
-          ),
-        ).not.toBeInTheDocument();
-      });
-
       it('using an compromised password should show the compromised password screen', async () => {
         const { wrapper, fixtures } = await createFixtures(f => {
           f.withEmailAddress();