fix(clerk-js): pickFreshestJwt returns incoming on full tie

nikosdouvlis · nikosdouvlis · commit 3b558c3cfb33 · 2026-05-13T18:21:45.000+03:00
Two tokens with identical oiat+iat may still differ in other claims
(azp, org_id, etc.) added in a token-format rollout. The previous
'no churn on tie' rule suppressed legitimate updates and caused the
backend to read stale claim sets, redirecting to /sign-in. Only
suppress when existing is strictly fresher.
diff --git a/.husky/_/husky.sh b/.husky/_/husky.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env sh
+if [ -z "$husky_skip_init" ]; then
+  debug () {
+    if [ "$HUSKY_DEBUG" = "1" ]; then
+      echo "husky (debug) - $1"
+    fi
+  }
+
+  readonly hook_name="$(basename -- "$0")"
+  debug "starting $hook_name..."
+
+  if [ "$HUSKY" = "0" ]; then
+    debug "HUSKY env variable is set to 0, skipping hook"
+    exit 0
+  fi
+
+  if [ -f ~/.huskyrc ]; then
+    debug "sourcing ~/.huskyrc"
+    . ~/.huskyrc
+  fi
+
+  readonly husky_skip_init=1
+  export husky_skip_init
+  sh -e "$0" "$@"
+  exitCode="$?"
+
+  if [ $exitCode != 0 ]; then
+    echo "husky - $hook_name hook exited with code $exitCode (error)"
+  fi
+
+  if [ $exitCode = 127 ]; then
+    echo "husky - command not found in PATH=$PATH"
+  fi
+
+  exit $exitCode
+fi
diff --git a/packages/clerk-js/src/core/__tests__/tokenFreshness.test.ts b/packages/clerk-js/src/core/__tests__/tokenFreshness.test.ts
@@ -46,10 +46,13 @@ describe('pickFreshestJwt', () => {
       expect(pickFreshestJwt(existing, incoming)).toBe(incoming);
     });
 
-    it('picks existing when oiat equal and iat equal (identical, no churn)', () => {
+    it('picks incoming when oiat equal and iat equal (other claims may differ)', () => {
+      // Two tokens with identical oiat+iat may still differ in other claims
+      // (azp, org_id, etc.) during a token-format rollout. Only suppress when
+      // existing is strictly fresher; on full ties, let incoming through.
       const existing = makeToken({ oiat: 100, iat: 150 });
       const incoming = makeToken({ oiat: 100, iat: 150 });
-      expect(pickFreshestJwt(existing, incoming)).toBe(existing);
+      expect(pickFreshestJwt(existing, incoming)).toBe(incoming);
     });
 
     it('picks existing when oiat equal and incoming iat missing (treated as 0)', () => {
diff --git a/packages/clerk-js/src/core/tokenFreshness.ts b/packages/clerk-js/src/core/tokenFreshness.ts
@@ -42,7 +42,11 @@ export function pickFreshestJwt<T extends TokenResource | JWT>(existing: T, inco
     return incoming;
   }
 
+  // Equal oiat: tie-break by iat (more recent mint wins). On a full tie,
+  // return incoming: two tokens with identical oiat+iat may still differ
+  // in other claims (azp, org_id, etc.) added in a token-format rollout,
+  // so we only suppress when existing is strictly fresher.
   const existingIat = asJwt(existing)?.claims?.iat ?? 0;
   const incomingIat = asJwt(incoming)?.claims?.iat ?? 0;
-  return existingIat >= incomingIat ? existing : incoming;
+  return existingIat > incomingIat ? existing : incoming;
 }

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,11 @@ export function pickFreshestJwt<T extends TokenResource \| JWT>(existing: T, inco`
`42`	`42`	`return incoming;`
`43`	`43`	`}`
`44`	`44`
	`45`	`+ // Equal oiat: tie-break by iat (more recent mint wins). On a full tie,`
	`46`	`+ // return incoming: two tokens with identical oiat+iat may still differ`
	`47`	`+ // in other claims (azp, org_id, etc.) added in a token-format rollout,`
	`48`	`+ // so we only suppress when existing is strictly fresher.`
`45`	`49`	`const existingIat = asJwt(existing)?.claims?.iat ?? 0;`
`46`	`50`	`const incomingIat = asJwt(incoming)?.claims?.iat ?? 0;`
`47`		`- return existingIat >= incomingIat ? existing : incoming;`
	`51`	`+ return existingIat > incomingIat ? existing : incoming;`
`48`	`52`	`}`