fix(nextjs): enforce middleware authorization during keyless bootstrap

Previously, `clerkMiddleware` early-returned `NextResponse.next()` when it
detected no publishable key (the client-side keyless bootstrap window), which
skipped the user's handler entirely. Any authorization logic inside that
handler — including `auth.protect()` — was bypassed during the bootstrap window.

The fix runs the user's handler against a synthetic signed-out RequestState
(via the new `createBootstrapSignedOutState` helper in @clerk/backend/internal)
through the same post-authentication pipeline as the normal path. Authorization
fails closed during bootstrap; `<ClerkProvider/>` downstream resumes the flow
once keys are provisioned client-side. Dev-only path — production behavior is
unchanged.

Closes SDK-70.

Author: jacekradko

.changeset/sdk-70-keyless-middleware-bypass-fix.md

@@ -0,0 +1,5 @@
+---
+'@clerk/nextjs': patch
+---
+
+Fix a middleware-bypass window in keyless mode. When `clerkMiddleware` runs before a publishable key has been provisioned (the client-side keyless bootstrap window), the user's middleware handler now runs against a synthetic signed-out `RequestState` instead of being skipped. Authorization logic (`auth.protect()`, custom checks) is enforced fail-closed during bootstrap; `<ClerkProvider/>` downstream resumes the flow once keys are available. Dev-only path — production behavior is unchanged.

packages/backend/src/tokens/__tests__/authStatus.test.ts

@@ -3,7 +3,7 @@ import { describe, expect, it } from 'vitest';
 
 import { mockTokens, mockVerificationResults } from '../../fixtures/machine';
 import type { AuthenticateContext } from '../../tokens/authenticateContext';
-import { handshake, signedIn, signedOut } from '../authStatus';
+import { createBootstrapSignedOutState, handshake, signedIn, signedOut } from '../authStatus';
 
 describe('signed-in', () => {
   describe('session tokens', () => {
@@ -132,6 +132,48 @@ describe('signed-out', () => {
   });
 });
 
+describe('createBootstrapSignedOutState', () => {
+  it('returns a signed-out session_token state with no publishable key', () => {
+    const state = createBootstrapSignedOutState();
+
+    expect(state.status).toBe('signed-out');
+    expect(state.tokenType).toBe('session_token');
+    expect(state.isSignedIn).toBe(false);
+    expect(state.isAuthenticated).toBe(false);
+    expect(state.publishableKey).toBe('');
+    expect(state.token).toBeNull();
+  });
+
+  it('applies provided signInUrl and signUpUrl', () => {
+    const state = createBootstrapSignedOutState({
+      signInUrl: '/sign-in',
+      signUpUrl: '/sign-up',
+    });
+
+    expect(state.signInUrl).toBe('/sign-in');
+    expect(state.signUpUrl).toBe('/sign-up');
+  });
+
+  it('toAuth() returns a signed-out auth object without throwing', () => {
+    const authObject = createBootstrapSignedOutState().toAuth();
+
+    expect(authObject.userId).toBeNull();
+    expect(authObject.sessionId).toBeNull();
+    expect(authObject.tokenType).toBe('session_token');
+  });
+
+  it('includes debug headers on the state', () => {
+    const state = createBootstrapSignedOutState({
+      reason: 'session-token-and-uat-missing',
+      message: 'no keys yet',
+    });
+
+    expect(state.headers.get('x-clerk-auth-status')).toBe('signed-out');
+    expect(state.headers.get('x-clerk-auth-reason')).toBe('session-token-and-uat-missing');
+    expect(state.headers.get('x-clerk-auth-message')).toBe('no keys yet');
+  });
+});
+
 describe('handshake', () => {
   it('includes debug headers', () => {
     const headers = new Headers({ location: '/' });

packages/nextjs/src/server/clerkMiddleware.ts

@@ -12,6 +12,7 @@ import type {
 import {
   AuthStatus,
   constants,
+  createBootstrapSignedOutState,
   createClerkRequest,
   createRedirect,
   getAuthObjectForAcceptedToken,
@@ -230,6 +231,54 @@ export const clerkMiddleware = ((...args: unknown[]): NextMiddleware | NextMiddl
       });
     });
 
+    // Bootstrap path for the keyless window where no publishable key is available yet.
+    // The real authenticateRequest() can't run without keys, so we synthesize a signed-out
+    // RequestState and run the user's handler against it. This closes the middleware-bypass
+    // window: authorization logic (e.g. auth.protect()) fail-closed during bootstrap instead
+    // of being skipped entirely.
+    const bootstrapNextMiddleware: NextMiddleware = withLogger(
+      'clerkMiddleware',
+      logger => async (request, event) => {
+        const resolvedParams = typeof params === 'function' ? await params(request) : params;
+        const keyless = await getKeylessCookieValue(name => request.cookies.get(name)?.value);
+
+        const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL || '';
+        const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL || '';
+
+        const options = {
+          publishableKey: '',
+          secretKey: '',
+          signInUrl,
+          signUpUrl,
+          ...resolvedParams,
+        };
+
+        clerkMiddlewareRequestDataStore.set('requestData', options);
+
+        if (options.debug) {
+          logger.enable();
+        }
+
+        const clerkRequest = createClerkRequest(request);
+        logger.debug('keyless bootstrap (no publishable key)', () => ({ signInUrl, signUpUrl }));
+        logger.debug('url', () => clerkRequest.toJSON());
+
+        const requestState = createBootstrapSignedOutState({ signInUrl, signUpUrl });
+
+        return runHandlerWithRequestState({
+          clerkRequest,
+          request,
+          event,
+          requestState,
+          handler,
+          options,
+          resolvedParams,
+          keyless,
+          logger,
+        });
+      },
+    );
+
     const keylessMiddleware: NextMiddleware = async (request, event) => {
       /**
        * This mechanism replaces a full-page reload. Ensures that middleware will re-run and authenticate the request properly without the secret key or publishable key to be missing.
@@ -245,14 +294,13 @@ export const clerkMiddleware = ((...args: unknown[]): NextMiddleware | NextMiddl
       const authHeader = getHeader(request, constants.Headers.Authorization)?.replace('Bearer ', '') ?? '';
 
       /**
-       * In keyless mode, if the publishable key is missing, let the request through, to render `<ClerkProvider/>` that will resume the flow gracefully.
+       * In keyless mode, when no publishable key is available yet, we still run the user's
+       * middleware handler — against a synthetic signed-out RequestState — so authorization
+       * logic is enforced during the bootstrap window. `<ClerkProvider/>` downstream resumes
+       * the flow once keys are provisioned client-side.
        */
       if (isMissingPublishableKey && !isMachineTokenByPrefix(authHeader)) {
-        const res = NextResponse.next();
-        setRequestHeadersOnNextResponse(res, request, {
-          [constants.Headers.AuthStatus]: 'signed-out',
-        });
-        return res;
+        return bootstrapNextMiddleware(request, event);
       }
 
       return baseNextMiddleware(request, event);